Data Incident Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University William L. Custer Information Security Policy.
Data Incident Notification Toolkit
Mary Ann Blair, Director of Information Security, Carnegie Mellon University
William L. Custer, Information Security Policy Manager, Miami University
Rodney Petersen, Policy Analyst and Security Task Force, EDUCAUSE

Notification of Security Breach Risk
The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress)
- Reporting the Breach to the Federal Trade Commission!!!
- Notification of Consumers

Consumer Notification...
Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.

Reasonable Risk of ID Theft
In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.

Methods of Notification
- Written notice
- Electronic notice
- Substitute notice
  – Cost of notice exceeds $250,000
  – The individuals to be notified exceed 500,000
  – You do not have sufficient contact information

Substitute Notice
- Notice by electronic mail when you have an address for affected individuals
- Conspicuous posting of such notice on your Internet website
- Notification to major State-wide media

Content of the Notice
- Name of the individual whose information was the subject of the breach of security
- The name of the “covered entity” that was the subject of the breach of security
- A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
- The specific dates between the breach of security of the sensitive personal information of the individual and discovery
- The toll-free numbers necessary to contact:
  – Each entity that was the subject of the breach of security
  – Each nationwide credit reporting agency
  – The Federal Trade Commission

Timing of the Notice
- Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
- In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
- There is a provision for law enforcement and homeland security related delays

Implications
- Application of state laws
  – Conflicting requirements
  – Potential for Federal preemption
- Congressional record may prove important
- Absence of case law
- Unfunded mandate

Goal: Bootstrap the Uninitiated
- When you’re under fire, you need help fast.
- Provide a tool that pulls from our collective experience.
- A real-time aid for creating the various communications that form data breach notification.
- An essential part of an incident response plan.

Data Incident Notification Toolkit
Hosted by EDUCAUSE
- Federal/State Legal Requirements
- Policies and Procedures
- Threshold for Notification
- Notification Templates
- Incident Web Sites
- Other Resources
  – Sample Incident Response Plans
- Under Construction
  – Threshold for involving law enforcement

Notification Templates
- Outlines and content for
  – Press Releases
  – Notification Letters
  – Incident Specific Website
  – Incident Response FAQs
  – Generic Identity Theft Web Site
- Sample language from actual incidents
- Food for thought – one size does not fit all

Before an Incident
- Generic Identity Theft Site
  – Public Service Announcement
  – Can be referenced in the event of an incident
- Components
  – What is Identity Theft
  – How to avoid it
  – What to do if your data may have been compromised, or if you become an actual victim of identity theft
  – FAQs
- Verify the information is correct at time of publication, especially for your locale.

Generic Identity Theft Site

Introduction
This site contains information on how to protect yourself from identity theft as well as what to do if your personal information becomes exposed or if you actually become a victim of identity theft. Links to additional information can be found under the Resources.

What is Identity Theft?
Identity theft occurs when someone uses another person's personal information such as name, Social Security number, driver's license number, credit card number or other identifying information to take on that person's identity in order to commit fraud or other crimes... etc.

Responding to an Incident
– Press Releases
– Notification Letters
– Incident Specific Website (1 per incident)
– Incident Response FAQs
– Hotline (FAQs serve as a script for call-takers)

Press Release Components
- Who is affected/not affected?
- What specific types of personal information are involved?
- What are the (brief) details of the incident?
- “No evidence to indicate data has been misused…” or what the evidence points to.
- Expression of regret and concrete steps the institution is taking to prevent this from happening again.
- For more information, …

Sample Snippets – Who is Affected/Not Affected
The server contained personal information, including names and Social Security numbers, on current, former and prospective students, as well as current and former faculty and staff. Student laptop computers were not breached, and, at this time, school officials believe that [population, e.g. current undergraduates] were not affected.

Notification Letter Components
- Press Release +
- What steps should individuals take?
- Next steps.
- Contact information.
- Signature.

Sample Snippets – Notification Letter
- Anticipated next steps, if any, e.g. the intention to notify if any additional information becomes available.
  Example: The theft of this information raises a number of possible risks to you. One is theft of identity for financial gain. The University will be sending you a package of materials outlining steps you can take to protect yourself from this.
- Who to contact for additional information: contact name, number, hours of availability, web site, hotline, address, etc.
  Example: Should you have further questions about this matter, please contact [name of contact], [title of contact], at [address of contact] or [phone number].
- Signature: whoever makes most sense – president, dean, or another contact familiar to the individual; consider multiple signatories for different constituent groups.

Incident Web Site Components
- Most-Recent-Update section at top of page
- Link to Identity Theft website/credit agencies
- FAQs
- Toll-free Hotline contact information

Data Incident Notification Toolkit Page
Location: EDUCAUSE Home > EDUCAUSE Major Initiatives > Security Task Force > Resources > Data Incident Notification Toolkit

Coming Attractions
- Threshold for notification
- Best practice detection – monitoring, logging, tools, etc.
- What would you like to see?

Miami University Fact Sheet
- Established Ohio land grant institution
- Liberal education core
- 100 undergraduate majors
- 22,600 Students
  – Oxford, Ohio campus: 15,300 undergraduates, 1400 graduate students
  – Hamilton – 3300 undergraduates
  – Middletown – 2600 undergraduates
  – European Center in Luxembourg

What Is This Session About?
- Notification if confidential data is exposed
- Using the toolkit
- Procedures should be in place already
- Part of Incident Response
- IR is part of an Operations Plan

Focus Of This Talk
- Usefulness of the Toolkit
- Case Study Approach
- How Miami used the toolkit after an incident

What Is The Toolkit?
- The resources on the Educause site
- DataIncidentNotificationToolkit/9320

What Is In The Toolkit (1)
- Press Release tools
- Notification Letter components
- Incident Specific Web Site Template
- Incident FAQ
- Generic Identity Theft Web Site

What Is In The Toolkit (2)
- Lots of links to other helpful sites
- www

The Incident Reported
- A report containing names, Social Security numbers and grades for 21,762 students from fall term 2002 was discovered in a file accessible through the Internet
- Monday, September 12, 2005
- Reported at 9:02 a.m.

IT Responds First
- 9:05 Find the exposed file
- 9:10 Remove the file
- 9:12 Contact IT senior management
- 11:00 Answers from log files
- 11:15 Offer advice to management

Nine Questions
- I interviewed Miami staff after the event
- What follows are nine questions
- Did the toolkit answer them?

Q1: Advise To Notify?
- Should IT advise notification?
- Answer: yes?
- Help from the toolkit?

A Black Box
- A black box would be nice
- Notify? Yes / No
- No black box in the toolkit

Factors Considered
- Exposed file was several years old
- Logs for 7 months
- Very little activity
- Increase of activity
- Two sites concerned us

Access Graphed
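The “Answers from log files” step and the factors above (age of the file, seven months of logs, a rise in activity, a couple of sources that stood out) are the questions a web server access log can answer before the notify/don't-notify decision. The following is an added example, not part of the slides or of the EDUCAUSE toolkit. It parses constructed NCSA combined-format log lines (a placeholder file path and RFC 5737 test addresses, not Miami's data), counts successful retrievals of the exposed file per month, flags a month whose hits jump to several times the median of the earlier months, and lists the busiest sources so a reviewer can see which clients deserve a closer look.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: placeholder path, RFC 5737 test addresses, invented times.
EXPOSED_PATH = "/reports/grades_fall2002.xls"  # assumed placeholder, not the real file name

SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2005:10:12:01 -0500] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Mozilla/4.0"
192.0.2.10 - - [18/Mar/2005:11:02:33 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Apr/2005:08:45:10 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
192.0.2.10 - - [30/May/2005:14:20:05 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Jul/2005:09:01:44 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Aug/2005:01:15:09 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Wget/1.9"
203.0.113.5 - - [02/Aug/2005:01:15:40 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Wget/1.9"
203.0.113.9 - - [05/Aug/2005:22:41:12 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2005:01:16:02 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Wget/1.9"
203.0.113.9 - - [19/Aug/2005:22:43:55 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Aug/2005:01:17:31 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 200 512000 "-" "Wget/1.9"
203.0.113.5 - - [13/Sep/2005:01:18:00 -0400] "GET /reports/grades_fall2002.xls HTTP/1.1" 404 312 "-" "Wget/1.9"
"""

# Client IP, timestamp, request line and status of an NCSA combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def retrievals(log_text, path):
    """Successful (2xx) requests for the exposed path, oldest first.

    A 404 after the file was removed shows a client still trying, but it did not
    obtain the data, so it is deliberately not counted as a retrieval."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and r["path"] == path and 200 <= r["status"] < 300]
    return sorted(hits, key=lambda r: r["ts"])


def monthly_summary(hits):
    """Hit count and number of distinct clients per month, keyed 'YYYY-MM', in date order."""
    months = {}
    for r in hits:
        bucket = months.setdefault(r["ts"].strftime("%Y-%m"), {"hits": 0, "clients": set()})
        bucket["hits"] += 1
        bucket["clients"].add(r["ip"])
    return {k: {"hits": v["hits"], "distinct_ips": len(v["clients"])}
            for k, v in sorted(months.items())}


def flag_increase(summary, factor=3):
    """Months whose hits reach `factor` times the median of all earlier months (the
    'increase of activity' signal); the first month has no baseline and is never flagged."""
    flagged, earlier = [], []
    for month, stats in summary.items():
        if earlier and stats["hits"] >= factor * max(1, median(earlier)):
            flagged.append(month)
        earlier.append(stats["hits"])
    return flagged


def top_sources(hits, n=3):
    """The n client addresses with the most successful retrievals."""
    return Counter(r["ip"] for r in hits).most_common(n)


def ascii_graph(summary):
    """Text version of the 'Access Graphed' slide: one bar per month."""
    return "\n".join(f"{m}  {'#' * s['hits']:<12} {s['hits']:2d} hits from {s['distinct_ips']} client(s)"
                     for m, s in summary.items())


if __name__ == "__main__":
    hits = retrievals(SAMPLE_LOG, EXPOSED_PATH)
    summary = monthly_summary(hits)
    print(ascii_graph(summary))
    print("months with a marked increase:", flag_increase(summary))
    print("busiest sources:", top_sources(hits))
```

The median-based baseline is a deliberate choice: a single busy month early in the window would inflate a mean and hide a later spike, whereas the median stays anchored to the “very little activity” months the slide describes. The distinct-client count is what distinguishes one automated fetcher re-downloading a file from many independent parties obtaining it, which bears directly on whether the data is “in the possession and control of an unauthorized third party”.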

Helps For Decision
- Toolkit links to California law
- Useful guidance for Ohio

Q2: Should We Notify?
- VP team to consider it
- Director of University Communications included
- Phone calls to 6 institutions
- Help from the toolkit?

Q3: How Find Time?
- Time is critical in an emergency
- Web searches take time
- Reading takes time
- Help from the toolkit? Yes

Pre-Selected Material
The toolkit saved us much time by selecting some of the best materials in advance.

Q4: Where Is the Table of Contents?
- Notification taxonomy?
- Ways to notify
- Help from the Toolkit? Yes

What Miami Did
- Press Release
- FAQ
- Notification Letter via
  – Telephone Hotline
  – US Mail – hired an agency to help

Q5: What Are The Topics?
- Topics to include in any notification
- Basic facts, concern, apology, action, commitment
- Help from the toolkit? Yes
- Plenty of examples

What Miami Did
- Miami chose the open kimono approach
- Read the examples
- Wrote from scratch

Q6: What Wording To Use?
- Words are important in a crisis
- The Press hangs on words
- Help from the toolkit? Yes

What Miami Did
- Read the examples
- Composed letters from scratch
- Used form letters from consultant

Q7: Things To Avoid
- Things not to say
- How not to create panic
- Help from the toolkit? Some

Q8: What Was Extra?
- What tools did Miami not use?
- Why?

Q9: What Tools Are Missing?
- This was a question for Miami
- Also a question for you

Contact Information