Presentation on theme: "Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE."— Presentation transcript:
Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE Security Task Force Policy and Law Sub Committee Data Breach Notification Sub Group
A Dubious Honor Owe a debt of thanks to those among us who have ‘pioneered’ data breach notification “There but for the grace…” For some it’s the law, for others it’s just the right thing to do. Soon or later we all will be required by law to notify.
Goal: Bootstrap the Uninitiated When you’re under fire, you need help fast. Provide a tool that pulls from our collective experience. A real-time aid for creating the various communications that form data breach notification. An essential part of an incident response plan.
Data Breach Notification Toolkit Hosted by EDUCAUSE Federal/State Legal Requirements Policies and Procedures Threshold for Notification Notification Templates Incident Web Sites Other Resources Sample Incident Response Plans Under Construction Threshold for involving law enforcement
Notification Templates Outlines and content for Press Releases Notification Letters Incident Specific Website Incident Response FAQs Generic Identity Theft Web Site Sample language from actual incidents Food for thought – one size does not fit all
Before an Incident Generic Identity Theft Site Public Service Announcement Can be referenced in the event of an incident Components What is Identity Theft How to avoid it What to do if Your data may have been compromised You become an actual victim of identity theft FAQs Verify info correct at time of publication, especially for your locale.
Generic Identity Theft Site Introduction This site contains information on how to protect yourself from identity theft as well as what to do to if your personal information becomes exposed or if you actually become a victim of identity theft. Links to additional information can be found under the Resources. What is Identify Theft? Identity theft occurs when someone uses another person's personal information such as name, Social Security number, driver's license number, credit card number or other identifying information to take on that person's identity in order to commit fraud or other crimes... etc
Responding to an Incident Press Releases Notification Letters Incident Specific Website (1 per incident) Incident Response FAQs Hotline (FAQs serve as a script for call-takers)
Press Release Components What are you doing? Announcing a breach? A theft? Announcing that the case has been resolved? That notification has occurred? Who is affected/not affected? What specific types of personal information are involved? What are the (brief) details of the incident? “No evidence to indicate data has been misused…” or what the evidence points to. Expression of regret and concrete steps the institution is taking to prevent this from happening again. For more information, …
Sample Snippets – Who is Affected/Not Affected The server contained personal information, including names and Social Security numbers, on current, former and prospective students, as well as current and former faculty and staff. The server contained personal information, including names and Social Security numbers, on current, former and prospective students, as well as current and former faculty and staff. The vast majority of students involved were new students within the past five years. Student laptop computers were not breached, and, at this time, school officials believe that [population e.g. current undergraduates] were not affected.
Notification Letter Components What happened and when? How was it detected? What specific types of personal information are involved and for whom? What steps are being taken? “No evidence to indicate data has been misused…” or what the evidence points to. What steps should individuals take? Expression of regret and/or commitment to security. Next steps. Contact information. Signature.
Sample Snippets – Notification Letter Anticipated next steps, if any. e.g. intention to notify if any additional information becomes available? Example: The theft of this information raises a number of possible risks to you. One is theft of identity for financial gain. The University will be sending you a package of materials outlining steps you can take to protect yourself from this. Another risk is theft of identity for purposes of international travel or foreign entry. The University is currently working with several federal agencies, including the Immigration and Naturalization Service, and we have been informed that because of this theft, you may be asked further questions to verify your identity when leaving or entering the United States. Who to contact for additional information Contact/name, number, hours of availability, web site, hotline, address, etc. Example: Should you have further questions about this matter, please contact [name of contact}, [title of contact], at [ address of contact] or [phone number].[ Signature Who makes most sense – president, dean, other contact familiar to the individual, consider multiple signatories for different constituent groups.
Incident Web Site Components Most-Recent-Update section at top of page Link to Identity Theft website/credit agencies FAQs Press Releases Toll-free Hotline contact information
Reactions Concerns? Perceived Value? Necessary to anonymize snippets?
Coming Attractions Threshold for notification Best practice detection – monitoring, logging, tools, etc. What would you like to see?