Presentation is loading. Please wait.

Presentation is loading. Please wait.

Office of the Chief Information Officer Preparing for a Data Compromise: what to do when a security breach exposes sensitive data Charles R. Morrow-Jones.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Office of the Chief Information Officer Preparing for a Data Compromise: what to do when a security breach exposes sensitive data Charles R. Morrow-Jones."— Presentation transcript:

1 Office of the Chief Information Officer Preparing for a Data Compromise: what to do when a security breach exposes sensitive data Charles R. Morrow-Jones Director, Cyber-Security Cathy Bindewald Director, Communications, Marketing and Planning Office of the Chief Information Officer The Ohio State University

2 Office of the Chief Information Officer Acknowledgements This presentation has benefited greatly from conversations with: –Mary Ann Blair, Director of Information Security, Computing Services, Carnegie Mellon University –Tim Keller, Director, Fraud and Identity Management Solutions, TransUnion LLC –Steve Schuster, Director of IT Security, Cornell University Educause has supplied valuable material on this topic

3 Office of the Chief Information Officer Agenda Introduction What is sensitive data? Why do we need a disclosure response plan? –Legal requirements – FERPA, HIPAA, Ohio HB 104,…. –Ethical considerations Developing an enterprise disclosure response plan –creation of an intra-institutional response team –insuring that the response team is appropriately prepared –creation of advisory chains within the institution –processes for the notification of affected individuals –dealing with the news media –appropriate remediation

4 Office of the Chief Information Officer What is Sensitive Data? Data that are legally or customarily protected from disclosure. Examples of legal protections include: FERPA - Requires the safeguarding and protection of privacy for educational records HIPAA – Protects the privacy of medical records Ohio House Bill 104 – requires notification if “Personal Information” is exposed

5 Office of the Chief Information Officer Examples of Sensitive Data Name Address SSN Telephone Number Driver’s License Number Account Number PIN Email Address Password Other personal Information

6 Office of the Chief Information Officer Ohio House Bill 104 Personal Information Personal Information - a person’s name linked with any one of the following (when data elements are not encrypted, redacted or altered): SSN, driver’s license number, debit card or account number linked with a security code or password

7 Office of the Chief Information Officer House Bill 104 Requirements Effective February 17, 2006 Requires state agencies, persons and businesses to contact individuals if unencrypted personal information maintained on computers is obtained by unauthorized persons (breach of security) and access causes or is believed to cause risk of identity theft or other fraud Notice of breach must occur within 45 days of the discovery

8 Office of the Chief Information Officer House Bill 104 Definition of a Security Breach Breach of Security - unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes or is believed to cause risk of identity theft or other fraud

9 Office of the Chief Information Officer House Bill 104 Exclusions Exclusions - personal information publicly available information that is lawfully made available to the general public from federal, state or local government records; any published news, editorial or advertising statement

10 Office of the Chief Information Officer House Bill 104 Notification Requirements Notice/disclosure of breach may be given in the following ways –Written –Electronic –Telephone –Substitute notice - email, posting on agency website, media outlets - may be given if the agency does not have sufficient information on the residents or the cost of providing notice exceeds $250,000 or the number of those to be notified exceeds 500,000

11 Office of the Chief Information Officer House Bill 104 Inform National Credit Bureaus Credit Reporting - If more than 1,000 residents are involved in a single occurrence of a breach of security, the state agency or agency of a political subdivision shall notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure

12 Office of the Chief Information Officer House Bill 104 Failure to Comply Requires court to determine if there was bad faith in the failure to comply and if the failure to comply was intentional or reckless Civil penalties –$1,000 per day for the first 60 days –Up to $5,000 per day for days 61-90 –Up to $10,000 per day beginning the 91st day

13 Office of the Chief Information Officer The Disclosure Response Plan

14 Office of the Chief Information Officer Creating an Intra-institutional Compromise Response Team Purpose: –For each situation involving a possible data compromise, determine whether notification is required To be successful: –Team structure must match the decision making culture of the organization –Authorization to make the notification decision must be delegated to the team –All incidents must be referred to the team

15 Office of the Chief Information Officer Response Team Membership (Cornell DIRT Example) Core Team: CIO Director, IT Policy Director, IT Security University Audit University Council University Police University Communication Risk Management Incident Specific Additions: Data Steward Unit Head Local IT Support Security Liaison ITMC member

16 Office of the Chief Information Officer Response Team Membership (Possible Additional Membership) Core Team: CIO Director, IT Policy Director, IT Security University Audit University Council University Police University Communication Risk Management Leader, Help Desk Incident Specific Additions: Data Steward Division Head (e.g. Dean) Unit Head (e.g. Chair) Local IT Support Security Liaison ITMC member Office of Human Resources IT Security Technicians

17 Office of the Chief Information Officer Preparing the Response Team Convene the Response Team –Introduce members, promote interaction Conduct Table Top Exercises –Exercises can readily be developed using the Educause material listed on the Resources slide

18 Office of the Chief Information Officer Create Advisory Chains Who needs to know? Define advisory chains before an incident happens Utilize your response team as initiators CIOProvostPresident Media Relations Local Newspaper Local TV

19 Office of the Chief Information Officer Create a Generic Identity Theft Website Create a generic identity theft website as a public service announcement to your institution’s community. Possible content: –What is identity theft? –How to protect yourself from identity theft –Steps to take if your data becomes compromised or stolen –Information about how to contact credit reporting agencies; Social Security administration; ID theft clearinghouse; local law enforcement – Other resources

20 Office of the Chief Information Officer In the Event of an Event… Alert the team – if possible, give a preliminary assessment Initiate communication with advisory chains. Assemble and assess evidence of disclosure Convene team, reach notification decision Transmit decision via advisory chains If decision is to notify, begin notification processes appropriate to scale of incident.

