Preventing a security breach
Preventing a Security Breach. November 2012, NCASFFA. Diane G. Miller, Associate General Counsel, State Education Assistance Authority. Phone: (919) 248-4669

Disclaimers


What Will We Cover In This Session?

What is the scope of the problem?

Why is this issue important for the financial aid office?

What is a security breach?

Best practices to prevent a security breach

Inventory personal information

Limit personal information you collect and keep

Secure personal information

Disposal of personal information

Prepare for a security breach


Security Breaches Are Common

More than 800 breaches that involved information about more than 3.3 million North Carolina consumers have been reported to the Attorney General's Office since 2005


Experts: SC Hacking Largest vs. State Tax Agency

Millions of SSNs and business records from tax returns as far back as 1998 were hacked in South Carolina

The 3.6 million tax returns included Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of those unencrypted

Up to 657,000 businesses have also been compromised

http://www.newsobserver.com/2012/10/31/2452390/experts-sc-hacking-largest-vs.html#storylink=cpy


Computer Glitch Causes State Unemployment Agency To Disclose Personal Info

The state’s Division of Employment Security announced Tuesday that information about thousands of employers and recipients of unemployment benefits was mistakenly disclosed in letters the agency mailed during a three-week period

The agency said a computer program was implemented that generated incorrect employer addresses on letters that included the names of individuals, Social Security numbers, business names and N.C. State Unemployment Tax Act employer account numbers

http://www.newsobserver.com/2012/04/24/2021903/computer-glitch-causes-state-unemployment.html#storylink=cpy


UNC Charlotte: 350,000 Social Security Numbers Exposed During Internet Breach

The Social Security numbers and bank account data of approximately 350,000 University of North Carolina Charlotte students, faculty and staff have been publicly exposed, some for more than a decade

Confidential information from "general university systems" was accidentally made public for approximately three months before being discovered and reported

Caused by an IT official who misconfigured a server during an upgrade

http://www.msnbc.msn.com/id/47390650/ns/technology_and_science-security/t/huge-financial-data-breach-hits-unc-charlotte/


Mammography Study Hacked, Personal Data At Risk

Hundreds of thousands of women found out by letter this week that their personal information, including Social Security numbers, might have been exposed to identity theft

The Carolina Mammography Registry at the University of North Carolina School of Medicine gathers data from radiologists across the state and the breach affects women who did not know the registry existed and did not give consent to have their information included

http://www.wral.com/news/local/story/6213633/


Some Relevant Laws And Regulations

  • Gramm-Leach-Bliley Act (GLB) and the Safeguards Rule

    • requires companies defined as “financial institutions” to ensure the security and confidentiality of customer information;

    • to protect against any anticipated threats or hazards to the security of such records; and

    • to protect against the unauthorized access and use

  • Fair and Accurate Credit Transactions Act of 2003 - Red Flags Rule

  • North Carolina Identity Theft Prevention Act

  • Higher Education Act of 1965, as amended

  • Family Educational Rights and Privacy Act (FERPA)


What Is A “Security Breach”?

An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.

N.C. Gen. Stat. § 75-61


What Is A Security Breach?

Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure

N.C. Gen. Stat. § 75-61


What Is Personal Information?

Personal information includes: an individual’s Social Security number (SSN), employer taxpayer identification number (TIN), driver’s license or state identification number, passport number, checking/saving account number, credit/debit card number, PIN, digital signature, biometric data, fingerprints or any number that can be used to access his financial resources. 

N.C. Gen. Stat. § 75-61


What Is Personal Information?

Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.

N.C. Gen. Stat. § 75-61


Dunn Tops National List For Fraud, ID Theft Complaints

The Federal Trade Commission released its latest report in February on consumer fraud-related complaints in the U.S.

The Dunn metropolitan area ranked No. 4 in the country for consumer fraud complaints per capita and No. 5 nationwide for identity theft complaints

From North Carolina’s Attorney General to local law enforcement, no one can explain for certain why Dunn consistently makes the list

http://www.wral.com/news/local/story/11045172/


Step One - Take Stock

What PII do you have?

Where is your PII stored?

Who has access to your PII?


Step Two - Scale Down

Are you collecting unnecessary PII?

Are you keeping PII too long?

Be familiar with your record retention requirements


Step Three - Lock It

Protect the PII that you keep

Physical security

Electronic security

Training


Police: Mom Leaves Baby On Top Of Car, Drives Off

A 19-year-old mother is under arrest on child abuse and aggravated DUI charges after police say she left her five-week-old baby strapped in a car seat on top of her car and drove off

She realized the baby was missing when she reached home

That's when XXX called her friends and asked them to trace the route she had taken

The friends ran into the officers who had already found the baby

XXX arrived shortly thereafter and was arrested

http://usatoday30.usatoday.com/news/nation/story/2012-06-02/baby-left-on-roof-of-car/55349990/1


Step Four - Pitch It

Properly dispose of PII that you no longer need

Paper

Electronic storage devices


Destruction Of Personal Information Records

Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

N.C. Gen. Stat. § 75-64


Destruction Of Personal Information Records

"Disposal" includes the following:

a. The discarding or abandonment of records containing personal information.

b. The sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal information, or other nonpaper media upon which records of personal information are stored, or other equipment for nonpaper storage of information.

N.C. Gen. Stat. § 75-61


Cabinet Was Surplus, Files Inside Were Personal

XXX drilled open a filing cabinet that was locked when he bought it

Inside were files that were records of former UNC grad students and applicants: names, addresses, grade point averages and Social Security numbers

XXX contacted the surplus store, and a staff member drove to XXX’s home the next day, gathered the files, and thanked XXX for calling

To reward his good deed, UNC sent XXX a thank you letter and a T-shirt

http://www.wral.com/news/local/story/1203863/


McCain-Palin Team Sells Info-rich Blackberrys To TV Station

An investigative reporter for WTTG bought two BlackBerry devices for $20 apiece containing confidential information from the McCain-Palin campaign at a "gone out of business" sale at the campaign's headquarters in Arlington, Va.

One contained 50 phone numbers for people connected to the campaign, as well as hundreds of e-mails from early September until a few days after the election.

The second device contained 300 'contacts,' including the former Virginia governor

http://www.foxnews.com/story/0,2933,465985,00.html


Step Five - Plan Ahead

Plan ahead for a security breach

Be prepared to act with reasonable speed

Review your institutional policy and procedures for responding to a security breach

Consider your obligations under all privacy laws and regulations


More Information

http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business

http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml

http://business.ftc.gov/privacy-and-security

http://www.ncdoj.gov/getdoc/6633be99-552d-4e62-ae06-c15accad4142/Protect-Your-Business.aspx


Questions? Comments?

Thank you!
