Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Incident Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University William L. Custer Information Security Policy.

Published byShavonne Horn Modified over 8 years ago

Similar presentations

Presentation on theme: "Data Incident Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University William L. Custer Information Security Policy."— Presentation transcript:

1 Data Incident Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University William L. Custer Information Security Policy Manager Miami University Rodney Petersen Policy Analyst and Security Task Force EDUCAUSE

2 Notification of Security Breach Risk The following is based upon proposed S. 1408: Identity Theft Protection Act (109 th Congress) Reporting the Breach to the Federal Trade Commission!!! Notification of Consumers

3 Consumer Notification... Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.

4 Reasonable Risk of ID Theft In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.

5 Methods of Notification Written notice Electronic notice Substitute notice –Cost of notice exceeds $250,000 –The individuals to be notified exceeds 500,000 –You do not have sufficient contact information

6 Substitute Notice Notice by electronic mail when you have an email address for affected individuals Conspicuous posting of such notice on your Internet website Notification to major State-wide media

7 Content of the Notice Name of the individual whose information was the subject of the breach of security The name of the “covered entity” that was the subject of the breach of security A description of the categories of sensitive personal information of the individual that were the subject of the breach of security The specific dates between the breach of security of the sensitive personal information of the individual and discovery The toll-free numbers necessary to contact: –Each entity that was the subject of the breach of security –Each nationwide credit reporting agency –The Federal Trade Commission

8 Timing of the Notice Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system There is a provision for law enforcement and homeland security related delays

9 Implications Application of state laws –Conflicting requirements –Potential for Federal preemption Congressional record may prove important Absence of case law Unfunded mandate

10 Goal: Bootstrap the Uninitiated When you’re under fire, you need help fast. Provide a tool that pulls from our collective experience. A real-time aid for creating the various communications that form data breach notification. An essential part of an incident response plan.

11 Data Incident Notification Toolkit Hosted by EDUCAUSE Federal/State Legal Requirements Policies and Procedures Threshold for Notification Notification Templates Incident Web Sites Other Resources –Sample Incident Response Plans Under Construction –Threshold for involving law enforcement

12 Notification Templates Outlines and content for –Press Releases –Notification Letters –Incident Specific Website –Incident Response FAQs –Generic Identity Theft Web Site Sample language from actual incidents Food for thought – one size does not fit all

13 Before an Incident Generic Identity Theft Site –Public Service Announcement –Can be referenced in the event of an incident Components –What is Identity Theft –How to avoid it –What to do if Your data may have been compromised You become an actual victim of identity theft –FAQs Verify info correct at time of publication, especially for your locale.

14 Generic Identity Theft Site Introduction This site contains information on how to protect yourself from identity theft as well as what to do to if your personal information becomes exposed or if you actually become a victim of identity theft. Links to additional information can be found under the Resources. What is Identify Theft? Identity theft occurs when someone uses another person's personal information such as name, Social Security number, driver's license number, credit card number or other identifying information to take on that person's identity in order to commit fraud or other crimes... etc

15 Responding to an Incident –Press Releases –Notification Letters –Incident Specific Website (1 per incident) –Incident Response FAQs –Hotline (FAQs serve as a script for call-takers)

16 Press Release Components Who is affected/not affected? What specific types of personal information are involved? What are the (brief) details of the incident? “No evidence to indicate data has been misused…” or what the evidence points to. Expression of regret and concrete steps the institution is taking to prevent this from happening again. For more information, …

17 Sample Snippets – Who is Affected/Not Affected The server contained personal information, including names and Social Security numbers, on current, former and prospective students, as well as current and former faculty and staff. Student laptop computers were not breached, and, at this time, school officials believe that [population e.g. current undergraduates] were not affected.

18 Notification Letter Components Press Release + What steps should individuals take? Next steps. Contact information. Signature.

19 Sample Snippets – Notification Letter Anticipated next steps, if any. e.g. intention to notify if any additional information becomes available? Example: The theft of this information raises a number of possible risks to you. One is theft of identity for financial gain. The University will be sending you a package of materials outlining steps you can take to protect yourself from this. Who to contact for additional information Contact/name, number, hours of availability, web site, hotline, email address, etc. Example: Should you have further questions about this matter, please contact [name of contact}, [title of contact], at [email address of contact] or [phone number].[email Signature Who makes most sense – president, dean, other contact familiar to the individual, consider multiple signatories for different constituent groups.

20 Incident Web Site Components Most-Recent-Update section at top of page Link to Identity Theft website/credit agencies FAQs Toll-free Hotline contact information

21 Data Incident Nofication Toolkit http://www.educause.edu/9320 Page Location: EDUCAUSE Home > EDUCAUSE Major Initiatives > Security Task Force > Resources > DATA INCIDENT NOTIFICATION TOOLKITEDUCAUSE Home EDUCAUSE Major InitiativesSecurity Task ForceResources

22

23

24

25 Coming Attractions Threshold for notification Best practice detection – monitoring, logging, tools, etc. What would you like to see?