21 Office of the Chief Information Officer Reaching the Decision to Notify “Reasonable Belief” Increasing need to notify Confirmation that sensitive data were not acquired Confirmation that sensitive data were acquired No meta-data available for analysis Reasonable belief that data were acquired Reasonable belief that data were not acquired

22 Office of the Chief Information Officer Typical Components of a Notification Plan Written notification Dedicated telephone assistance Dedicated Web site Features Maintain University reputation Increase ‘customer’ confidence Benefits Reduce potential damage (Credit file monitoring) Press release(s) Reduce potential for litigation?

23 Office of the Chief Information Officer Construct a Press Release A good press release includes: Who is affected/not affected? What specific types of personal information were exposed? What are the (brief) details of the incident? “No evidence that the data have been misused” or what misuse the evidence points to Expression of regret and concrete steps the institution is taking to prevent a reoccurrence Contact point for more information

24 Office of the Chief Information Officer Notifying the Affected Individuals Who needs to be notified? How? When? –Legal requirements about who, how and when –It may be appropriate to delay notification if law enforcement is involved and approves delay – Sending letters vs. sending e-mail Studies have shown that personal is better than impersonal –Going beyond basic requirements Offering to pay for credit report monitoring

25 Office of the Chief Information Officer Contents of the Notification Letter Press Release plus: The next steps individuals should take Next steps by the University (in addition to those in the press release) Contact information, including telephone number, dedicated e-mail address and dedicated website Signature

26 Office of the Chief Information Officer Contents of the Incident Specific Website –Most Recent Update section at the top of the page – –Reiterate actions taken to ensure improved security in future –Links to identity theft & credit agency websites –FAQ’s –Toll-free contact number –url: www.universityname.edu/datatheft

27 Office of the Chief Information Officer Dedicated Telephone Assistance This should be a toll-free number, dedicated to this incident Staff answering the assistance line should be individuals familiar with and focused on the situation (i.e., probably not staffed from a generic help desk) Number and staffing should remain in place until call volume drops to zero

28 Office of the Chief Information Officer Dealing with the News Media Speak with a single voice -identify a spokesperson for the institution Be sure the spokesperson is well briefed – ideally, she/he will be part of the response team Inform everyone involved of the identity of the spokesperson, and ask that all inquiries be referred to him/her.

29 Office of the Chief Information Officer Remediation Be sure that the exposure has been identified and removed. –Your system administrators/computer security staff should be charged with doing this – Law enforcement’s needs for evidence takes priority over clean-up

30 Office of the Chief Information Officer Resources Blair, Mitrano and Schuster, “Data Incident Notification Policies and Procedures”, Presented to the Educause/Internet2 Security Professionals Conference, April, 2006 Educause, “Data Incident Notification Toolkit”, http://www.educause.edu/DataIncidentNotificationToolkit/9320 Educause, “Data Incident Notification Templates”, http://www.educause.edu/LibraryDetailPage/666?ID=CSD4237 Keller, “ Managing a Data Compromise: Is Your Organization Prepared?” Presented at the OSU Second Annual Security Day, October, 2005 http//cio.osu.edu/communications/community/2005/prepared.ppt Petersen, “Security Breaches: Notification, Treatment and Prevention”, EDUCAUSE Review (Volume 40, Number 4, July/August 2005)

31 Office of the Chief Information Officer Questions for Another Time… How do you discover disclosures? –Device theft –Weak/stolen/poorly managed passwords –Poorly managed accounts –Improper/poorly managed access permissions –Use of email or IM to move information –Weak vulnerability detection/management –Inadequate host based defenses –HR risk / disgruntled employee / poor separation of duties –Process risks – inadequate security review of technical information systems –Process risks – inadequate process controls for publicly accessible information How do you know which machines house sensitive data?

32 Office of the Chief Information Officer Author Contact Information Cathy Bindewald Bindewald.2@osu.edu 614.247.6980 Charles Morrow-Jones Morrow-jones.2@osu.edu 614.292.1302

Download ppt "Office of the Chief Information Officer Preparing for a Data Compromise: what to do when a security breach exposes sensitive data Charles R. Morrow-Jones."

Similar presentations

Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE.

Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
Identity Theft Solutions. ©SHRM 20082 Introduction Identification theft became the number one criminal activity issue in 2004 and has remained at the.

Identity Theft Solutions. ©SHRM Introduction Identification theft became the number one criminal activity issue in 2004 and has remained at the.
Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.

Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
1.3.1.G1 © Family Economics & Financial Education – Revised October 2004 – Consumer Protection Unit – Identity Theft Funded by a grant from Take Charge.

1.3.1.G1 © Family Economics & Financial Education – Revised October 2004 – Consumer Protection Unit – Identity Theft Funded by a grant from Take Charge.
Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.

Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.

Similar presentations

Ads by Google