![Page 1: Sensitive Data Exposure Risks & Response at Indiana University Jonny Sweeny IT Incident Response Manager Indiana University IHETS Tech Summit 30 March](https://reader036.vdocuments.site/reader036/viewer/2022081518/5519c362550346047c8b472c/html5/thumbnails/1.jpg)
Sensitive Data Exposure Risks & Response at Indiana University
Jonny Sweeny
IT Incident Response Manager, Indiana University
IHETS Tech Summit, 30 March 2007
Copyright 2007, The Trustees of Indiana University. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Overview
• Indiana’s New State Data Protection Laws (and a few other data protection laws and regulations)
• Indiana University’s Preparation
• Indiana University’s Incident Response
• What We’ve Learned
• Questions
Indiana’s New State Data Protection Laws
Three Data Protection Laws I’ll Review
• Release of SSN
• Disposal of Sensitive Data
• Notice of Security Breach
#1 - Release of Social Security Number Law
Indiana Code (IC) 4-1-10
• Effective July 1, 2006, it is a crime for an Indiana state agency to disclose an individual’s Social Security Number to a party outside of the agency, unless the disclosure is authorized under Indiana state law
What is a State Agency?
• For the purposes of this law, a “state agency” includes the following:
– A state elected official’s office
– A state educational institution
– A body corporate and politic of the state created by state statute
– The Indiana lobby registration commission
Types of Disclosures Covered
• Any individual’s SSN (doesn’t have to be a “customer”), in any format:
– Electronic
– Paper
– Oral
What SSN Disclosures are Authorized?
• Disclosures for which we have the individual’s express written consent
• Disclosures of only the last four (4) digits of the SSN
• Disclosures for the purpose of administering health benefits of an employee or the employee’s dependent(s)
• Except where prohibited by state or federal law or a court order:
– Disclosures to a local, state, or federal agency
– Disclosures by our Police Department to an individual, entity, or local, state or federal agency, for the purpose of furthering an investigation
• Disclosures that are expressly required (not just permitted) by state or federal law or a court order
• Disclosures made in the context of certain counterterrorism investigations
• Disclosures to commercial entities for use in certain activities authorized under 3 federal laws
Penalties for Unauthorized Disclosures – State Agency
• Enforced by the State Attorney General, who can bring action against the Agency
• Possibility of civil suit filed by affected individual(s)
• Associated costs: constituent trust, and the time and other resources needed to notify as required by the third law we are going to discuss
Penalties for Unauthorized Disclosures – Employees
• Knowing, intentional, or reckless violations are felonies:
– Up to 3 years’ jail time
– Up to $10,000 fines
• Negligent violations are misdemeanors:
– Up to 1 year jail time
– Up to $5,000 fines
• Possibility of civil suit filed by affected individual(s)
What Constitutes “Negligence”?
It is not clear whether “negligent” disclosure under the law covers only affirmative transfer of an SSN, or also covers inadvertent exposure of SSNs to unauthorized access due to inadequate security measures.
#2--Personal Information Secure Disposal Law
Indiana Code (IC) 24-4-14
• Effective July 1, 2006, it is a crime for a person to dispose of certain personal information of a “customer” in a non-secure manner
What is a Person?
• For the purposes of this law, a "person" means:
– an individual
– a partnership
– a corporation
– a limited liability company
– or another organization
What Does “Dispose of” Mean?
• Discarding or abandoning the “personal information” of a “customer” in an area accessible to the public
• Includes placing the personal information in a container for trash collection
• Don’t forget about disposal of computer drives and disks…
What Types of “Personal Information” are Covered?
• Social Security Numbers, OR
• First initial or name PLUS last name AND:
– Credit card number
– Financial account number or debit card number in combination with a security code, password, or access code that permits account access
– Driver’s license number
– State identification number
When is PI Not Covered?
• The law only applies to personal information that is neither “encrypted” nor “redacted”
– “Encrypted”:
• transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or
• secured by another method that renders the personal information unreadable or unusable
– “Redacted”: information is altered or truncated so that no more than the last 5 digits of an SSN, or the last 4 digits of other personal information, are accessible
Who are “Customers”?
• Anyone who has received or contracted for the direct or indirect provision of goods or services and whose personal information you store, and
• Anyone who has given you their personal information in connection with a transaction with you
• For IU:
– Includes students, parents, employees, bookstore and theater customers, vendors who give us personal information, etc.
What Types of Disposal are Secure Enough?
• Shredding
• Incinerating
• Mutilating
• Erasing
• Methods that otherwise render the information illegible or unusable
Relationship to Other Data Security Laws…
• State disposal law EXEMPTS persons who are already maintaining and complying with a disposal program under:
– HIPAA
– Gramm-Leach-Bliley
– Fair Credit Reporting Act
– Driver’s Privacy Protection Act
– USA Patriot Act/Executive Order 13224
#3 – Notice of Security Breach Law
Indiana Code (IC) 4-1-11
• Effective July 1, 2006, a State Agency must notify individuals whose “unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person” as a result of a system security breach
What Types of “Personal Information” are Covered?
• First initial or name PLUS last name AND at least one of the following:
– SSN (more than the last 4 digits)
– Driver’s license number
– State identification card number
– Credit card number
– Debit card number
– Financial account number
– Security code, access code, or password of a financial account
What Does “Unencrypted” Mean?
• It’s not defined in this law – best to assume the definition in the disposal law would apply
Some Exceptions
• This law only addresses computerized (electronic) data, not paper data
• Also, the law doesn’t cover theft of portable electronic devices with personal information stored on them, if access is protected by a password that has not been disclosed
Of course, IU can still give notice as a policy matter if we had these types of disclosures…
When Does Notice Have to be Given?
• “without unreasonable delay”
• Consistent with
– legitimate needs of law enforcement, and
– measures needed to determine the scope of the breach and restore system integrity
• Notice may be delayed if law enforcement determines notice will impede a criminal investigation
How May Notice Be Given?
• In writing
• By email
• By conspicuous posting on the IU website and notice to major statewide media, if
– Cost of notice to individuals is $250K or more,
– More than 500,000 people must be notified, or
– We have insufficient contact information for personal notice
Who Else Must Be Notified?
• The Indiana Attorney General
• If more than 1,000 individuals’ information is involved, must notify all consumer reporting agencies
– Equifax, TransUnion, Experian
– Heads up to them that individuals may be requesting credit reports to monitor for attempted identity theft
Review and Compare:
• Release of SSN
• Disposal of Sensitive Data
• Notice of Security Breach
Other Regulations
• Many other privacy/security rules and regulations dealing with specific categories of data to be protected:
– FERPA: student education records
– GLB: nonpublic customer information of “financial institutions”
– HIPAA: personal health information
– FACTA: consumer report data
– PCI DSS: credit card transaction information
Payment Card Industry Data Security Standards (PCI DSS)
• Merchant bank agreements impose payment card data security standards
• Extensive and rigorous requirements that apply to all components of IT system involved with cardholder data access, retention and processing
• Requires immediate notice to payment card company in case of security breach
• Noncompliance may lead to fines, revocation of right to accept cards for payment
Indiana University’s Preparation
Indiana University
• Indiana University has eight campuses:
– the original campus in Bloomington;
– an urban campus in Indianapolis, which also includes the IU Medical Center;
– and six regional campuses in the cities of Gary, South Bend, Fort Wayne, Kokomo, Richmond, and New Albany.
• Total students: ~98,000
• Total faculty and staff: ~22,000
Decentralized Environment
• “Data Stewards” responsible for policy and practice concerning their data
– Including granting access to their systems, and training about use of their data
• Colleges, departments, & units are responsible for local technology and the security of that technology
• Individuals responsible for following policy
Strategy
• IT Security & Policy Office partnered with University Counsel and Internal Audit to devise a plan:
– Composed a letter, sent by the President to all faculty and staff
– Gave presentations on the new laws and what to do, to the Chancellors, to departmental staff, and everyone in between!
– Created a web page to compile information and resources in one place
– Ensured Incident Response was ready
– Advise as needed
Indiana University’s Incident Response
Prior Preparation
• Already had procedures and a “Kit” in place prior to the law being passed, due to the existing industry best practice of notifying individuals
• Revised the “Kit” to include the new requirements of the Indiana law
• Presentations and Letter educated about how to report these incidents
Incident Response Overview
• Unit takes immediate action to report the incident to the IT Security & Policy Office (ITSPO)
• An Incident Team is immediately assembled to advise and assist in:
– containing and limiting the exposure
– investigating the attack
– ensuring appropriate approvals
– handling notification to the affected individuals and agencies
• Incident “belongs” to the unit that caused it, but is “coordinated” by the ITSPO
• Post mortem held 2-6 weeks afterwards
What Kind of Breaches?
• Prior to the new law:
– Faculty member kept an old computer when new ones were distributed; patches were not kept up to date; had grade rosters on it
– Outsourced server not properly secured
• Since July 2006:
– Secretary mistakenly emailed to the wrong address, with a spreadsheet attached
– Laptop of a faculty member stolen from his locked car in his garage; had grade rosters on it
– Library posted archive data on the web
– Flash drive lost, with a programmer’s data on it
• No damages yet reported – but we err on the side of caution
IU’s Sensitive Data Exposure Incident Kit
I. Checklist
II. Sample Notification Letters
III. Template for Web Page and FAQ
IV. Sample Press Releases
V. Dealing with Contacts from Press (with Sample Talking Points)
VI. Dealing with Contacts from Individuals
What We’ve Learned
Experience Tells Us…
• TIME IS CRITICAL
• Unit will not have the experience to handle it on their own
– Important to have coordination by one unit, sharing materials and knowledge gained
• Focus should be on the individuals affected, not the press
• The Attorney General has given us an A+!
• Not sure if that is good or bad…
Issues
• Can we proactively look for this data, or will we get in trouble with the AG?
• How to ensure every employee is trained appropriately, regardless of whether they have access to a data repository or not
• Staying up to date with legislation both at state and federal levels…
Issues (cont.)
• In proactively looking for this data, we are considering approaches that are:
– Systematic
– Manageable
– Relatively Thorough
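The proactive search raised on the last two slides is a tractable engineering problem, and the disposal law's definition of "redacted" tells you how to report hits without creating a new exposure. What follows is an added example, not IU's tooling and not part of the deck: a small Python scanner that walks a tree of text-like files, flags nine-digit strings that pass the Social Security Administration's issuance rules as candidate SSNs and 13-19-digit strings that pass the Luhn check as candidate card numbers, and keeps only the last four digits of each hit. The SSA rules (area 000, 666 and 900-999 never issued; group 00 and serial 0000 never issued) and the Luhn check are real; the file extensions scanned, the function names and the sample CSV are assumptions constructed for the example.

```python
"""Added example: proactive scan for unredacted SSNs and card numbers in text.
Illustrative code, not IU's tool.  SSA issuance rules and Luhn are real; the
extension list, names and sample data are constructed assumptions."""
import os
import re
from typing import List, NamedTuple

# Candidate SSN: nine digits as AAA-GG-SSSS with optional '-' or ' ' separators,
# not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Candidate card number: 13-19 digits with optional single '-' or ' ' separators.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Assumption: only these text-like extensions are worth scanning here.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".html", ".xml", ".json", ".sql"}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str      # "ssn" or "card"
    redacted: str  # last four digits only, within the disposal law's redaction rule


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject nine-digit strings the SSA has never issued: area 000, 666 or
    900-999, group 00, serial 0000.  Cuts most order/ID numbers from the results."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(digits: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits so the findings report is not itself an exposure."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(text: str, path: str = "<text>") -> List[Finding]:
    """Return redacted findings for every plausible SSN or card number in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append(Finding(path, line_no, "ssn", redact("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(path, line_no, "card", redact(digits)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and scan every text-like file (systematic, bounded by extension)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), full))
    return findings


# Constructed sample: a spreadsheet export of the sort that ends up attached to a
# mis-addressed e-mail.  Rows 3-5 hold look-alikes that must NOT be reported.
SAMPLE_CSV = """\
Name,SSN,Card
Alice Example,123-45-6789,4111 1111 1111 1111
Bob Example,000-12-3456,1234 5678 9012 3456
Carol Example,987654320,
Dave Example,xxx-xx-1234,
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSV, "roster.csv"):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Run as a script it scans the embedded sample and reports only Alice's row; `scan_tree("/path/to/share")` does the same over a file tree. The look-alike rows are the point: a bare nine-digit regex would report the 000-area and 9xx-area values and bury the team in noise, and a 16-digit number that fails Luhn is almost certainly an order or asset number. Content matching still cannot say whether a hit is data the unit is entitled to hold, or whether the file counts as encrypted or redacted under the statute, so each finding needs a human decision, and binary formats (office documents, database dumps, disk images) need text extraction before this kind of scan sees anything.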
Questions?
Jonny [email protected]
Indiana University IT Security & Policy Office
http://itpo.iu.edu
http://itso.iu.edu
Data Protection Web Page: http://itpo.iu.edu/policies/bestpractices/dataprotection.html