26 Miami University Fact Sheet Established 1809 - Ohio land grant institution Liberal education core 100 undergraduate majors 22,600 Students –Oxford, Ohio campus 15,300 undergraduates 1400 graduate students –Hamilton – 3300 undergraduates –Middletown – 2600 undergraduates –European Center in Luxembourg

27 What Is This Session About? Notification If confidential data is exposed Using the toolkit Procedures should be in place already Part of Incident Response IR is part of an Operations Plan

28 Focus Of This Talk Usefulness of the Toolkit Case Study Approach How Miami used the toolkit after an incident

29 What Is The Toolkit? The resources on the Educause site http://www.educause.edu/ DataIncidentNotificationToolkit/9320

30 What Is In The Toolkit (1) Press Release tools Notification Letter components Incident Specific Web Site Template Incident FAQ Generic Identity Theft Web Site

31 What Is In The Toolkit (2) Lots of links to other helpful sites www

32 The Incident Reported A report containing names, Social Security numbers and grades for 21,762 students from fall term 2002 was discovered in a file accessible through the Internet Monday, September 12, 2005 Reported at 9:02 a.m.

33 IT Responds First 9:05 Find the exposed file 9:10 Remove the file 9:12 Contact IT senior management 11:00 Answers from log files 11:15 Offer advice to management

34 Nine Questions I interviewed Miami staff after the event What follows are nine questions Did the toolkit answer them?

35 Q1: Advise To Notify? Should IT advise notification? Answer: yes? Help from the toolkit?

36 A Black Box A black box would be nice Notify? Yes / No No black box in the toolkit

37 Factors Considered Exposed file was several years old Logs for 7 months Very little activity Increase of activity Two site concerned us

38 Access Graphed

39 Helps For Decision Toolkit links to California law Useful guidance for Ohio

40 Q2: Should We Notify? VP team to consider it Director of University Communications included Phone calls to 6 institutions Help from the toolkit?

41 Q3: How Find Time? Time is critical in an emergency Web searches take time Reading takes time Help from the toolkit? Yes

42 Pre Selected Material The toolkit saved us much time by selecting some of the best materials in advance

43 Q4: Where Is the Table of Contents? Notification taxonomy? Ways to notify Help from the Toolkit? Yes

44 What Miami Did Press Release FAQ Notification Letter via e-mail Telephone Hotline US Mail – hired an agency to help

45 Q5: What Are The Topics? Topics to include in any notification Basic facts, concern, apology, action, commitment Help from the toolkit? Yes Plenty of examples

46 What Miami Did Miami chose the open kumona approach Read the examples Wrote from scratch

47 Q6: What Wording To Use? Words are important in crisis The Press hangs on words Help from the toolkit? Yes

48 What Miami Did Read the examples Composed letters from scratch Used form letters from consultant

49 Q7: Thing To Avoid Things not to say How not to create panic Help from the toolkit? Some

50 Q8: What Was Extra? What tools did Miami not use? Why

51 Q9: What Tools Are Missing? This was a question for Miami Also a question for you

52 Contact Information custerwl@muohio.edu

Download ppt "Data Incident Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University William L. Custer Information Security Policy."

Similar presentations

Secure IT 2005 Panel Discussion Felecia Vlahos, SDSU Sally Brainerd, UCSD Brooke Banks, CSU Chico.

Secure IT 2005 Panel Discussion Felecia Vlahos, SDSU Sally Brainerd, UCSD Brooke Banks, CSU Chico.
Compliance with Federal Trade Commission’s “Red Flag Rule”

Compliance with Federal Trade Commission’s “Red Flag Rule”
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Detecting, Preventing and Mitigating Identity Theft Presented by the Bursar’s Office.

Detecting, Preventing and Mitigating Identity Theft Presented by the Bursar’s Office.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE.

Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.

Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.
BEWARE! IDENTITY THEFT CARL JOHNSON FINANCIAL LITERACY JENKS HIGH CSHOOL.

BEWARE! IDENTITY THEFT CARL JOHNSON FINANCIAL LITERACY JENKS HIGH CSHOOL.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Office of the Chief Information Officer Preparing for a Data Compromise: what to do when a security breach exposes sensitive data Charles R. Morrow-Jones.

Office of the Chief Information Officer Preparing for a Data Compromise: what to do when a security breach exposes sensitive data Charles R. Morrow-Jones.
Data Incident Notification Policies and Procedures Mary Ann Blair Tracy Mitrano Steven Schuster April 10, 2006 Copyright Mary Ann Blair, Tracy Mitrano,

Data Incident Notification Policies and Procedures Mary Ann Blair Tracy Mitrano Steven Schuster April 10, 2006 Copyright Mary Ann Blair, Tracy Mitrano,

Similar presentations

Ads by Google