Data Incident Notification Policies and Procedures Tracy Mitrano Steven Schuster ICPL 2006

Upload: pierce-mitchell

Posted on 24-Dec-2015


Page 1

Data Incident Notification Policies and Procedures

Tracy Mitrano, Steven Schuster

ICPL 2006

Pages 2-4

Background/Headlines

For other examples, see: http://www.privacyrights.org/ar/ChronDataBreaches.htm

You are not immune. Your campus will have to deal with incidents and, depending on the severity, may be required to notify affected users.

Page 5

The Need to Notify

July 2003 - California SB 1386
December 18, 2005 - New York A04254A
December 22, 2005 - Pennsylvania SB 712
In the future (?):
  S. 1408: Identity Theft Protection Act (109th Congress)
  H.R. 4172: Data Accountability and Trust Act
  S. 1332: Personal Data Privacy and Security Act

Page 6

Data Breaches

104 publicized data breaches in 2005
50 breaches in colleges/universities
50 million people affected (2 million from colleges/universities)

Sources: ID Analytics, Privacy Rights Clearinghouse

Page 7

Identity Theft

~10 million victims in the last three years
Out-of-pocket cost to victims: $500 – $1,500
Time spent by victims: 30 – several hundred hours
In 2002, cost to business $50 – $279 billion, based on average victim loss of $4,800 – $92,000
Cost is significantly lower if discovered quickly

Sources: Javelin Research, Federal Trade Commission, Identity Theft Resource Center

Page 8

Incident Decision Making, Tools and Analysis

Page 9

Questions That Need to Be Answered

How are university decisions made?
Who within your organization determines that notification is necessary?
How does a security organization scale to meet the number of incidents we see?
How do we define “reasonable belief”?
How much incident analysis is necessary?

Page 10

How are university decisions made?

Answering this question is probably the most important but may seem impossible.

Strategy: ensure everyone who has some skin in this decision is included.

Who should be included?

Page 11

Cornell’s Decision Making

Data Incident Response Team (DIRT)
DIRT meets for every incident involving critical data
DIRT objectives:
  Thoroughly understand each incident
  Guide immediate required response
  Determine requirement to notify

Page 12

DIRT Members

Core Team: University Audit, Risk Management, University Police, University Counsel, University Communication, CIO, Director of IT Policy, Director of IT Security

Incident Specific: Data Steward, Unit Head, Local IT support, Security Liaison, ITMC member

Page 13

Scaling Security

What is the mission of this office?

Page 14

Scaling Security

Two broad components:
  Security operations
  Security architecture development

We need to recognize these demands are often at odds.

We must focus on operational efficiencies:
  Quicker identification
  Immediate response
  Selective analysis

If the computer does not contain sensitive data I don’t care to do analysis

Page 15

“Reasonable Belief”

“… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.”

What does this mean?

Page 16

Performing the Analysis

Data sources:
  System data
  Network data

What questions need to be answered for each data source?
  System data
  Network data

Page 17

Reasonable Belief

Figure: the “Need to Notify” scale, in order of increasing need to notify:
  Confirmed Data Were Not Acquired
  Reasonable Belief Data Were Not Acquired
  No Data Available for Analysis
  Reasonable Belief Data Were Acquired
  Access to Data Confirmed

Page 18

(Repeats the “Need to Notify” figure from page 17.)

Page 19

Reasonable Belief

Reasonable belief data were acquired:
  System compromise occurred a significant time ago
  File MAC times after compromise and not tied down to the supporting application
  Significant remote access and download
  More sophisticated hacker tools
  Etc.

Reasonable belief data were NOT acquired:
  Compromise identified quickly
  File MAC times consistently before compromise
  Limited or no network download
  More benign hacker tools
  Benign system use characteristics
  Etc.
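The indicator pairs on this slide, the system/network data sources from page 16 and the five-step scale from page 17 can be combined into one scoring routine, so the "reasonable belief" call is recorded the same way for every incident. The following is an added example, not code from the talk or from Cornell's DIRT process; the Evidence fields, the dwell and download thresholds and the tie-break rule are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import List, Optional, Tuple

class NeedToNotify(IntEnum):
    """Five steps of the Need to Notify scale (page 17), low to high."""
    CONFIRMED_NOT_ACQUIRED = 0
    BELIEF_NOT_ACQUIRED = 1
    NO_DATA_FOR_ANALYSIS = 2
    BELIEF_ACQUIRED = 3
    ACCESS_CONFIRMED = 4

@dataclass
class Evidence:
    compromise_time: Optional[datetime]              # None: analysts could not date the compromise
    discovered_time: datetime
    sensitive_file_mac: List[Tuple[datetime, bool]]  # (M/A/C time, explained by the supporting application)
    outbound_bytes: Optional[int]                    # None: no network data available
    sophisticated_tools: bool                        # tools found went beyond commodity malware
    access_confirmed: bool = False                   # an artefact proves the data were read or copied
    confirmed_not_acquired: bool = False             # e.g. the data were not on the host during the compromise

# Hypothetical thresholds (assumed for this example, not from the talk)
DWELL_LIMIT = timedelta(days=7)          # "compromise occurred a significant time ago"
DOWNLOAD_LIMIT = 10 * 1024 * 1024        # "significant remote access and download"

def assess(ev: Evidence) -> NeedToNotify:
    # Hard evidence settles the question before any indicator scoring
    if ev.access_confirmed:
        return NeedToNotify.ACCESS_CONFIRMED
    if ev.confirmed_not_acquired:
        return NeedToNotify.CONFIRMED_NOT_ACQUIRED
    if ev.compromise_time is None or ev.outbound_bytes is None:
        return NeedToNotify.NO_DATA_FOR_ANALYSIS
    # Each entry pairs an "acquired" sign with its "NOT acquired" mirror from the slide
    acquired_signs = [
        ev.discovered_time - ev.compromise_time > DWELL_LIMIT,   # long ago vs identified quickly
        any(t > ev.compromise_time and not explained              # MAC times after compromise,
            for t, explained in ev.sensitive_file_mac),           # not tied to the application
        ev.outbound_bytes > DOWNLOAD_LIMIT,                       # significant vs limited download
        ev.sophisticated_tools,                                   # sophisticated vs benign tools
    ]
    # Assumed tie-break: an even split leans towards notifying
    if 2 * sum(acquired_signs) >= len(acquired_signs):
        return NeedToNotify.BELIEF_ACQUIRED
    return NeedToNotify.BELIEF_NOT_ACQUIRED

T0 = datetime(2006, 3, 1, 2, 0)   # constructed sample incidents, not real cases
QUICK_CATCH = Evidence(T0, T0 + timedelta(hours=20), [(T0 - timedelta(days=3), True)], 200_000, False)
SLOW_CATCH = Evidence(T0, T0 + timedelta(days=30), [(T0 + timedelta(days=2), False)], 50_000_000, True)
```

The returned step, together with the Evidence record, is what the DIRT-style meeting would minute as the basis for its notification decision.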

Page 20

(Repeats the “Need to Notify” figure from page 17.)

Pages 21-23

Performing the Analysis (three slides; only the slide title survived extraction)

Page 24

The Bottom Line

Build a mechanism to address the tough question
Be prepared to make judgment calls
Someone’s going to have to get their hands dirty

Page 25

Legal and Policy Framework

Page 26

Figure: Internet & IT Policy at the centre, surrounded by Market, Architecture, Norms and Law.

Page 27

Big “P” and Little “p” Policy

Big “P” policy involves external issues, such as national security, electronic surveillance laws, privacy, or digital copyright.
  USA-Patriot Act: http://www.cit.cornell.edu/oit/policy/PatriotAct/
  Digital Copyright: http://www.cit.cornell.edu/oit/policy/copyright/
  Privacy in the Electronic Realm: http://www.cit.cornell.edu/oit/policy/privacy/
  CALEA: Communications Law Enforcement Assistance Act: http://www.cit.cornell.edu/oit/policy/calea/

Page 28

Little “p” Policy

Little “p” policy is institutional policy.
Preservation and protection of institutional interests and assets: if your policy does not stand up to this test, best to rethink.

Cornell Model
  Centralized University Policy Office: http://www.policy.cornell.edu/
  Famous “policy on policies!”: http://www.policy.cornell.edu/vol4_1.cfm
  Balance of statement and procedure: at the institutional level of procedure, but not backline

Page 29

Cornell Model… is not the model for every institution!

Policy is part and parcel of the culture, traditions and structure of each institution.

Observed irony: the more decentralized the institution, the more in need of a centralized policy process to routinize compliance and practices around the college or university. The less decentralized, the more likely that policy occurs naturally within the existing structure.

Size does not always determine: Georgetown as counter-example to Cornell University.

Page 30

Two Generalizations about Policy and Process: (1) Critical to have a policy process…

Legal compliance primarily
Deference to the complex nature of higher education secondarily
Especially as higher education becomes more international in scope and information technology is increasingly intermingled with the law, the market and changing norms within society

…no matter what the particular culture or structure of your institution.

Page 31

Two Generalizations about Process: (2)

It almost always does, or should, boil down to three essential steps:
  Responsible office brings forward concept to a high-level committee (Audit, Counsel, VPs, Dean of Faculty or even President and Provost)
  Mid-level review for implementation (the greater the representation of the campus community the better)
  Back to the high level for signoff and promulgation.

Page 33

Information Security of Institutional Data

Policy Statement: Every user of institutional data must manage responsibly
Appendix A: Roles and Responsibilities
Appendix B: Minimum Data Security Standards

Page 34

Data Classification Cost/Benefit Analysis

Costs (financial and administrative):
  Administrative burden
  Financial cost of new technologies
  New business practices

Benefits (mitigating risk):
  Legal check list
  Policy decisions (prioritizing institutional data)
  Ethical considerations?

Page 35

Legal Check List

Type of Data             Privacy    Annual   Notification   Legislative Private   Government    Statutory
                         Statement  Notice   Upon Breach    Right of Action*      Enforcement   Damages
Personally Identifiable  o          o        x              O                     x             x
Education Record         x          X        o              o                     x             o
Medical Record           x          o        o              x                     x             x
Banking Record           x          x        o              o                     x             x

Page 36

When Notifications are Required

Page 37

Content of the Notice

Name of the individual whose information was the subject of the breach of security
The name of the “covered entity” that was the subject of the breach of security
A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
The specific dates between the breach of security of the sensitive personal information of the individual and discovery
The toll-free numbers necessary to contact:
  Each entity that was the subject of the breach of security
  Each nationwide credit reporting agency
  The Federal Trade Commission

Page 38

Timing of the Notice

Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
There is a provision for law enforcement and homeland security related delays

Page 39

Data Incident Notification Toolkit*

Provide a tool that pulls from our collective experience.
A real-time aid for creating the various communications that form data breach notification.
An essential part of an incident response plan.

http://www.educause.edu/DataIncidentNotificationToolkit/9320

* Hosted by EDUCAUSE

Page 40

Notification Templates

Outlines and content for:
  Press Releases
  Notification Letters
  Incident Specific Website
  Incident Response FAQs
  Generic Identity Theft Web Site

Sample language from actual incidents

Food for thought – one size does not fit all