Getting Legal: Building the ISO/Legal Counsel Relationship through GLB Dr. Dan Manson Cal Poly Pomona


Topics
- Background on Legal Counsel in CSU
- First Contact
- Notice of Breach of Security
- Information Security Program (GLB)
- Incident Response Team
- New Laws
- Conclusion

Why the ISO Needs a Relationship With Legal
"A strategy focused on relationships with processes geared to encounters is doomed to end in poor results and low customer satisfaction." Robert F. Nolan Management Consultants, based on Barbara Gutek's The Brave New Service Strategy, AMACOM, 2000.

Acknowledgment
My sincere thanks for the professional advice and support provided by Cal Poly Pomona's legal counsel, Marlene Jones.

Background
- 23 campuses in Cal State University System
- 21 legal counsels in Cal State system
- 5 based on campus, remainder at Chancellor's Office

First Contact – June 19th
- Received from legal counsel
- Asked whether we drafted an information security program to comply with applicable state and federal laws

Breach of Security and Notice Timeline
- Discovered July 30
- Eight e-mails plus several phone calls between July 30 and August 1
- Notification letter completed August 1

Notice of Breach On July 30, 2003, the University discovered that lists of names and social security numbers of students in seven class sections were stored in files accessible without proper authorization. Although there was no evidence that any personal data was retrieved from the files, the University took immediate steps to restrict the files and provide the requisite notice under civil code section of the Information Practices Act. We have no reason to believe that your information has been misused; however, we are bringing this event to your attention with the suggestion that you be on the lookout for any possible misuse of your personal information.

The Financial Modernization Act of 1999 (GLB)
- Institutions that comply with the Family Educational Rights and Privacy Act (FERPA) are exempted from parts of federal privacy rules that were established for financial institutions under the Gramm-Leach-Bliley Act (GLB).
- The FTC is taking the position that its safeguarding rules DO apply to institutions of higher education, affecting student loan records in particular and possibly others.

Information Security Program
- First draft July 8th
- Many e-mails and several face-to-face meetings over the next 3 months
- Draft Information Security Program presented to Cabinet September 11th
- Memo sent to campus President October 9th
- Academic Senate questions raised and addressed

GLB Safeguarding Requirements
GLB mandates that the University appoint an information security coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to Covered Data and Information, oversee service providers and contracts, and evaluate and adjust the Program periodically. Source:

Information Security Program Preamble
This Information Security Program (Program) was prepared by the Instructional and Information Technology Division (I&IT) in order to protect sensitive information and data, and to comply with Federal Law. This Program will affect I&IT, as well as other areas of the University, including, but not limited to, Academic Affairs, Administrative Affairs, President's Office, University Advancement, Extended University, and Student Affairs, and will also affect non-state entities operating on campus, such as CSU-approved auxiliaries. The goal of the Program is to protect sensitive information and data and to assure compliance with applicable law related to information security. Source:

Incident Response Team
- Campus IRT started in July
- Team asked for meeting with legal counsel
- Legal counsel asked for list of questions

Partial List of Questions and Answers
At what point do we bring in legal counsel to the IRT process?
When you need assistance to determine if the notice requirements of Civil Code contained in are triggered, or if you believe that there has been an intentional violation of the Information Practices Act.

Civil Code Section (a)
Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Partial List of Questions and Answers
What procedures would you (as legal counsel) like to see the IRT follow?
Notification under CC must be prompt, and records should be kept to verify that the statutorily required notice was provided.

Partial List of Questions and Answers
When do we take incidents to legal versus public safety?
If you have evidence of a crime or violation of the Information Practices Act by a third party, you should report it to the campus police after providing notice as required by the Act. If you have concerns that a University student or employee has violated the Act, you should contact the appropriate administrator, who may consult with the University Counsel.

New Laws
- California Civil Code § (signed Oct. 12, 2003)
- Senate Bill 1279 (in progress)

California Civil Code §
Effective Date: January 1, 2004, unless otherwise indicated below.
Prohibitions. Under the law, the following actions are prohibited:
- Publicly post or publicly display in any manner an individual's SSN. "Publicly post or publicly display" means to intentionally communicate or otherwise make available to the general public.
- Print an individual's SSN on any card required for the individual to access products or services provided by the person or entity.
- Require an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted.
Source:

California Civil Code §
- Require an individual to use his or her SSN to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site. (Effective January 1, 2005)
- Print an individual's SSN on any materials that are mailed to the individual, unless state or federal law requires the SSN to be on the document to be mailed. Notwithstanding this paragraph, SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN. An SSN that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or be visible on the envelope or without the envelope having been opened. (Effective January 1, 2005)
Source:

California Civil Code §
- Encode or embed the SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the SSN as an effort to comply with these new provisions.
Allowable Uses of the SSN
- As a Requirement of Law or for Administrative Purposes: Social Security numbers may be collected, used, or released as required by state or federal law, or used for internal verification or administrative purposes.
Source:

California Civil Code §
Grandfather Clause: If a state or local agency used an individual's SSN in the manner prohibited above prior to January 1, 2004, it is allowed to continue to use that individual's SSN in the same manner on or after January 1, 2004, if all of the following conditions are met:
- The use of the SSN is continuous. If the use is stopped for any reason, the prohibitions apply.
- The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her SSN in a manner prohibited under the law.
- A written request by an individual to stop the use of his or her SSN in the manner prohibited by the law is implemented within thirty days of the receipt of the request.
- There may not be a fee or charge for implementing the request.
- The person or entity does not deny services to an individual because the individual makes a written request to stop the use of his or her SSN.
This grandfather clause concerns the use of an individual's SSN and not the practice of using SSNs in general. Source:

California Civil Code §
Guidance about Truncating the SSN
- The law does not prohibit printing a truncated SSN on a document to be mailed to the individual.
- If an SSN is truncated, however, only the last four digits should be displayed, e.g., XXX-XX-1234.
Source:
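The truncation guidance above, as an added example that is not part of the slides: a small Python helper that masks an SSN to its last four digits and scans outgoing mail text for unmasked SSNs before anything is printed. The number-range filter assumes the SSA's issuance rules (no 000, 666 or 900-999 area, no 00 group, no 0000 serial); the sample letter and its numbers are constructed.

```python
import re

# Full 9-digit SSN written with dashes, spaces or no separators at all.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (assumed from SSA issuance rules)
    so that account or phone numbers are not flagged as SSNs."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def truncate_ssn(ssn: str) -> str:
    """Mask a single SSN to the form the slide recommends: XXX-XX-1234."""
    m = SSN_RE.fullmatch(ssn.strip())
    if not m or not is_plausible_ssn(*m.groups()):
        raise ValueError(f"not a 9-digit SSN: {ssn!r}")
    return f"XXX-XX-{m.group(3)}"


def redact_ssns(text: str) -> str:
    """Replace every full SSN in a document body with its truncated form;
    digit runs that are not plausible SSNs are left untouched."""
    def mask(m: re.Match) -> str:
        if is_plausible_ssn(*m.groups()):
            return f"XXX-XX-{m.group(3)}"
        return m.group(0)
    return SSN_RE.sub(mask, text)


def find_unmasked_ssns(text: str) -> list[tuple[int, str]]:
    """Pre-mailing check: (line number, match) for every full SSN found.
    Already-truncated values such as XXX-XX-1234 do not match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append((lineno, m.group(0)))
    return hits


# Constructed sample of an outgoing letter; all numbers are made up.
SAMPLE_LETTER = """\
Dear Student,
Your account 123-456-7890 is current.
Student ID verified against SSN 123-45-6789.
Previously mailed form showed XXX-XX-6789 only.
Contact 909-555-0100 with questions.
"""

if __name__ == "__main__":
    for lineno, ssn in find_unmasked_ssns(SAMPLE_LETTER):
        print(f"line {lineno}: unmasked SSN {ssn}")
    print(redact_ssns(SAMPLE_LETTER))
```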

Senate Bill 1279 (in progress)
- SB 1279 seeks to widen the definition of breachable data to include all data, rather than only computerized data. Under SB 1279, any personal data maintained on voice systems or on paper would be covered by the same provisions that currently apply only to computerized data.
- The bill would also require companies that suffer a security breach involving personal information to provide two years of credit-monitoring services, without charge, to each affected individual.
Source:

Conclusions
- Planning needed to handle crisis
- Preventive law is like preventive medicine
- ISOs need to understand legal issues
- ISOs need a working relationship with legal counsel
- Need ISO/CIO/Legal relationship