TRANSCRIPT
Data Incident Notification Policies and Procedures
Mary Ann Blair
Tracy Mitrano
Steven Schuster
April 10, 2006
Copyright Mary Ann Blair, Tracy Mitrano, Steven Schuster 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the author.
Background/Headlines
“A programming error in the University of Southern California's online system for accepting applications …left the personal information of as many as 280,000 users publicly accessible” “The University of San Diego has notified almost 7,800 individuals… that hackers gained illicit access to computers containing their personal income tax data. The compromised data included names, Social Security numbers and addresses” …
Background/Headlines
“The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts.”
“It's one of the worst security breach notice letters I’ve ever seen,” …
Background/Headlines
For other examples, see: http://www.privacyrights.org/ar/ChronDataBreaches.htm
You are not immune. Your campus will have to deal with incidents, and depending on the severity, may be required to notify affected users
Welcome and Introductions
Name
Institution
Your role
Have you had a data incident requiring notification?
What do you hope to gain from this session?
Scenario
What do you do???
Data Incident Notification
Mary Ann Blair
Director of Information Security
Carnegie Mellon University
The Need to Notify
July 2003 - California SB 1386
December 22, 2005 – Pennsylvania SB 712
In the future (?):
S. 1408: Identity Theft Protection Act (109th Congress)
H.R. 4172: Data Accountability and Trust Act
S. 1332: Personal Data Privacy and Security Act
Data Breaches
104 publicized data breaches in 2005
50 breaches in colleges/universities
50 million people affected (2 million from colleges/universities)
Sources: ID Analytics , Privacy Rights Clearinghouse
Identity Theft
~10 Million victims last three years
Out of pocket cost to victims $500 – $1,500
Time spent by victims 30 – several hundred hours
In 2002, cost to business $50 - $279 billion, based on average victim loss of $4,800 – $92,000
Cost is significantly lower if discovered quickly
Sources: Javelin Research, Federal Trade Commission, Identity Theft Resource Center
Notification of Data Breach
The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress)
Reporting the Breach to the Federal Trade Commission
Notification of Consumers
Consumer Notification
. . . Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.
Reasonable Risk of ID Theft
In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.
Methods of Notification
Written notice
Electronic notice
Substitute notice, when:
Cost of notice exceeds $250,000
The individuals to be notified exceed 500,000
You do not have sufficient contact information
Substitute Notice
Notice by electronic mail when you have an email address for affected individuals
Conspicuous posting of such notice on your Internet website
Notification to major State-wide media
Content of the Notice
Name of the individual whose information was the subject of the breach of security
The name of the “covered entity” that was the subject of the breach of security
A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
The specific dates between the breach of security of the sensitive personal information of the individual and discovery
The toll-free numbers necessary to contact:
Each entity that was the subject of the breach of security
Each nationwide credit reporting agency
The Federal Trade Commission
Timing of the Notice
Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
There is a provision for law enforcement and homeland security related delays
Implications
Application of state laws
Conflicting requirements
Potential for Federal preemption
Congressional record may prove important
Absence of case law
Unfunded mandate
Data Incident Notification Toolkit*
Provide a tool that pulls from our collective experience.
A real-time aid for creating the various communications that form data breach notification.
An essential part of an incident response plan.
* Hosted by EDUCAUSE
Notification Templates
Outlines and content for:
Press Releases
Notification Letters
Incident Specific Website
Incident Response FAQs
Generic Identity Theft Web Site
Sample language from actual incidents
Food for thought – one size does not fit all
Before an Incident
Generic Identity Theft Site
Public Service Announcement
Can be referenced in the event of an incident
Components:
What is Identity Theft
How to avoid it
What to do if:
• Your data may have been compromised
• You become an actual victim of identity theft
FAQs
After an Incident
Press Releases
Notification Letters
Incident Specific Website (1 per incident)
Incident Response FAQs
Hotline (FAQs serve as a script for call-takers)
Press Release Components
Who is affected/not affected?
What specific types of personal information are involved?
What are the (brief) details of the incident?
“No evidence to indicate data has been misused…” or what the evidence points to.
Expression of regret and concrete steps the institution is taking to prevent this from happening again.
For more information, …
Notification Letter Components
Press Release +
What steps should individuals take?
Next steps.
Contact information.
Signature.
Incident Web Site Components
Most-Recent-Update section at top of page
<Replicate Notification Letter Components, modified for a more generic audience>
Link to Identity Theft website/credit agencies
FAQs
Toll-free Hotline contact information
Post Incident Handling
Monitoring of victim inquiries – ensure consistent handling
Handling returned letters
Modify incident response plans as needed
Modify policies and procedures as needed
Data Security Training and Awareness
http://www.cit.cornell.edu/oit/policy/framework-chart.html
Information Security of Institutional Data
Policy Statement: Every user of institutional data must manage it responsibly
Appendix A Roles and Responsibilities
Appendix B Minimum Data Security Standards
Data Classification
Cost/Benefit Analysis
Costs (financial and administrative):
Administrative burden
Financial cost of new technologies
New business practices
Benefits (mitigating risk):
Legal check list
Policy decisions (prioritizing institutional data)
Ethical considerations?
Legal Check List

Type of Data              Privacy Statement   Annual Notice   Notification Upon Breach   Legislative Private Right of Action*   Government Enforcement   Statutory Damages
Personally Identifiable   o                   o               x                          O                                      x                        x
Education Record          x                   X               o                          o                                      x                        o
Medical Record            x                   o               o                          x                                      x                        x
Banking Record            x                   x               o                          o                                      x                        x
Incident Tools and Analysis
Steven Schuster
Director of IT Security
Cornell University
Scenario 2
The plot thickens!!!
Questions That Need to Be Answered
How are university decisions made?
Who within your organization determines notification is necessary?
How does a security organization scale to meet the number of incidents we see?
How do we define “reasonable belief”?
How much incident analysis is necessary?
How are university decisions made?
Answering this question is probably the most important but may seem impossible
Strategy: Ensure everyone who has some skin in this decision is included
Who should be included?
Cornell’s Decision Making
Data Incident Response Team (DIRT)
DIRT meets for every incident involving critical data
DIRT objectives:
Thoroughly understand each incident
Guide immediate required response
Determine requirement to notify
DIRT Members
Core Team:
University Audit
Risk Management
University Police
University Counsel
University Communication
CIO
Director, IT Policy
Director, IT Security
Incident Specific:
Data Steward
Unit Head
Local IT support
Security Liaison
ITMC member
Scaling Security
What is the mission of this office?
Scaling Security
Two broad components:
Security operations
Security architecture development
We need to recognize these demands are often at odds
We must focus on operational efficiencies:
Quicker identification
Immediate response
Selective analysis
• If the computer does not contain sensitive data I don’t care to do analysis
“Reasonable Belief”
“… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.”
What does this mean?
Performing the Analysis
Data sources System data Network data
What questions need to be answered for each data source? System data Network data
“Reasonable Belief”
Need to Notify (increasing from top to bottom):
Confirmed Data Were Not Acquired
Reasonable Belief Data Were Not Acquired
No Data Available for Analysis
Reasonable Belief Data Were Acquired
Access to Data Confirmed
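The scale above, together with the two data sources named under "Performing the Analysis", can be turned into a repeatable triage step. The following is an added illustration, not a tool from the presenters or from Cornell: it assumes a compromise window, one question per data source (system data: was a sensitive file read inside the window? network data: did a bulk transfer leave the host inside the window?), an assumed 10 MB transfer threshold, and an assumed mapping of the middle of the scale to a DIRT judgment call.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum

LARGE_XFER_BYTES = 10_000_000  # assumed threshold for a "bulk" outbound transfer

class Belief(IntEnum):
    """The slide's need-to-notify scale, weakest case for notification first."""
    CONFIRMED_NOT_ACQUIRED = 0
    REASONABLE_BELIEF_NOT_ACQUIRED = 1
    NO_DATA_FOR_ANALYSIS = 2
    REASONABLE_BELIEF_ACQUIRED = 3
    ACCESS_CONFIRMED = 4

@dataclass
class Evidence:
    compromised_at: datetime   # start of the window the attacker had access
    contained_at: datetime     # when the host was isolated
    sensitive_paths: set[str]  # files the data steward says hold SSNs etc.
    # System data: (timestamp, path) file-access records; None = logs unavailable.
    file_access: list[tuple[datetime, str]] | None = None
    # Network data: (timestamp, bytes out) flows to external hosts; None = no capture.
    outbound: list[tuple[datetime, int]] | None = None

def classify(ev: Evidence) -> Belief:
    """Place one incident on the scale using both data sources (assumed rules)."""
    if ev.file_access is None and ev.outbound is None:
        return Belief.NO_DATA_FOR_ANALYSIS
    in_window = lambda t: ev.compromised_at <= t <= ev.contained_at
    # System data answers: was a sensitive file read while the attacker had access?
    touched = ev.file_access is not None and any(
        in_window(t) and p in ev.sensitive_paths for t, p in ev.file_access)
    # Network data answers: did a bulk transfer leave the host in that window?
    exfil = ev.outbound is not None and sum(
        b for t, b in ev.outbound if in_window(t)) >= LARGE_XFER_BYTES
    if touched:
        return Belief.ACCESS_CONFIRMED
    if exfil:
        return Belief.REASONABLE_BELIEF_ACQUIRED
    if ev.file_access is not None and ev.outbound is not None:
        return Belief.CONFIRMED_NOT_ACQUIRED
    return Belief.REASONABLE_BELIEF_NOT_ACQUIRED  # one source, and it is clean

def recommendation(b: Belief) -> str:
    # Assumed mapping; the middle of the scale is the DIRT's judgment call.
    if b >= Belief.REASONABLE_BELIEF_ACQUIRED:
        return "notify"
    return "no notification" if b <= Belief.REASONABLE_BELIEF_NOT_ACQUIRED else "judgment call"
```

Missing logs never lower the outcome to "confirmed not acquired": a single clean source only supports reasonable belief, which is the point of keeping "No Data Available for Analysis" as its own rung.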
Conclusions
Build a mechanism to address the tough question
Be prepared to make judgment calls
Someone’s going to have to get their hands dirty
Thank you!
Questions?