Data Incident Notification Policies and Procedures Tracy Mitrano Steven Schuster ICPL 2006.

Background/Headlines

- For other examples, see:
- You are not immune.
- Your campus will have to deal with incidents and, depending on the severity, may be required to notify affected users.

The Need to Notify

- July California SB 1386
- December 18, New York A04254A
- December 22, 2005 – Pennsylvania SB 712
- In the future (?)
  - S. 1408: Identity Theft Protection Act (109th Congress)
  - H.R. 4172: Data Accountability and Trust Act
  - S. 1332: Personal Data Privacy and Security Act

Data Breaches

- 104 publicized data breaches in 2005
- 50 breaches in colleges/universities
- 50 million people affected (2 million from colleges/universities)

Sources: ID Analytics, Privacy Rights Clearinghouse

Identity Theft

- ~10 million victims in the last three years
- Out-of-pocket cost to victims: $500 – $1,500
- Time spent by victims: 30 to several hundred hours
- In 2002, cost to business: $50 – $279 billion, based on an average loss per victim of $4,800 – $92,000
- Cost is significantly lower if the theft is discovered quickly

Sources: Javelin Research, Federal Trade Commission, Identity Theft Resource Center

Incident Decision Making, Tools and Analysis

Questions That Need to Be Answered

- How are university decisions made?
- Who within your organization determines that notification is necessary?
- How does a security organization scale to meet the number of incidents we see?
- How do we define "reasonable belief"?
- How much incident analysis is necessary?

How are university decisions made?

- Answering this question is probably the most important, but may seem impossible
- Strategy: ensure everyone who has some skin in this decision is included
- Who should be included?

Cornell's Decision Making

- Data Incident Response Team (DIRT)
- DIRT meets for every incident involving critical data
- DIRT objectives:
  - Thoroughly understand each incident
  - Guide the immediate required response
  - Determine the requirement to notify

DIRT Members

- Core Team
  - University Audit
  - Risk Management
  - University Police
  - University Counsel
  - University Communication
  - CIO
  - Director, IT Policy
  - Director, IT Security
- Incident Specific
  - Data Steward
  - Unit Head
  - Local IT support
  - Security Liaison
  - ITMC member

Scaling Security

- What is the mission of this office?

Scaling Security

- Two broad components:
  - Security operations
  - Security architecture development
- We need to recognize that these demands are often at odds
- We must focus on operational efficiencies:
  - Quicker identification
  - Immediate response
  - Selective analysis: if the computer does not contain sensitive data, I don't care to do analysis

"Reasonable Belief"

- "… notification is required if there is reasonable belief that data were acquired by an unauthorized individual."
- What does this mean?

Performing the Analysis

- Data sources:
  - System data
  - Network data
- What questions need to be answered for each data source?
  - System data
  - Network data

Reasonable Belief (decision spectrum, from the slide diagram)

- Confirmed data were not acquired
- Reasonable belief data were not acquired
- Need to notify:
  - No data available for analysis
  - Reasonable belief data were acquired
  - Access to data confirmed


Reasonable Belief

- Reasonable belief data were acquired:
  - System compromise occurred a significant time ago
  - File MAC times after the compromise and not tied to a supporting application
  - Significant remote access and download
  - More sophisticated hacker tools
  - Etc.
- Reasonable belief data were NOT acquired:
  - Compromise identified quickly
  - File MAC times consistently before the compromise
  - Limited or no network download
  - More benign hacker tools
  - Benign system use characteristics
  - Etc.
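The indicators above are the evidence a DIRT-style team weighs for each compromised host. As an added example that is not part of the presentation and not Cornell's own tooling, the script below turns those four factors (dwell time, sensitive-file MAC times, outbound transfer volume, tool sophistication) into a repeatable scoring of system and network data against the compromise time. The thresholds (30 days of dwell, 1 MB sent off campus), the "explained by a legitimate process" flag on file records, the rule that a tie is resolved toward notification, and all sample records are assumptions for illustration.

```python
# Added example (not from the presentation): scoring the "reasonable belief"
# indicators against system data (file MAC times) and network data (outbound flows).
# Thresholds and sample records below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileMac:
    """MAC times of one file holding sensitive data (from a disk image or live host)."""
    path: str
    modified: datetime
    accessed: datetime
    explained_by_app: bool = False  # touch accounted for by a known legitimate process (backup, app)


@dataclass
class Flow:
    """Outbound connection summary, netflow style."""
    start: datetime
    dst: str
    bytes_out: int
    external: bool  # destination off the campus network


# Outcomes on the notify side of the slide's spectrum (assumed mapping).
NOTIFY_VERDICTS = {"no_data", "belief_acquired", "access_confirmed"}


def assess(compromise, discovered, files, flows, sophisticated_tools,
           access_confirmed=False, long_dwell=timedelta(days=30), download_threshold=1_000_000):
    """Return (verdict, reasons). Each factor votes +1 (acquired) or -1 (not acquired);
    a tie is resolved toward notification (an assumed, conservative choice)."""
    if access_confirmed:
        return "access_confirmed", ["attacker access to the data is confirmed"]
    if files is None and flows is None:
        return "no_data", ["no system or network data available for analysis"]

    score, reasons = 0, []

    # Factor 1: how long the intruder had on the box before discovery.
    dwell = discovered - compromise
    if dwell > long_dwell:
        score += 1
        reasons.append(f"compromise {dwell.days} days before discovery")
    else:
        score -= 1
        reasons.append("compromise identified quickly")

    # Factor 2: sensitive-file MAC times after the compromise that no legitimate process explains.
    if files is not None:
        touched = [f.path for f in files
                   if not f.explained_by_app and max(f.modified, f.accessed) > compromise]
        if touched:
            score += 1
            reasons.append(f"unexplained MAC times after compromise: {touched}")
        else:
            score -= 1
            reasons.append("sensitive-file MAC times all before compromise or explained")

    # Factor 3: bytes sent to off-campus hosts since the compromise.
    if flows is not None:
        out = sum(f.bytes_out for f in flows if f.external and f.start >= compromise)
        if out >= download_threshold:
            score += 1
            reasons.append(f"{out} bytes sent off campus after compromise")
        else:
            score -= 1
            reasons.append(f"limited outbound transfer ({out} bytes)")

    # Factor 4: commodity bot dropped by a scanner vs. targeted tooling.
    if sophisticated_tools:
        score += 1
        reasons.append("sophisticated attacker tooling")
    else:
        score -= 1
        reasons.append("benign or commodity tooling")

    if score < 0:
        return "belief_not_acquired", reasons
    if score == 0:
        reasons.append("indicators split; resolved toward notification")
    return "belief_acquired", reasons


def must_notify(verdict):
    return verdict in NOTIFY_VERDICTS


def run_examples():
    """Three constructed incidents; returns {name: verdict}."""
    results = {}
    # Incident A: found weeks later, SSN export read and 48 MB pushed off campus.
    v, _ = assess(
        compromise=datetime(2006, 1, 5, 2, 0), discovered=datetime(2006, 3, 1, 9, 0),
        files=[FileMac("/srv/db/ssn_export.csv", datetime(2005, 12, 20), datetime(2006, 1, 5, 3, 10))],
        flows=[Flow(datetime(2006, 1, 5, 3, 15), "198.51.100.7", 48_000_000, external=True)],
        sophisticated_tools=True)
    results["long_dwell_download"] = v
    # Incident B: IRC bot caught overnight; only the nightly backup touched the data.
    v, _ = assess(
        compromise=datetime(2006, 2, 10, 22, 0), discovered=datetime(2006, 2, 11, 8, 0),
        files=[FileMac("/srv/db/ssn_export.csv", datetime(2005, 12, 20), datetime(2006, 2, 9, 1, 0)),
               FileMac("/srv/db/ssn_export.csv.bak", datetime(2006, 2, 11, 1, 0),
                       datetime(2006, 2, 11, 1, 0), explained_by_app=True)],
        flows=[Flow(datetime(2006, 2, 10, 22, 5), "203.0.113.9", 12_000, external=True),
               Flow(datetime(2006, 2, 11, 1, 0), "10.20.0.5", 90_000_000, external=False)],
        sophisticated_tools=False)
    results["caught_quickly"] = v
    # Incident C: machine reimaged before anyone looked; nothing left to analyse.
    v, _ = assess(datetime(2006, 2, 1), datetime(2006, 2, 2), files=None, flows=None,
                  sophisticated_tools=False)
    results["no_evidence"] = v
    return results


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict} -> notify={must_notify(verdict)}")
```

The point of the "explained_by_app" flag is the slide's caveat that MAC times after the compromise only count when they are not tied to a supporting application; a backup job that reads the file every night proves nothing about the intruder. Likewise only off-campus flows count toward the download factor, so an internal replication transfer does not inflate the score.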


Performing the Analysis

The Bottom Line

- Build a mechanism to address the tough question
- Be prepared to make judgment calls
- Someone is going to have to get their hands dirty

Legal and Policy Framework

Internet & IT Policy: the four regulators of behavior online (Lessig's modalities)

- Law
- Norms
- Architecture
- Market

Big "P" and Little "p" Policy

- Big "P" policy involves external issues, such as national security, electronic surveillance laws, privacy, or digital copyright:
  - USA PATRIOT Act
  - Digital Copyright
  - Privacy in the Electronic Realm
  - CALEA: Communications Assistance for Law Enforcement Act

Little "p" Policy

- Little "p" policy is institutional policy.
- Preservation and protection of institutional interests and assets: if your policy does not stand up to this test, best to rethink it.
- Cornell Model:
  - Centralized University Policy Office
  - Famous "policy on policies!"
  - Balance of statement and procedure: at the institutional level of procedure, but not backline

Cornell Model…

- Is not the model for every institution!
- Policy is part and parcel of the culture, traditions and structure of each institution.
- Observed irony:
  - The more decentralized the institution, the more it needs a centralized policy process to routinize compliance and practices around the college or university.
  - The less decentralized, the more likely that policy occurs naturally within the existing structure.
  - Size does not always determine this: Georgetown as a counter-example to Cornell University.

Two Generalizations about Policy and Process: (1)

- It is critical to have a policy process…
  - for legal compliance primarily
  - in deference to the complex nature of higher education secondarily
  - especially as higher education becomes more international in scope and information technology is increasingly intermingled with the law, the market and changing norms within society
- …no matter what the particular culture or structure of your institution.

Two Generalizations about Process: (2)

- It almost always does, or should, boil down to three essential steps:
  1. The responsible office brings the concept forward to a high-level committee (Audit, Counsel, VPs, Dean of Faculty, or even President and Provost)
  2. Mid-level review for implementation: the greater the representation of the campus community, the better
  3. Back to the high level for sign-off and promulgation

Information Security of Institutional Data

- Policy Statement: every user of institutional data must manage it responsibly
- Appendix A: Roles and Responsibilities
- Appendix B: Minimum Data Security Standards

Data Classification

- Cost/Benefit Analysis
  - Costs (financial and administrative):
    - Administrative burden
    - Financial cost of new technologies
    - New business practices
  - Benefits (mitigating risk):
    - Legal check list
    - Policy decisions (prioritizing institutional data)
    - Ethical considerations?

Legal Check List

Type of Data            | Privacy Statement | Annual Notice | Notification Upon Breach | Legislative Private Right of Action* | Government Enforcement | Statutory Damages
Personally Identifiable | o                 | o             | x                        | O                                    | x                      | x
Education Record        | x                 | X             | o                        | o                                    | x                      | o
Medical Record          | x                 | o             | o                        | x                                    | x                      | x
Banking Record          | x                 | x             | o                        | o                                    | x                      | x

When Notifications are Required

Content of the Notice

- Name of the individual whose information was the subject of the breach of security
- The name of the "covered entity" that was the subject of the breach of security
- A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
- The specific dates between the breach of security of the sensitive personal information of the individual and its discovery
- The toll-free numbers necessary to contact:
  - Each entity that was the subject of the breach of security
  - Each nationwide credit reporting agency
  - The Federal Trade Commission

Timing of the Notice

- In the most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
- In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
- There is a provision for law enforcement and homeland security related delays

Data Incident Notification Toolkit*

- Provides a tool that pulls from our collective experience.
- A real-time aid for creating the various communications that form data breach notification.
- An essential part of an incident response plan.
- tificationToolkit/9320

* Hosted by EDUCAUSE

Notification Templates

- Outlines and content for:
  - Press Releases
  - Notification Letters
  - Incident-Specific Website
  - Incident Response FAQs
  - Generic Identity Theft Web Site
- Sample language from actual incidents
- Food for thought: one size does not fit all