1 / 52

Data Incident Notification Toolkit

Data Incident Notification Toolkit. Mary Ann Blair Director of Information Security Carnegie Mellon University William L. Custer Information Security Policy Manager Miami University Rodney Petersen Policy Analyst and Security Task Force EDUCAUSE. Notification of Security Breach Risk.

kinsey
Download Presentation

Data Incident Notification Toolkit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data Incident Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University William L. Custer Information Security Policy Manager Miami University Rodney Petersen Policy Analyst and Security Task Force EDUCAUSE

  2. Notification of Security Breach Risk The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress) • Reporting the Breach to the Federal Trade Commission!!! • Notification of Consumers

  3. Consumer Notification . . . Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.

  4. Reasonable Risk of ID Theft In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.

  5. Methods of Notification • Written notice • Electronic notice • Substitute notice • Cost of notice exceeds $250,000 • The individuals to be notified exceeds 500,000 • You do not have sufficient contact information

  6. Substitute Notice • Notice by electronic mail when you have an email address for affected individuals • Conspicuous posting of such notice on your Internet website • Notification to major State-wide media

  7. Content of the Notice • Name of the individual whose information was the subject of the breach of security • The name of the “covered entity” that was the subject of the breach of security • A description of the categories of sensitive personal information of the individual that were the subject of the breach of security • The specific dates between the breach of security of the sensitive personal information of the individual and discovery • The toll-free numbers necessary to contact: • Each entity that was the subject of the breach of security • Each nationwide credit reporting agency • The Federal Trade Commission

  8. Timing of the Notice • Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity • In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system • There is a provision for law enforcement and homeland security related delays

  9. Implications • Application of state laws • Conflicting requirements • Potential for Federal preemption • Congressional record may prove important • Absence of case law • Unfunded mandate

  10. Goal: Bootstrap the Uninitiated • When you’re under fire, you need help fast. • Provide a tool that pulls from our collective experience. • A real-time aid for creating the various communications that form data breach notification. • An essential part of an incident response plan.

  11. Data Incident Notification ToolkitHosted by EDUCAUSE • Federal/State Legal Requirements • Policies and Procedures • Threshold for Notification • Notification Templates • Incident Web Sites • Other Resources • Sample Incident Response Plans • Under Construction • Threshold for involving law enforcement

  12. Notification Templates • Outlines and content for • Press Releases • Notification Letters • Incident Specific Website • Incident Response FAQs • Generic Identity Theft Web Site • Sample language from actual incidents • Food for thought – one size does not fit all

  13. Before an Incident • Generic Identity Theft Site • Public Service Announcement • Can be referenced in the event of an incident • Components • What is Identity Theft • How to avoid it • What to do if • Your data may have been compromised • You become an actual victim of identity theft • FAQs • Verify info correct at time of publication, especially for your locale.

  14. Generic Identity Theft Site • Introduction This site contains information on how to protect yourself from identity theft as well as what to do to if your personal information becomes exposed or if you actually become a victim of identity theft. Links to additional information can be found under the Resources. • What is Identify Theft? Identity theft occurs when someone uses another person's personal information such as name, Social Security number, driver's license number, credit card number or other identifying information to take on that person's identity in order to commit fraud or other crimes. . . etc

  15. Responding to an Incident • Press Releases • Notification Letters • Incident Specific Website (1 per incident) • Incident Response FAQs • Hotline (FAQs serve as a script for call-takers)

  16. Press Release Components • Who is affected/not affected? • What specific types of personal information are involved? • What are the (brief) details of the incident? • “No evidence to indicate data has been misused…” or what the evidence points to. • Expression of regret and concrete steps the institution is taking to prevent this from happening again. • For more information, …

  17. Sample Snippets – Who is Affected/Not Affected • The server contained personal information, including names and Social Security numbers, on current, former and prospective students, as well as current and former faculty and staff. • Student laptop computers were not breached, and, at this time, school officials believe that [population e.g. current undergraduates] were not affected.

  18. Notification Letter Components Press Release + • What steps should individuals take? • Next steps. • Contact information. • Signature.

