Western Suffolk BOCES Data Breach Exercise
United States Department of Education, Privacy Technical Assistance Center (PTAC)


District Data Breach Exercise
A tabletop exercise that simulates a data breach within a complex organization. It is intended to put you in the shoes of the critical decision makers who have just experienced a data breach. The scenario is based on a real data breach that happened in the education sector within the last 90 days. IT CAN HAPPEN TO YOU!

District Data Breach Exercise
You will be divided into teams to react and respond to the scenario. Over time, the scenario will be more fully revealed and you will discover more about what happened.

Be Prepared for the Unexpected!

Suggestions
Think about each of the roles needed in your organization (e.g., public information officer, data system leadership, attorney, auditors).
The full extent or impact of a data breach is rarely known up front. Do your best to anticipate what might happen, but don't get ahead of yourself.

District Data Breach Exercise
Each team will develop two key products:
1. Public and Internal Communications/Messaging: develop the message(s) you will deliver to your staff, students, parents, the media, and the public.
During the event, you will be asked to participate in press conferences about the scenario. Be prepared to respond to members of the media about what is happening and how your organization is responding.

District Data Breach Exercise (cont.)
2. Response Plan: outline how your agency will approach the scenario and what resources you will mobilize. Describe who will compose your response team. Identify goals and a timeline for your response.

Background
Your school district has 15,000 students. Your district provides centralized IT services and support for K-12 schools, as well as access to a centrally managed Student Information System (SIS).

Background (cont.)
Approximately one year ago, your SIS vendor had a data breach in which a small portion of your students' education records were exposed to the public-facing internet. Your SIS vendor provided those students' parents with free credit monitoring and identity theft insurance for one year. As a result of that breach, you updated your policies on vendor contracts to require the "reasonable methods" for protecting data that FERPA calls for.

Scenario
A concerned citizen calls your central district office after discovering publicly available data on Dropbox. The caller does not know who posted it, but thought you should be aware.

District Data Breach Exercise
1. Gather with your team.
2. Go over the scenario carefully. What do you know? What don't you know?
3. Begin building your response. Elect a team member to take notes.

Data Breach Exercise (cont.)
4. During the scenario, you will receive additional information about the breach. Read each of these updates as the scenario unfolds.
5. We will occasionally pause to discuss where we are, and eventually give a press statement.
This exercise works best if approached as a "murder mystery" game. The more you synthesize the information and role play, the more useful the exercise becomes.

Questions?

ACME District Data Breach Exercise
Minutes

Questions to consider...
Is there evidence of an actual breach?
Do you have any legal responsibilities at this point?
How do you respond to the findings? Acknowledge? Remain mute? Aggressively investigate?

Scenario Update
The news of the Dropbox breach has now reached the media. The New York Times reports that personal information of about 1,000 students with individualized education programs (IEPs), attending schools on Long Island, was posted to a public Dropbox site. The Superintendent wants answers on how this happened and wants a brief prepared for her press conference.

Scenario Update
How do you respond to your leadership?
What information do you plan to provide?
What assumptions are you making about the situation?
Are you working on your resume?

ACME District Data Breach Exercise
End: 10 Minutes

Scenario Update
Upon further forensic investigation, the data was found to have been inadvertently made available online "for several hours" on Tuesday; it has since been taken down. In addition, it appears that the data was posted by a district staff member.

Questions to Consider...
How does this change your approach?
Do you notify parents at this point? Are you required to by law? If so, how?
Does this event change your approach to the response activities? How?

ACME District Data Breach Exercise
Minutes

Next Assignment
Red Team: Press Conference. You decide to take your response activities to the streets and hold a press conference where you will inform the public what is going on, how it happened, and what you are currently doing to respond to the situation. Each group will select a "spokesperson" who will answer questions from the crowd.
Green Team: Staff Training. Provide a summary of the internal trainings needed to keep future incidents from occurring. Include the specific topics you plan to cover in your training plan.

ACME District Data Breach Exercise
Minutes

Develop Incident Response Plan
Use your notes from the scenario discussion.
Identify an incident response team (e.g., CIO, Data Coordinator, IT Manager, legal counsel).
Outline the steps to identify the source of the breach, catalog the data affected, and determine how it occurred.
Should you involve law enforcement? When?
What legal requirements exist?
What preventive and corrective actions should you implement?

ACME District Data Breach Exercise
Minutes

Unveil Your Response Plan
Take us through your response plan. Include the who, what, when, and how of your activities.
What were the driving factors in your decision-making process?
Did your plan evolve as the scenario became clearer? How?
How should you prepare to enable a prompt reaction to a potential breach?

Wrap-up
Lessons learned from the press conference.
Incident Response Plans: what might work for us?
What have you learned? Will it affect your behavior?
How could this exercise be more useful to you?

Related PTAC Resources
Contractor Responsibilities Under FERPA
Training videos for district staff and to share with parents
Data Breach Checklist and Activity Downloads