
Data Incident Notification Policies and Procedures Mary Ann Blair Tracy Mitrano Steven Schuster April 10, 2006 Copyright Mary Ann Blair, Tracy Mitrano,


1 Data Incident Notification Policies and Procedures Mary Ann Blair Tracy Mitrano Steven Schuster April 10, 2006 Copyright Mary Ann Blair, Tracy Mitrano, Steven Schuster 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the author.

2 Background/Headlines “A programming error in the University of Southern California's online system for accepting applications …left the personal information of as many as 280,000 users publicly accessible” “The University of San Diego has notified almost 7,800 individuals… that hackers gained illicit access to computers containing their personal income tax data. The compromised data included names, Social Security numbers and addresses” …

3 Background/Headlines “The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts.” “It's one of the worst security breach notice letters I’ve ever seen,” …

4 Background/Headlines For other examples, see: http://www.privacyrights.org/ar/ChronDataBreaches.htm You are not immune. Your campus will have to deal with incidents, and depending on the severity, may be required to notify affected users

5 Welcome and Introductions Name Institution Your role Have you had a data incident requiring notification? What do you hope to gain from this session?

6 Scenario What do you do???

7 Data Incident Notification Mary Ann Blair Director of Information Security Carnegie Mellon University macarr@cmu.edu

8 The Need to Notify July 2003 - California SB 1386 December 22, 2005 – Pennsylvania SB 712 In the future (?)  S. 1408: Identity Theft Protection Act (109th Congress)  H.R. 4172: Data Accountability and Trust Act  S. 1332: Personal Data Privacy and Security Act

9 Data Breaches 104 publicized data breaches in 2005 50 breaches in colleges/universities 50 million people affected (2 million from colleges/universities) Sources: ID Analytics, Privacy Rights Clearinghouse

10 Identity Theft ~10 Million victims last three years Out of pocket cost to victims $500 – $1,500 Time spent by victims 30 – several hundred hours In 2002, cost to business $50 - $279 billion, based on average victim loss of $4,800 – $92,000 Cost is significantly lower if discovered quickly Sources: Javelin Research, Federal Trade Commission, Identify Theft Resource Center

11 Notification of Data Breach The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress) Reporting the Breach to the Federal Trade Commission Notification of Consumers

12 Consumer Notification... Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.

13 Reasonable Risk of ID Theft In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.

14 Methods of Notification Written notice Electronic notice Substitute notice (permitted when any of the following applies)  Cost of notice exceeds $250,000  The number of individuals to be notified exceeds 500,000  You do not have sufficient contact information

15 Substitute Notice Notice by electronic mail when you have an email address for affected individuals Conspicuous posting of such notice on your Internet website Notification to major State-wide media

16 Content of the Notice Name of the individual whose information was the subject of the breach of security The name of the “covered entity” that was the subject of the breach of security A description of the categories of sensitive personal information of the individual that were the subject of the breach of security The specific dates between the breach of security of the sensitive personal information of the individual and discovery The toll-free numbers necessary to contact:  Each entity that was the subject of the breach of security  Each nationwide credit reporting agency  The Federal Trade Commission

17 Timing of the Notice Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system There is a provision for law enforcement and homeland security related delays

18 Implications Application of state laws  Conflicting requirements  Potential for Federal preemption Congressional record may prove important Absence of case law Unfunded mandate

19 Data Incident Notification Toolkit* Provide a tool that pulls from our collective experience. A real-time aid for creating the various communications that form data breach notification. An essential part of an incident response plan. * Hosted by EDUCAUSE


23 Notification Templates Outlines and content for  Press Releases  Notification Letters  Incident Specific Website  Incident Response FAQs  Generic Identity Theft Web Site Sample language from actual incidents Food for thought – one size does not fit all

24 Before an Incident Generic Identity Theft Site  Public Service Announcement  Can be referenced in the event of an incident Components  What is Identity Theft  How to avoid it  What to do if Your data may have been compromised You become an actual victim of identity theft  FAQs

25 After an Incident  Press Releases  Notification Letters  Incident Specific Website (1 per incident)  Incident Response FAQs  Hotline (FAQs serve as a script for call-takers)

26 Press Release Components Who is affected/not affected? What specific types of personal information are involved? What are the (brief) details of the incident? “No evidence to indicate data has been misused…” or what the evidence points to. Expression of regret and concrete steps the institution is taking to prevent this from happening again. For more information, …

27 Notification Letter Components Press Release + What steps should individuals take? Next steps. Contact information. Signature.

28 Incident Web Site Components Most-Recent-Update section at top of page Link to Identity Theft website/credit agencies FAQs Toll-free Hotline contact information

29 Post Incident Handling Monitoring of victim inquiries – ensure consistent handling Handling returned letters Modify incident response plans as needed Modify policies and procedures as needed Data Security Training and Awareness

30 Legal and Policy Framework Tracy Mitrano Director of IT Policy Cornell University tbm3@cornell.edu


32 http://www.cit.cornell.edu/oit/policy/framework-chart.html

33 Information Security of Institutional Data Policy Statement  Every user of institutional data must manage responsibly Appendix A  Roles and Responsibilities Appendix B  Minimum Data Security Standards

34 Data Classification Cost/Benefit Analysis Costs (financial and administrative):  Administrative burden  Financial cost of new technologies  New business practices Benefits (mitigating risk):  Legal check list  Policy decisions (prioritizing institutional data)  Ethical considerations?

35 Legal Check List

Type of Data             Privacy Statement  Annual Notice  Notification Upon Breach  Legislative Private Right of Action*  Government Enforcement  Statutory Damages
Personally Identifiable  o                  o              x                         O                                     x                       x
Education Record         x                  X              o                         o                                     x                       o
Medical Record           x                  o              o                         x                                     x                       x
Banking Record           x                  x              o                         o                                     x                       x

36 Incident Tools and Analysis Steven Schuster Director of IT Security Cornell University sjs74@cornell.edu

37 Scenario 2 The plot thickens!!!

38 Questions That Need to Be Answered How are university decisions made? Who within your organization determines notification is necessary? How does a security organization scale to meet the number of incidents we see? How do we define “reasonable belief”? How much incident analysis is necessary?

39 How are university decisions made? Answering this question is probably the most important but may seem impossible Strategy  Ensure everyone who has some skin in this decision is included Who should be included?

40 Cornell’s Decision Making Data Incident Response Team (DIRT) DIRT meets for every incident involving critical data DIRT objectives  Thoroughly understand each incident  Guide immediate required response  Determine requirement to notify

41 DIRT Members Core Team  University Audit  Risk Management  University Police  University Counsel  University Communication  CIO  Director, IT Policy  Director, IT Security Incident Specific  Data Steward  Unit Head  Local IT support  Security Liaison  ITMC member

42 Scaling Security What is the mission of this office?

43 Scaling Security Two broad components  Security operations  Security architecture development We need to recognize these demands are often at odds We must focus on operational efficiencies  Quicker identification  Immediate response  Selective analysis If the computer does not contain sensitive data I don’t care to do analysis

44 “Reasonable Belief” “… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.” What does this mean?

45 Performing the Analysis Data sources  System data  Network data What questions need to be answered for each data source?  System data  Network data

46 “Reasonable Belief” (the evidence spectrum, from weakest to strongest case for a need to notify)  Confirmed Data Were Not Acquired  Reasonable Belief Data Were Not Acquired  No Data Available for Analysis  Reasonable Belief Access to Data Occurred  Access to Data Confirmed
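The three slides above (selective analysis on slide 43, the system/network data sources on slide 45, and the evidence spectrum on slide 46) describe a triage decision but leave the mechanics to the reader. The following is an added example, not code from the presentation or from Cornell, that turns that decision into a repeatable procedure: it parses constructed file-audit and flow records for one compromised host and places the incident on the spectrum. The log line formats, hostnames, file paths, thresholds and the sample records are all assumptions made for illustration.

```python
import re
from datetime import datetime
from enum import Enum


class Finding(Enum):
    """The 'reasonable belief' spectrum, weakest to strongest case for notification."""
    CONFIRMED_NOT_ACQUIRED = 0
    BELIEF_NOT_ACQUIRED = 1
    NO_DATA_AVAILABLE = 2
    BELIEF_ACCESS_OCCURRED = 3
    ACCESS_CONFIRMED = 4


# Assumed record formats (not from the slides): one event per line.
AUDIT_RE = re.compile(r"^(\S+) uid=(\S+) op=(\S+) path=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_audit(lines):
    """Return (time, uid, op, path) tuples from file-audit lines; malformed lines are skipped."""
    out = []
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def parse_flows(lines):
    """Return (time, src, dst, bytes) tuples from flow lines; malformed lines are skipped."""
    out = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return out


def triage(sensitive_paths, sensitive_bytes, compromise_time, host_ip,
           audit_lines=None, flow_lines=None, authorized_uids=frozenset(),
           internal_prefixes=("10.", "192.168.")):
    """Classify one compromised host. Returns (Finding, list of reasons).

    audit_lines / flow_lines are None when that source does not exist at all
    (no audit daemon, no flow capture); that is different from an empty log.
    """
    reasons = []
    # Slide 43: no sensitive data on the box, no analysis needed.
    if not sensitive_paths:
        reasons.append("host holds no sensitive data; no further analysis")
        return Finding.CONFIRMED_NOT_ACQUIRED, reasons
    if audit_lines is None and flow_lines is None:
        reasons.append("neither system nor network data exists for this host")
        return Finding.NO_DATA_AVAILABLE, reasons

    # System data: did an unexpected principal touch a sensitive file after compromise?
    touched = []
    if audit_lines is not None:
        for t, uid, op, path in parse_audit(audit_lines):
            if t >= compromise_time and path in sensitive_paths and uid not in authorized_uids:
                touched.append((t, uid, op, path))
    if touched:
        reasons.append(f"{len(touched)} post-compromise access(es) to sensitive files by unauthorized uid")
        return Finding.ACCESS_CONFIRMED, reasons

    # Network data: did enough leave the host to account for the sensitive data?
    exfil = 0
    if flow_lines is not None:
        for t, src, dst, nbytes in parse_flows(flow_lines):
            if t >= compromise_time and src == host_ip and not dst.startswith(internal_prefixes):
                exfil += nbytes
    if exfil >= sensitive_bytes:
        reasons.append(f"{exfil} bytes to external hosts after compromise, enough to carry "
                       f"{sensitive_bytes} bytes of sensitive data")
        return Finding.BELIEF_ACCESS_OCCURRED, reasons

    if audit_lines is not None and flow_lines is not None:
        reasons.append("system and network records both show no sensitive access and no sizeable outbound transfer")
        return Finding.CONFIRMED_NOT_ACQUIRED, reasons
    reasons.append("only one evidence source exists and it shows nothing; acquisition cannot be ruled out")
    return Finding.BELIEF_NOT_ACQUIRED, reasons


# Constructed sample: compromise at 02:00, one sensitive file of ~40 MB, host 10.1.2.3.
COMPROMISE = datetime(2006, 3, 1, 2, 0, 0)
SENSITIVE = {"/srv/admissions/applicants.csv"}
SAMPLE_AUDIT = [
    "2006-02-28T23:10:00 uid=admissions op=read path=/srv/admissions/applicants.csv",
    "2006-03-01T02:14:05 uid=www-data op=read path=/srv/admissions/applicants.csv",
    "2006-03-01T02:15:00 uid=www-data op=read path=/etc/passwd",
]
SAMPLE_FLOWS = [
    "2006-03-01T02:20:11 src=10.1.2.3 dst=203.0.113.9 bytes=48123000",
    "2006-03-01T02:21:00 src=10.1.2.3 dst=10.1.2.50 bytes=1200",
]

if __name__ == "__main__":
    finding, why = triage(SENSITIVE, 40_000_000, COMPROMISE, "10.1.2.3",
                          SAMPLE_AUDIT, SAMPLE_FLOWS, authorized_uids={"admissions"})
    print(finding.name, why)
```

The distinction between a missing source (`None`) and an empty one is the point of the example: an absent audit log cannot "confirm" anything, so the outcome can only climb to a reasonable belief either way, while two complete sources that both show nothing are what justify the "confirmed not acquired" end of the spectrum. The reasons list is what goes in front of the decision team, since the finding alone does not show which evidence drove it.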

47 Performing the Analysis


50 Conclusions Build a mechanism to address the tough question Be prepared to make judgment calls Someone’s going to have to get their hands dirty

51 Thank you! Questions?