  19. Sample Snippets – Notification Letter • Anticipated next steps, if any. e.g. intention to notify if any additional information becomes available? Example: The theft of this information raises a number of possible risks to you. One is theft of identity for financial gain.  The University will be sending you a package of materials outlining steps you can take to protect yourself from this.  • Who to contact for additional information Contact/name, number, hours of availability, web site, hotline, email address, etc. Example: Should you have further questions about this matter, please contact [name of contact}, [title of contact], at [email address of contact] or [phone number]. • Signature Who makes most sense – president, dean, other contact familiar to the individual, consider multiple signatories for different constituent groups.

  20. Incident Web Site Components • Most-Recent-Update section at top of page • <Replicate Notification Letter Components modified for more generic audience > • Link to Identity Theft website/credit agencies • FAQs • Toll-free Hotline contact information

  21. Data Incident Nofication Toolkit • http://www.educause.edu/9320 • Page Location: EDUCAUSE Home > EDUCAUSE Major Initiatives > Security Task Force > Resources > DATA INCIDENT NOTIFICATION TOOLKIT

  22. Coming Attractions • Threshold for notification • Best practice detection – monitoring, logging, tools, etc. • What would you like to see?

  23. Miami University Fact Sheet • Established 1809 - Ohio land grant institution • Liberal education core • 100 undergraduate majors • 22,600 Students • Oxford, Ohio campus 15,300 undergraduates 1400 graduate students • Hamilton – 3300 undergraduates • Middletown – 2600 undergraduates • European Center in Luxembourg

  24. What Is This Session About?Notification • If confidential data is exposed • Using the toolkit • Procedures should be in place already • Part of Incident Response • IR is part of an Operations Plan

  25. Focus Of This Talk • Usefulness of the Toolkit • Case Study Approach • How Miami used the toolkit after an incident

  26. What Is The Toolkit? • The resources on the Educause site • http://www.educause.edu/ • DataIncidentNotificationToolkit/9320

  27. What Is In The Toolkit (1) • Press Release tools • Notification Letter components • Incident Specific Web Site Template • Incident FAQ • Generic Identity Theft Web Site

  28. What Is In The Toolkit (2) • Lots of links to other helpful sites • www

  29. The Incident Reported • A report containing names, Social Security numbers and grades for 21,762 students from fall term 2002 was discovered in a file accessible through the Internet • Monday, September 12, 2005 • Reported at 9:02 a.m.

  30. IT Responds First • 9:05 Find the exposed file • 9:10 Remove the file • 9:12 Contact IT senior management • 11:00 Answers from log files • 11:15 Offer advice to management

  31. Nine Questions • I interviewed Miami staff after the event • What follows are nine questions • Did the toolkit answer them?

  32. Q1: Advise To Notify? • Should IT advise notification? • Answer: yes? • Help from the toolkit?

  33. A Black Box • A black box would be nice • Notify? Yes / No • No black box in the toolkit

  34. Factors Considered • Exposed file was several years old • Logs for 7 months • Very little activity • Increase of activity • Two site concerned us

  35. Access Graphed

  36. Helps For Decision • Toolkit links to California law • Useful guidance for Ohio

  37. Q2: Should We Notify? • VP team to consider it • Director of University Communications included • Phone calls to 6 institutions • Help from the toolkit?

  38. Q3: How Find Time? • Time is critical in an emergency • Web searches take time • Reading takes time • Help from the toolkit? Yes

  39. Pre Selected Material • The toolkit saved us much time by selecting some of the best materials in advance

  40. Q4: Where Is the Table of Contents? • Notification taxonomy? • Ways to notify • Help from the Toolkit? Yes

  41. What Miami Did • Press Release • FAQ • Notification Letter via e-mail • Telephone Hotline • US Mail – hired an agency to help

  42. Q5: What Are The Topics? • Topics to include in any notification • Basic facts, concern, apology, action, commitment • Help from the toolkit? Yes • Plenty of examples

  43. What Miami Did • Miami chose the open kumona approach • Read the examples • Wrote from scratch

  44. Q6: What Wording To Use? • Words are important in crisis • The Press hangs on words • Help from the toolkit? Yes

  45. What Miami Did • Read the examples • Composed letters from scratch • Used form letters from consultant

  46. Q7: Thing To Avoid • Things not to say • How not to create panic • Help from the toolkit? Some

  47. Q8: What Was Extra? • What tools did Miami not use? Why

More Related