Data Incident Notification Policies and Procedures Mary Ann Blair Tracy Mitrano Steven Schuster April 10, 2006 Copyright Mary Ann Blair, Tracy Mitrano, Steven Schuster This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the author.

Background/Headlines “A programming error in the University of Southern California's online system for accepting applications …left the personal information of as many as 280,000 users publicly accessible” “The University of San Diego has notified almost 7,800 individuals… that hackers gained illicit access to computers containing their personal income tax data. The compromised data included names, Social Security numbers and addresses” …

Background/Headlines “The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts.” “It's one of the worst security breach notice letters I’ve ever seen,” …

Background/Headlines
For other examples, see:
You are not immune. Your campus will have to deal with incidents and, depending on the severity, may be required to notify affected users.

Welcome and Introductions
- Name
- Institution
- Your role
- Have you had a data incident requiring notification?
- What do you hope to gain from this session?

Scenario What do you do???

Data Incident Notification Mary Ann Blair Director of Information Security Carnegie Mellon University

The Need to Notify
- July – California SB 1386
- December 22, 2005 – Pennsylvania SB 712
- In the future (?)
  - S. 1408: Identity Theft Protection Act (109th Congress)
  - H.R. 4172: Data Accountability and Trust Act
  - S. 1332: Personal Data Privacy and Security Act

Data Breaches
- 104 publicized data breaches in breaches in colleges/universities
- 50 million people affected (2 million from colleges/universities)
Sources: ID Analytics, Privacy Rights Clearinghouse

Identity Theft
- ~10 million victims in the last three years
- Out-of-pocket cost to victims: $500 – $1,500
- Time spent by victims: 30 to several hundred hours
- In 2002, cost to business: $50 – $279 billion, based on average victim loss of $4,800 – $92,000
- Cost is significantly lower if discovered quickly
Sources: Javelin Research, Federal Trade Commission, Identity Theft Resource Center

Notification of Data Breach
The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress)
- Reporting the breach to the Federal Trade Commission
- Notification of consumers

Consumer Notification... Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.

Reasonable Risk of ID Theft In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.

Methods of Notification
- Written notice
- Electronic notice
- Substitute notice, when:
  - Cost of notice exceeds $250,000
  - The individuals to be notified exceed 500,000
  - You do not have sufficient contact information

Substitute Notice
- Notice by electronic mail when you have an address for affected individuals
- Conspicuous posting of such notice on your Internet website
- Notification to major state-wide media

Content of the Notice
- Name of the individual whose information was the subject of the breach of security
- The name of the “covered entity” that was the subject of the breach of security
- A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
- The specific dates between the breach of security of the sensitive personal information of the individual and discovery
- The toll-free numbers necessary to contact:
  - Each entity that was the subject of the breach of security
  - Each nationwide credit reporting agency
  - The Federal Trade Commission

Timing of the Notice
- Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
- In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
- There is a provision for law enforcement and homeland security related delays

Implications
- Application of state laws
  - Conflicting requirements
  - Potential for Federal preemption
- Congressional record may prove important
- Absence of case law
- Unfunded mandate

Data Incident Notification Toolkit*
- Provide a tool that pulls from our collective experience.
- A real-time aid for creating the various communications that form data breach notification.
- An essential part of an incident response plan.
* Hosted by EDUCAUSE

Notification Templates
- Outlines and content for
  - Press Releases
  - Notification Letters
  - Incident Specific Website
  - Incident Response FAQs
  - Generic Identity Theft Web Site
- Sample language from actual incidents
- Food for thought – one size does not fit all

Before an Incident
- Generic Identity Theft Site
  - Public Service Announcement
  - Can be referenced in the event of an incident
- Components
  - What is Identity Theft
  - How to avoid it
  - What to do if
    - Your data may have been compromised
    - You become an actual victim of identity theft
  - FAQs

After an Incident
- Press Releases
- Notification Letters
- Incident Specific Website (1 per incident)
- Incident Response FAQs
- Hotline (FAQs serve as a script for call-takers)

Press Release Components
- Who is affected/not affected?
- What specific types of personal information are involved?
- What are the (brief) details of the incident?
- “No evidence to indicate data has been misused…” or what the evidence points to.
- Expression of regret and concrete steps the institution is taking to prevent this from happening again.
- For more information, …

Notification Letter Components
- Press Release +
- What steps should individuals take?
- Next steps.
- Contact information.
- Signature.

Incident Web Site Components
- Most-Recent-Update section at top of page
- Link to Identity Theft website/credit agencies
- FAQs
- Toll-free Hotline contact information

Post Incident Handling
- Monitoring of victim inquiries – ensure consistent handling
- Handling returned letters
- Modify incident response plans as needed
- Modify policies and procedures as needed
- Data Security Training and Awareness

Legal and Policy Framework Tracy Mitrano Director of IT Policy Cornell University

Information Security of Institutional Data
- Policy Statement
  - Every user of institutional data must manage it responsibly
- Appendix A
  - Roles and Responsibilities
- Appendix B
  - Minimum Data Security Standards

Data Classification Cost/Benefit Analysis
- Costs (financial and administrative):
  - Administrative burden
  - Financial cost of new technologies
  - New business practices
- Benefits (mitigating risk):
  - Legal check list
  - Policy decisions (prioritizing institutional data)
  - Ethical considerations?

Legal Check List

Type of Data             Privacy Statement   Annual Notice   Notification Upon Breach   Legislative Private Right of Action*   Government Enforcement   Statutory Damages
Personally Identifiable  o                   o               x                          O                                      x                        x
Education Record         x                   X               o                          o                                      x                        o
Medical Record           x                   o               o                          x                                      x                        x
Banking Record           x                   x               o                          o                                      x                        x

Incident Tools and Analysis Steven Schuster Director of IT Security Cornell University

Scenario 2 The plot thickens!!!

Questions That Need to Be Answered
- How are university decisions made?
- Who within your organization determines notification is necessary?
- How does a security organization scale to meet the number of incidents we see?
- How do we define “reasonable belief”?
- How much incident analysis is necessary?

How are university decisions made?
- Answering this question is probably the most important but may seem impossible
- Strategy
  - Ensure everyone who has some skin in this decision is included
- Who should be included?

Cornell’s Decision Making
- Data Incident Response Team (DIRT)
- DIRT meets for every incident involving critical data
- DIRT objectives
  - Thoroughly understand each incident
  - Guide immediate required response
  - Determine requirement to notify

DIRT Members
- Core Team
  - University Audit
  - Risk Management
  - University Police
  - University Counsel
  - University Communication
  - CIO
  - Director, IT Policy
  - Director, IT Security
- Incident Specific
  - Data Steward
  - Unit Head
  - Local IT support
  - Security Liaison
  - ITMC member

Scaling Security What is the mission of this office?

Scaling Security
- Two broad components
  - Security operations
  - Security architecture development
- We need to recognize these demands are often at odds
- We must focus on operational efficiencies
  - Quicker identification
  - Immediate response
  - Selective analysis: if the computer does not contain sensitive data I don’t care to do analysis

“Reasonable Belief” “… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.” What does this mean?

Performing the Analysis
- Data sources
  - System data
  - Network data
- What questions need to be answered for each data source?
  - System data
  - Network data

“Reasonable Belief”
Need to Notify: outcomes of the analysis, from least to most serious
- Confirmed Data Were Not Acquired
- Reasonable Belief Data Were Not Acquired
- No Data Available for Analysis
- Reasonable Belief Data Were Acquired
- Access to Data Confirmed
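The five outcomes on this slide, combined with the two data sources (system data, network data) from the "Performing the Analysis" slide, can be written down as a triage rule so that every incident is graded the same way before it reaches the decision team. The Python below is an added example, not code from the presentation or from Cornell. The Evidence fields (system_data, network_data, contains_sensitive_data), the rule that conflicting evidence resolves toward the more serious outcome, and the placement of the notify threshold at "No Data Available for Analysis" are assumptions made for the example; where the line actually sits is the policy decision the slide leaves to the institution. The constructed scenarios show the case the slide is really about: when logs are missing, the analysis cannot rule acquisition out, so notification is required even though nothing was proven.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Belief(Enum):
    """The five outcomes on the slide's 'reasonable belief' scale, least to most serious."""
    CONFIRMED_NOT_ACQUIRED = "Confirmed data were not acquired"
    BELIEF_NOT_ACQUIRED = "Reasonable belief data were not acquired"
    NO_DATA = "No data available for analysis"
    BELIEF_ACQUIRED = "Reasonable belief data were acquired"
    ACCESS_CONFIRMED = "Access to data confirmed"


# Assumed placement of the 'Need to Notify' line: these outcomes require notification.
NOTIFY_THRESHOLD = {Belief.NO_DATA, Belief.BELIEF_ACQUIRED, Belief.ACCESS_CONFIRMED}


@dataclass
class Evidence:
    """Summary of what each data source from the slides showed (assumed fields).

    Each source is None when no usable data exists, True when the source shows
    the sensitive data was accessed or transferred, False when it shows it was not.
    """
    system_data: Optional[bool]   # host logs, file access times, audit trail
    network_data: Optional[bool]  # flow records, IDS alerts, proxy logs
    contains_sensitive_data: bool = True


def classify(ev: Evidence) -> Belief:
    """Map the evidence onto the slide's scale.

    Design choice: conflicting evidence resolves toward the more serious outcome,
    and a single negative source yields only 'reasonable belief', not 'confirmed'.
    """
    if ev.system_data is None and ev.network_data is None:
        return Belief.NO_DATA                 # nothing to analyse: cannot rule acquisition out
    if ev.system_data:
        return Belief.ACCESS_CONFIRMED        # host evidence shows the files were accessed
    if ev.network_data:
        return Belief.BELIEF_ACQUIRED         # transfer seen on the wire, host access not shown
    if ev.system_data is False and ev.network_data is False:
        return Belief.CONFIRMED_NOT_ACQUIRED  # both sources agree nothing was acquired
    return Belief.BELIEF_NOT_ACQUIRED         # one negative source, the other unavailable


def triage(ev: Evidence) -> Tuple[Optional[Belief], bool]:
    """Return (belief, must_notify). Machines without sensitive data are not analysed."""
    if not ev.contains_sensitive_data:
        return None, False
    belief = classify(ev)
    return belief, belief in NOTIFY_THRESHOLD


# Constructed scenarios for illustration; not incidents from the presentation.
SCENARIOS = {
    "logs rotated, no netflow":       Evidence(system_data=None,  network_data=None),
    "audit trail clean, flows clean": Evidence(system_data=False, network_data=False),
    "audit trail clean, no netflow":  Evidence(system_data=False, network_data=None),
    "no audit trail, large outbound": Evidence(system_data=None,  network_data=True),
    "file access logged":             Evidence(system_data=True,  network_data=False),
    "lab box, no sensitive data":     Evidence(system_data=None,  network_data=None,
                                               contains_sensitive_data=False),
}


def run_scenarios(scenarios=SCENARIOS):
    """Return {name: (belief label or None, must_notify)} for each scenario."""
    out = {}
    for name, ev in scenarios.items():
        belief, notify = triage(ev)
        out[name] = (belief.value if belief else None, notify)
    return out


if __name__ == "__main__":
    for name, (label, notify) in run_scenarios().items():
        print(f"{name:32} -> {label or 'not analysed':42} notify={notify}")
```

The rule is deliberately conservative in two places: a single "clean" source only earns "reasonable belief data were not acquired", never "confirmed", and any positive source outranks a negative one. Teams that want a different threshold change NOTIFY_THRESHOLD rather than the classifier, so the evidence grading and the policy decision stay separate, which is the split between the security office and the DIRT that the slides describe.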

Performing the Analysis

Conclusions
- Build a mechanism to address the tough question
- Be prepared to make judgment calls
- Someone’s going to have to get their hands dirty

Thank you! Questions?