Data Incident Notification Policies and Procedures
Tracy Mitrano, Steven Schuster
ICPL 2006
Background/Headlines
For other examples, see: http://www.privacyrights.org/ar/ChronDataBreaches.htm
You are not immune. Your campus will have to deal with incidents, and depending on the severity, may be required to notify affected users.
The Need to Notify
July 2003 - California SB 1386
December 18, 2005 - New York A04254A
December 22, 2005 – Pennsylvania SB 712
In the future (?)
S. 1408: Identity Theft Protection Act (109th Congress)
H.R. 4172: Data Accountability and Trust Act
S. 1332: Personal Data Privacy and Security Act
Data Breaches
104 publicized data breaches in 2005
50 breaches in colleges/universities
50 million people affected (2 million from colleges/universities)
Sources: ID Analytics, Privacy Rights Clearinghouse
Identity Theft
~10 million victims in the last three years
Out of pocket cost to victims: $500 – $1,500
Time spent by victims: 30 – several hundred hours
In 2002, cost to business: $50 - $279 billion, based on average victim loss of $4,800 – $92,000
Cost is significantly lower if discovered quickly
Sources: Javelin Research, Federal Trade Commission, Identity Theft Resource Center
Incident Decision Making, Tools and Analysis
Questions That Need to Be Answered
How are university decisions made?
Who within your organization determines notification is necessary?
How does a security organization scale to meet the number of incidents we see?
How do we define “reasonable belief”?
How much incident analysis is necessary?
How are university decisions made?
Answering this question is probably the most important but may seem impossible
Strategy: Ensure everyone who has some skin in this decision is included
Who should be included?
Cornell’s Decision Making
Data Incident Response Team (DIRT)
DIRT meets for every incident involving critical data
DIRT objectives:
Thoroughly understand each incident
Guide immediate required response
Determine requirement to notify
DIRT Members
Core Team: University Audit; Risk Management; University Police; University Counsel; University Communication; CIO; Director, IT Policy; Director, IT Security
Incident Specific: Data Steward; Unit Head; Local IT support; Security Liaison; ITMC member
Scaling Security
What is the mission of this office?
Two broad components: Security operations; Security architecture development
We need to recognize these demands are often at odds
We must focus on operational efficiencies: Quicker identification; Immediate response; Selective analysis
If the computer does not contain sensitive data, I don’t care to do analysis
“Reasonable Belief”
“… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.”
What does this mean?
Performing the Analysis
Data sources: System data; Network data
What questions need to be answered for each data source? System data; Network data
Reasonable Belief
Figure: the five positions on the “Need to Notify” axis, from least to greatest need to notify:
Confirmed Data Were Not Acquired
Reasonable Belief Data Were Not Acquired
No Data Available for Analysis
Reasonable Belief Data Were Acquired
Access to Data Confirmed
Reasonable Belief
Reasonable belief data were acquired:
System compromise occurred a significant time ago
File MAC times after compromise and not tied down to support application
Significant remote access and download
More sophisticated hacker tools
Etc.
Reasonable belief data were NOT acquired:
Compromise identified quickly
File MAC times consistently before compromise
Limited or no network download
More benign hacker tools
Benign system use characteristics
Etc.
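As an added example (not part of the slides or Cornell's DIRT process), the Python below sorts the indicators listed above into the two columns and places an incident on the five-position “Need to Notify” spectrum; the Evidence fields (None meaning that data source was not available), the thresholds and the rule that a tie leans toward notifying are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# The five positions on the slides' "need to notify" spectrum, left to right.
CONFIRMED_NOT_ACQUIRED = "Confirmed Data Were Not Acquired"
BELIEF_NOT_ACQUIRED = "Reasonable Belief Data Were Not Acquired"
NO_DATA = "No Data Available for Analysis"
BELIEF_ACQUIRED = "Reasonable Belief Data Were Acquired"
ACCESS_CONFIRMED = "Access to Data Confirmed"

# Thresholds are assumptions for illustration; a DIRT would set its own.
QUICK_DETECTION, DOWNLOAD_THRESHOLD_BYTES = timedelta(days=7), 50 << 20

@dataclass
class Evidence:
    discovery_time: datetime
    compromise_time: Optional[datetime]   # when the intrusion began, if it could be established
    sensitive_mac_times: List[datetime]   # MAC times of the files holding critical data
    mac_explained_by_app: bool            # a scheduled job is known to touch those files anyway
    egress_bytes: Optional[int]           # bytes sent off-host after compromise (from netflow)
    sophisticated_tools: Optional[bool]   # custom backdoor/exfil tooling vs. a mass-market bot
    access_confirmed: bool = False        # logs or capture show the data were read/transferred
    no_access_confirmed: bool = False     # data shown never to have been readable on the host

def indicators(ev: Evidence):
    """Sort the slide's indicators into (for_acquired, for_not_acquired) lists."""
    acquired, not_acquired = [], []
    if ev.compromise_time is not None:
        dwell = ev.discovery_time - ev.compromise_time
        (acquired if dwell > QUICK_DETECTION else not_acquired).append("dwell time")
        touched = [t for t in ev.sensitive_mac_times if t > ev.compromise_time]
        if touched and not ev.mac_explained_by_app:
            acquired.append("MAC times after compromise")
        elif ev.sensitive_mac_times:
            not_acquired.append("MAC times before compromise or explained by application")
    if ev.egress_bytes is not None:
        (acquired if ev.egress_bytes > DOWNLOAD_THRESHOLD_BYTES else not_acquired).append("network download")
    if ev.sophisticated_tools is not None:
        (acquired if ev.sophisticated_tools else not_acquired).append("tool sophistication")
    return acquired, not_acquired

def classify(ev: Evidence) -> str:
    """Place the incident on the spectrum; a tie goes toward notifying (assumption)."""
    if ev.access_confirmed:
        return ACCESS_CONFIRMED
    if ev.no_access_confirmed:
        return CONFIRMED_NOT_ACQUIRED
    acquired, not_acquired = indicators(ev)
    if not acquired and not not_acquired:
        return NO_DATA
    return BELIEF_ACQUIRED if len(acquired) >= len(not_acquired) else BELIEF_NOT_ACQUIRED

# Constructed incident: six-week dwell, a data file touched after intrusion, ~400 MB out, custom tools.
SAMPLE = Evidence(datetime(2006, 4, 12), datetime(2006, 3, 1), [datetime(2006, 3, 20)], False, 400 << 20, True)
```

`classify(SAMPLE)` lands on “Reasonable Belief Data Were Acquired” with all four indicators in the acquired column; the DIRT still makes the final call.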
The Bottom Line
Build a mechanism to address the tough question
Be prepared to make judgment calls
Someone’s going to have to get their hands dirty
Legal and Policy Framework
Figure: Internet & IT Policy at the centre, surrounded by four forces: Market, Architecture, Norms, Law.
Big “P” and Little “p” Policy
Big “P” policy involves external issues, such as national security, electronic surveillance laws, privacy, or digital copyright.
USA-Patriot Act: http://www.cit.cornell.edu/oit/policy/PatriotAct/
Digital Copyright: http://www.cit.cornell.edu/oit/policy/copyright/
Privacy in the Electronic Realm: http://www.cit.cornell.edu/oit/policy/privacy/
CALEA: Communications Law Enforcement Assistance Act: http://www.cit.cornell.edu/oit/policy/calea/
Little “p” Policy
Little “p” policy is institutional policy.
Preservation and protection of institutional interests and assets
If your policy does not stand up to this test, best to rethink
Cornell Model
Centralized University Policy Office: http://www.policy.cornell.edu/
Famous “policy on policies!”: http://www.policy.cornell.edu/vol4_1.cfm
Balance of statement and procedure
At the institutional level of procedure, but not backline
Cornell Model… Is not the model for every institution!
Policy is part and parcel of the culture, traditions and structure of each institution.
Observed irony: The more decentralized the institution, the more in need of a centralized policy process to routinize compliance and practices around the college or university.
The less decentralized, the more likely that policy occurs naturally within existing structure.
Size does not always determine: Georgetown as counter-example to Cornell University.
Two Generalizations about Policy and Process: (1) Critical to have a policy process…
Legal compliance primarily
Deference to the complex nature of higher education secondarily
Especially as higher education becomes more international in scope and information technologies are increasingly intermingled with the law, the market and changing norms within the society
…no matter what the particular culture or structure of your institution.
Two Generalizations about Process: (2)
It almost always does, or should, boil down to three essential steps:
Responsible office brings forward concept to a high level committee (Audit, Counsel, VPs, Dean of Faculty or even President and Provost)
Mid-level review for implementation: the greater the representation of the campus community the better
Back to the high level for signoff and promulgation.
http://www.cit.cornell.edu/oit/policy/framework-chart.html
Information Security of Institutional Data
Policy Statement: Every user of institutional data must manage responsibly
Appendix A: Roles and Responsibilities
Appendix B: Minimum Data Security Standards
Data Classification Cost/Benefit Analysis
Costs (financial and administrative): Administrative burden; Financial cost of new technologies; New business practices
Benefits (mitigating risk): Legal check list; Policy decisions (prioritizing institutional data); Ethical considerations?
Legal Check List

| Type of Data | Privacy Statement | Annual Notice | Notification Upon Breach | Legislative Private Right of Action* | Government Enforcement | Statutory Damages |
|---|---|---|---|---|---|---|
| Personally Identifiable | o | o | x | O | x | x |
| Education Record | x | X | o | o | x | o |
| Medical Record | x | o | o | x | x | x |
| Banking Record | x | x | o | o | x | x |
When Notifications are Required
Content of the Notice
Name of the individual whose information was the subject of the breach of security
The name of the “covered entity” that was the subject of the breach of security
A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
The specific dates between the breach of security of the sensitive personal information of the individual and discovery
The toll-free numbers necessary to contact: Each entity that was the subject of the breach of security; Each nationwide credit reporting agency; The Federal Trade Commission
Timing of the Notice
Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
There is a provision for law enforcement and homeland security related delays
Data Incident Notification Toolkit*
Provide a tool that pulls from our collective experience.
A real-time aid for creating the various communications that form data breach notification.
An essential part of an incident response plan.
http://www.educause.edu/DataIncidentNotificationToolkit/9320
* Hosted by EDUCAUSE
Notification Templates
Outlines and content for: Press Releases; Notification Letters; Incident Specific Website; Incident Response FAQs; Generic Identity Theft Web Site
Sample language from actual incidents
Food for thought – one size does not fit all