Preparing for Data Protection Laws: How to Earn an A+ from Your Attorney General
Merri Beth Lavagnino, MLS, CIPP
Chief Information Technology Policy Officer
Indiana University
12 April 2007
Copyright 2007, The Trustees of Indiana University. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Overview
• Data Protection Laws
• How Indiana University Prepared for Compliance
• Walk Through an Incident Using the Kit
• Issues and Next Steps
• Questions
DATA PROTECTION LAWS
Personal Data Protection Laws
• Thirty-some states currently have personal data protection laws
• Federal legislation is repeatedly proposed:
  “Personal Data Privacy and Security Act” (S. 495), Leahy and Specter
  “Notification of Risk to Personal Data Act” (S. 239), Feinstein
Data Protection Laws for Specific Types of Data
• Student education records (FERPA)
• Personal health information (HIPAA)
• Nonpublic customer information of “financial institutions”, which includes student loans (GLBA)
• Credit card transaction data (PCI DSS, a contractual requirement rather than a law)
Why?
• Protect privacy of individuals
• Prevent misuse by government and business
• Perception that data disclosures are leading to increased identity theft
How Should We Approach This Plethora of Regulation?
• Find commonalities and thresholds
• Determine what your institution’s position will be
• Highlight differences between standard practice and what is required by law
Indiana’s Release of Social Security Number Law
Indiana Code (IC) 4-1-10
• Effective July 1, 2006, it is a crime for an Indiana state agency to disclose an individual’s Social Security Number to a party outside of the agency, unless the disclosure is authorized under Indiana state law
Who is covered?
• For the purposes of this law, a “state agency” includes the following:
A state elected official’s office
A state educational institution
A body corporate and politic of the state created by state statute
The Indiana lobby registration commission
What is Covered?
• Unauthorized disclosure to an outside party of any individual’s SSN (doesn’t have to be a “customer”), in any format:
Electronic
Paper
Oral
What Disclosures are OK?
• With the individual’s express written consent
• Only the last four (4) digits of the SSN
• For administering health benefits of an employee or the employee’s dependent(s)
• And a number of specific legal situations:
Disclosures to a local, state, or federal agency for the purpose of furthering an investigation
Disclosures that are expressly required (not just permitted) by state or federal law or a court order
Disclosures made in the context of certain counterterrorism investigations
Disclosures to commercial entities for use in certain activities authorized under 3 federal laws
Who Enforces?
• Enforced by the State Attorney General who can bring action against Agency
• Possibility of civil suit filed by affected individual(s) “Private right of action”
• Enforcing body will issue “Rules”
What Happens if you Don’t Comply?
• Knowing, intentional, or reckless violations are felonies:
  Up to 3 years’ jail time
  Up to $10,000 in fines
• Negligent violations are “infractions”, treated as misdemeanors:
  Up to 1 year jail time
  Up to $5,000 in fines
• Possibility of civil suit filed by affected individual(s)
Issue: What Constitutes “Negligence”?
It is not clear whether “negligent” disclosure under the law covers only the affirmative transfer of an SSN, or whether it also covers inadvertent exposure of SSNs to unauthorized access due to inadequate security measures.
Indiana’s Personal Information Secure Disposal Law
Indiana Code (IC) 24-4-14
• Effective July 1, 2006, it is a crime for a person to dispose of certain personal information of a “customer” in a non-secure manner
Who is Covered?
• For the purposes of this law, a "person" means:
an individual
a partnership
a corporation
a limited liability company
or another organization
What Actions are Covered?
• Discarding or abandoning the “personal information” of a “customer” in an area accessible to the public
• Includes placing the personal information in a container for trash collection
• Although not explicit, includes disposal of computer drives and disks
What Data is Covered?
• Social Security Numbers, OR
• First initial or name PLUS last name, AND any of:
  Credit card number
  Financial account number or debit card number in combination with a security code, password, or access code that permits account access
  Driver’s license number
  State identification number
What Discarding is OK?
• The law only applies to personal information that is neither “encrypted” nor “redacted”
• Check the definitions: this law defines “redacted” in terms of the last 5 digits of the SSN, not the last 4 used elsewhere
What are Secure Methods of Disposal?
• Shredding
• Incinerating
• Mutilating
• Erasing (for drives and disks this means overwriting or degaussing; deleting files or reformatting leaves the data recoverable)
• Methods that otherwise render the information illegible or unusable
Relationship to Other Data Security Laws
• The state disposal law EXEMPTS persons already maintaining and complying with a disposal program under:
  HIPAA
Financial Modernization Act (Gramm-Leach-Bliley)
Fair Credit Reporting Act
Driver’s Privacy Protection Act
USA Patriot Act/Executive Order 13224
Indiana’s Notice of Security Breach Law
Indiana Code (IC) 4-1-11
• Effective July 1, 2006, a State Agency must notify individuals whose “unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person” as a result of a system security breach
What Data is Covered?
• First initial or name PLUS last name AND at least one of the following:
  SSN (more than the last 4 digits)
  Driver’s license number
  State identification card number
  Credit card number
  Debit card number
  Financial account number
  Security code, access code, or password of a financial account
What Data is Not Covered?
• Non-computerized/non-electronic data
• Theft of portable electronic devices with personal information stored on them, if access is protected by a password that has not been disclosed (note that a login password alone does not stop a drive from being read in another machine; only encryption of the stored data does)
• “Encrypted” data
Of course, IU can still give notice as a policy matter when we have these types of disclosures…
What is Required?
• Notification of individuals affected• “Without unreasonable delay” • Consistent with:
legitimate needs of law enforcement
measures needed to determine scope of breach and restore system integrity
How May Notice Be Given?
• In writing
• By email
• By conspicuous posting on the IU website and notice to major statewide media, if:
  Cost of notice to individuals is $250K or more,
  More than 500,000 people must be notified, or
  We have insufficient contact information for personal notice
Who Else Must Be Notified?
• The Indiana Attorney General (within 2 business days)
• If more than 1,000 individuals’ information is involved, must notify all consumer reporting agencies: Equifax, TransUnion, Experian
  Heads up to them that individuals may be requesting credit reports to monitor for attempted identity theft
Payment Card Industry Data Security Standards (PCI DSS)
• Merchant bank agreements impose payment card data security standards
• Requires immediate notice (within 24 hours) to payment card company in case of security breach
• Noncompliance may lead to fines, revocation of right to accept cards for payment
You CAN Address All Laws and Regulations In One Strategy…
• In general laws and regulations are focusing on requiring ADMINISTRATIVE, PHYSICAL and TECHNICAL measures to maintain the security of sensitive data
• University policy will most likely require MORE than the laws or regulations do
HOW INDIANA UNIVERSITY PLANNED FOR COMPLIANCE
Indiana University
• Indiana University has eight campuses: the original campus in Bloomington; an urban campus in Indianapolis, which also includes the IU Medical Center; and six regional campuses in the cities of Gary, South Bend, Fort Wayne, Kokomo, Richmond, and New Albany
• Total students: ~98,000
• Total faculty and staff: ~22,000
Decentralized Environment
• “Data Stewards” are responsible for policy and practice concerning their data, including granting access to their systems and training about appropriate use of their data
• Campuses, colleges, departments, units responsible for local technology and security of that technology
• Individuals responsible for appropriate and secure use of the data
Strategy
• IT Security & Policy Office partnered with University Counsel and Internal Audit to devise a plan:
  Studied the new laws
Identified issues and questions about interpretation
Counsel conferred with Counsels of other large universities in the state
Several meetings with Attorney General’s Office
Discussed with Data Stewards
Decided how we would interpret the laws for our institution
Decided to leverage criminal penalties and retirement of SSN as employee and student identifier
Strategy Continued…
  Composed a letter jointly signed by Counsel and the IT Policy Officer, sent by the President to all faculty and staff
Counsel and IT Policy Officer gave dozens of individual presentations on new laws and what to do, to every group possible, from Chancellors all the way down to departmental staff
Created web page to compile information and resources in one place - itpo.iu.edu/policies/bestpractices/dataprotection.html
Prepared to provide analysis of specific situations to assist units in determining compliance
Updated “Sensitive Data Exposure Incident Response Kit” to prepare for July 1 requirements
Major Emphases with All Groups
• Identify what data you have, and where
• Get rid of it (in a secure manner)
  “Because I need it” is not an acceptable argument
• If absolutely required to keep, secure it
  On a professionally administered server with a private IP and strict access controls
  Better yet, not online at all
• Fix contracts for all transfers of data
• Report suspected disclosures IMMEDIATELY
• If questions or resource issues, TELL US
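The first emphasis above, finding out what sensitive data you have and where, and the “proactively searching for SSNs” item under Next Steps, both come down to scanning files for Social Security Numbers. The scanner below is an added example, not code from the IU kit or from this presentation. It reports where each number sits without repeating the number itself (a findings report full of SSNs is just another exposure), and it applies the two thresholds the slides quote: the breach-notice law covers an SSN when more than the last four digits are readable, while the disposal law treats a number as “redacted” when no more than the last five remain. The grade-roster sample is constructed; the plausibility filter uses the SSA’s published never-issued ranges (area 000, 666 and 900–999; group 00; serial 0000) to discard obvious non-SSNs.

```python
"""SSN discovery with redaction-threshold classification (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int                # 1-based line number in the scanned text
    display: str             # report form: only the last four digits survive
    exposed_digits: int      # how many of the nine digits are readable
    breach_covered: bool     # IC 4-1-11: more than the last 4 digits exposed
    disposal_redacted: bool  # IC 24-4-14: no more than the last 5 digits exposed


# Area and group may be digits or mask characters (XXX-XX-1234 is a common
# redaction); the serial must be digits, since even a redacted SSN shows it.
_SSN_RE = re.compile(
    r"(?<![\w-])"            # not glued to a longer token (phone numbers, IDs)
    r"([0-9X*#]{3})[- ]?"    # area
    r"([0-9X*#]{2})[- ]?"    # group
    r"([0-9]{4})"            # serial
    r"(?![\w-])"
)


def _plausible(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues; masked parts are accepted as-is."""
    if area.isdigit() and (area in ("000", "666") or area >= "900"):
        return False
    if group.isdigit() and group == "00":
        return False
    return serial != "0000"


def scan_text(text: str) -> list:
    """Return one Finding per plausible SSN, full or partially masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if not _plausible(area, group, serial):
                continue
            exposed = sum(ch.isdigit() for ch in area + group + serial)
            findings.append(Finding(
                line=line_no,
                display=f"***-**-{serial}",
                exposed_digits=exposed,
                breach_covered=exposed > 4,
                disposal_redacted=exposed <= 5,
            ))
    return findings


def scan_file(path: str) -> list:
    """Scan a text-like file; binary noise is dropped rather than crashing the sweep."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())


def summarize(findings) -> dict:
    return {
        "full_ssn": sum(f.exposed_digits == 9 for f in findings),
        "breach_covered": sum(f.breach_covered for f in findings),
        "not_redacted_for_disposal": sum(not f.disposal_redacted for f in findings),
    }


# Constructed sample roster. Lines 2 and 5 are full SSNs (one without separators);
# line 3 is redacted to the last four; line 4 leaves five digits readable;
# line 6 is a ten-digit phone number; line 7 uses area 000, which is never issued.
SAMPLE = """\
Grade roster Fall 2006 (constructed sample data)
Doe, Jane        123-45-6789   A
Roe, Richard     XXX-XX-4321   B
Poe, Edgar       XXX-X5-6789   B-
Smith, John      457654321     C
Lab phone        812-555-0123
Test account     000-12-3456
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
    print(summarize(scan_text(SAMPLE)))
```

Run it against the constructed roster and four findings come back: two full SSNs, one number redacted to four digits that neither law reaches, and one with five digits showing that the disposal law still treats as redacted but the breach law counts as covered. Point `scan_file` at a file share and the summary is the “what do we have, and where” answer the slide asks for.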
Web Page
- Overview
- Actions You Can Take to Secure Sensitive Data
- What to Do if Sensitive Data is Exposed
- Details of Each of the New Indiana Laws
Sensitive Data Exposure Incident Kit
- Checklist
- Sample Notification Letters
- Template for Web Page FAQ
- Sample Press Releases
- Tips on Dealing with Contacts from Press and from Individuals Affected
What Kind of Exposures Have We Had?
• Prior to the new law:
  Faculty member kept an old computer when new ones were distributed; patches were not kept up to date; it had old grade rosters on it (student records, SSNs)
  Outsourced server not properly secured (credit card numbers)
• Since July 2006:
  Secretary mistakenly emailed to the wrong address, with a spreadsheet attached (student records, SSNs)
  Laptop of a faculty member stolen from his locked car in his garage; it had grade rosters on it (student records, SSNs)
  Library posted archive data on the web (SSNs)
  Flash drive lost, with a programmer’s data on it (personal data, SSNs)
  Faculty saved files to a file server which was also a web server (student data, SSNs)
WALK THROUGH AN INCIDENT USING THE KIT
Let’s Pretend You Have A Suspected Sensitive Data Exposure Incident…
• Since you attended one of our presentations and you read the letter sent by the President, you know what to do first, right?
Right!
• You take immediate action to contain the exposure
  Unplug the network cable
  Leave it powered on
  Don’t touch it!
• You take immediate action to report the incident to the IT Security & Policy Office
  You call the published numbers until you get a human, no matter what day or time it is
First Steps…
• We call you and ask a lot of questions
• We email you the Kit and Contact List
• We assign you first tasks from the Checklist in the Kit
• We stress to you that the incident “belongs” to you, but the response is “coordinated” by the ITSPO
• We tell you we expect notifications to go out WITHIN ONE WEEK
• We hang up with you, and assemble an Incident Team (includes you)
• Incident Team meets on conference call
Checklist (columns: Done, Task, Owner)
1) Immediately contain and limit the exposure
   - Unplug network cable (NOT power cable) from compromised system
   - Do not access (do not log on) or alter the compromised system
   - Do not power off the compromised system
   - Write down what you saw and what actions have been taken so far
   Owner: Unit
2) Alert Information Technology Security & Policy Office (ITSPO)
   - Call XXX or XXX or XXX. If you don’t get one of them IN PERSON, then:
   - Call UITS Support Center or NOC (these are 24 x 7 services) and ask them to page ITSPO
   - Also send details to [email protected]
   Owner: Unit
3) Preliminary assessment of type and scope of data exposed
   Owner: Unit
4) Obtain forensic evidence
   - Obtain image of drive(s)
   - Install and run utility such as WOLF
   Owner: ITSPO
5) Consult with University Information Technology Security & Policy Office (ITSPO)
   - Discuss communications strategy [don’t talk to anyone outside of the Incident Team about the incident until authorized; say you are doing computer maintenance if you need to say anything]
   - Receive current Sensitive Data Exposure Incident Kit and Appendix
   - Do not continue with this plan until receiving go-ahead from ITSPO
   Owner: Unit and ITSPO
6) Assemble Incident Response Team
   - Set up conference calls for daily updates by Incident Team members
   Owner: ITSPO
7) Call Counsel
   - Keep contact(s) updated
8) Call University Data Steward(s) for type(s) of university data exposed
   - Registrar for Student Records
   - Bursar for Student Financial Records
   - HR for Employee Records
   - Keep contact(s) updated
9) Call Campus Data Manager(s) for type(s) of university data exposed
   - Registrar for Student Records
   - Bursar for Student Financial Records
   - HR for Employee Records
   - Keep contact(s) updated
10) If Credit Card, Bank Account, or other financial data exposed:
   - Call University Treasurer’s Office
   - Keep contact(s) updated
11) If Protected Health Information exposed:
   - Call HIPAA Compliance Officer
   - Keep contact(s) updated
12) If appropriate, notify Law Enforcement; determine if criminal proceedings are recommended
   - IU Police Department
   - FBI local office
   - Secret Service local office
   Owner: ITSPO
13) Call Communications Office(s)
   - University
   - Campus
   - School/College/Dept
   - VP for IT
   - Identify Communications Point Person(s)
   - Keep contact(s) updated
   Owner: ITSPO
14) Call School/College/Dept Administration
   - Keep contact(s) updated
15) Call IT Administration
   - VP for IT
   - Campus CIO/Dean of IT
   - Keep contact(s) updated
   Owner: ITSPO
16) Call Campus Administration
   - Campus Chancellor
   - Keep contact(s) updated
17) Call University Administration
   - President/Chancellor
   - Keep contact(s) updated
18) Call Internal Audit
   - Keep contact(s) updated
19) Perform forensics
   - Report of findings
   Owner: ITSPO
20) Final assessment of type and scope of data exposed, and the availability and type of contact data for individuals affected
   Owner: Unit
21) Decisions to make:
   - Notify affected individuals?
   - Issue press release?
   Owner: Response Team
22) If Social Security number exposed:
   - Notify Attorney General WITHIN 2 BUSINESS DAYS
   Owner: University Counsel
23) If Credit Card data exposed:
   - Call Credit Card Processor(s) and/or Merchant Bank(s)
   - Call VISA Fraud Control Group at (650) 432-2978
   - Provide all compromised accounts to Visa Fraud Control Group WITHIN 24 HOURS
   - Provide an incident report to Visa WITHIN 4 BUSINESS DAYS
   Owner: Treasurer
24) If number of individuals affected by a “breach of the security system” exceeds 1,000:
   - Notify Credit Bureaus
   Owner: University Counsel
25) Notify affected individuals
   - Identify letter issuer and letterhead to be used (Unit)
   - Compose draft text (Unit)
   - Prepare envelopes (postage, addresses) (Unit)
   - Prepare mail merge (Unit)
   - Prepare for printing of letter (Unit)
   - Prepare for stuffing of envelopes (Unit)
   - Obtain approval for text from: OVPIT, University Counsel, Unit Executive Administration, University and/or Campus Communications Office, Data Steward (ITSPO)
   - Print, stuff envelopes, mail letter (Unit)
26) Create web site for affected individuals
   - Identify URL and location (Unit)
   - Restrict access until ready to go live (Unit)
   - Compose draft design of page and what content to include (Unit)
   - Compose draft FAQ (Unit)
   - Prepare for web site to go live (Unit)
   - Obtain approval for FAQ text and other content from: OVPIT, University Counsel, Unit Executive Administration, University and/or Campus Communications Office, Data Steward (ITSPO)
   - Make site live before letters arrive in mailboxes
27) Prepare telephone support for affected individuals
   - Identify appropriate person(s) to handle calls (Unit)
   - Identify/set up telephone number to use (Unit)
   - Train person handling calls / provide talking points (ITSPO/Communications)
28) Prepare for email support for affected individuals (optional)
   - Identify appropriate person(s) to handle email (Unit)
   - Identify/set up email address to use (Unit)
   - Train person handling email / provide talking points (ITSPO/Communications)
29) Press release and other press planning
   - Identify contact for media (Unit)
   - Compose draft text (Unit)
   - Obtain approval for text from: OVPIT, University Counsel, Unit Executive Administration, University and/or Campus Communications Office, Data Steward (ITSPO)
   - Issue press release (Unit)
30) Inform affected staff whom to send any individual or press contacts to
   - Unit staff (Unit)
   - ITSPO staff (ITSPO)
   - UITS management (ITSPO)
   - Campus Deans? Staff in areas that might be asked, such as Registrar?
31) Collect staff time spent weekly during the event and record it in the incident
   Owner: Unit and ITSPO
32) Schedule a debriefing meeting afterwards to review what could have been done better, and how to avoid it in the future
   Owner: ITSPO
33) Other issues this incident highlighted:
   - Why was that data located there?
   - What more could have been done to avoid the intrusion?
34) Study remediation needs
   - Issue report
   - Letter to Dean or Director
   Owner: Response Team
35) Implement remediation needs
   Owner: Unit
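Item 4 of the checklist says only “obtain image of drive(s)”. What the examiner, and later Counsel, will want to be able to show is that the image is bit-for-bit the drive that was unplugged, and who acquired it when. The script below is an added example, not part of the IU kit. It opens the source read-only, hashes the data as it is written, re-reads and re-hashes both source and image afterwards, locks the image read-only, and writes a custody record beside it; `verify_image` repeats the check before any later analysis session. The examiner name, the device path (on a real case the drive behind a hardware write blocker, e.g. `/dev/sdb`) and the temp-file “drive” that `demo()` constructs are placeholders.

```python
"""Forensic image acquisition with verification and a custody record (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: never loads the whole drive into memory


def _sha256_file(path: str, chunk: int) -> str:
    """Hash a file or device in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source: str, image: str, examiner: str, chunk: int = CHUNK) -> dict:
    """Copy `source` to `image`, hashing while copying, then verify and log.

    The source is only ever opened read-only. The image is created with "x" so a
    mistyped path can never overwrite an existing evidence file.
    """
    streamed = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
            streamed.update(block)
            size += len(block)
    os.chmod(image, 0o400)  # evidence is read-only from here on; analyse copies of it

    # Independent re-reads. A mismatch means a bad read, a failing drive, or a
    # source that changed underneath us (the machine was not really isolated).
    sha_source = _sha256_file(source, chunk)
    sha_image = _sha256_file(image, chunk)

    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,          # placeholder; use the real examiner's identity
        "source": source,
        "image": image,
        "bytes": size,
        "sha256_streamed": streamed.hexdigest(),
        "sha256_source_reread": sha_source,
        "sha256_image": sha_image,
    }
    record["verified"] = record["sha256_streamed"] == sha_source == sha_image
    with open(image + ".log.json", "w", encoding="utf-8") as log:
        json.dump(record, log, indent=2)
    return record


def verify_image(image: str) -> bool:
    """Re-check an image against its custody record before working with it."""
    with open(image + ".log.json", encoding="utf-8") as log:
        record = json.load(log)
    return (os.path.getsize(image) == record["bytes"]
            and _sha256_file(image, CHUNK) == record["sha256_image"])


DEMO_CHUNK = 64 * 1024
DEMO_SIZE = 3 * DEMO_CHUNK + 12345  # deliberately not a multiple of the chunk size


def demo() -> dict:
    """Acquire a constructed 'drive' (random bytes in a temp file) and return the record."""
    work = tempfile.mkdtemp(prefix="acq-")
    drive = os.path.join(work, "suspect-drive.bin")  # stands in for the device node
    with open(drive, "wb") as fh:
        fh.write(os.urandom(DEMO_SIZE))
    return acquire_image(drive, os.path.join(work, "evidence-001.dd"),
                         examiner="itspo-analyst", chunk=DEMO_CHUNK)


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("re-verified:", verify_image(rec["image"]))
```

Three hashes are recorded on purpose: the streamed hash proves what was written, the source re-read catches a drive that is still changing or returning errors, and the image hash is what every later verification is compared against. Keep the `.log.json` with the image; it is the chain-of-custody record the report of findings in item 19 will cite.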
ISSUES AND NEXT STEPS
Why is the Attorney General Happy?
• We’re fast
• One unit coordinates on behalf of the institution
  He sees the same procedures applied every time
  He sees approved wording being recycled
  He gets the same story from all involved
• We focus on the individuals affected, not on the press
Also…
• All incidents (so far) have been mistakes – not due to systematic lack of attention to data protection
• It’s abundantly clear we aren’t hiding anything… ;)
Issues
• Who handles non-IT based exposures?
• Contact info for long-gone persons
• Contracts
• Express written consent
• Overly zealous ITSPO staff
And I’m Wondering…
• When are we going to admit we are over-notifying???
“…was or is reasonably believed to have been acquired by an unauthorized person…”
Next Steps
• Consider data protection as next NCAM theme
• Move toward model of annual online training for all employees, regardless of whether they have access to a data repository or not
• Discuss with AG proactively searching for SSN’s and other sensitive data