Addressing Unauthorized Release of Personal Information at UC Davis

August 12, 2003

Upload: allen-hodges

Post on 13-Jan-2016

California Civil Code, Section 1798

State’s response to an estimated 160,000 cases of identity theft in 2002

Requires organizations, including institutions of higher learning, to notify state residents when unauthorized individuals have obtained personal information via a computer security breach

Effective as of July 1, 2003

UC Guidelines

Electronic Information Security (BFB IS-3)

Defines personal information as first name or first initial and last name in combination with one or more of the following:

Social Security Number

Driver’s license or California ID number

Account or credit card number and security code, access code or password

UC Guidelines (cont.)

Defines security breach as when a California resident’s unencrypted personal information is believed to have been acquired by an unauthorized person.

Calls for system-wide notification procedures and the development of local guidelines.

UC Davis Implementation

Chancellor Vanderhoef

Appointed UC Davis Information Technology Security Coordinator, Bob Ono, as lead in coordinating the campus’ compliance efforts

Via May 28, 2003 memo, notified Vice Chancellors, Vice Provosts and Deans of the need to take a proactive approach by identifying ways in which security risks can be minimized

UC Davis Implementation (cont.)

IT Security Coordinator, Bob Ono

Developed draft implementation plan that identifies key roles, responsibilities and procedures for:

Minimizing risks of security breach

Reporting incidents

Notifying individuals whose personal information may have been obtained by a non-authorized person

Roles and Responsibilities

CODVC Members

Oversee preventative measures to secure data

Communicate with appropriate staff about Section 1798, identity theft, and the campus implementation plan

Roles and Responsibilities (cont.)

Campus Units

Inform users of their responsibilities to secure personal information

Assess risks and implement security safeguards for systems housing personal information

Develop and maintain control records and establish monitoring procedures

Report suspected incidents

Roles and Responsibilities (cont.)

Campus Misuse Committee

Investigate reported incidents

Assess need for and authorize notifications

Authorize case closure

Roles and Responsibilities (cont.)

IT Security Coordinator, Bob Ono

Communicate components of implementation plan to responsible parties

Ensure response process is followed

Ensure system-wide and campus notification procedures are followed

Coordinate incident reporting with department personnel, Campus Misuse Committee, and UCOP

Resources

Identity Theft Prevention Web Site

http://security.ucdavis.edu/identity_theft.cfm

Information Practices Act of 1977 – California Civil Code Section 1798

http://www.privacy.ca.gov/code/ipa.htm

Information Security Policy, Business and Finance Bulletin IS-3

http://www.ucop.edu/ucophome/policies/bfb/is3.pdf

Misuse of University Resources, UC Davis Policy and Procedures Manual, Section 330-95

http://manuals.ucdavis.edu/ppm/330/330-95.htm