Preventing a Security Breach
November 2012 NCASFFA
Diane G. Miller, Associate General Counsel, State Education Assistance Authority
Phone: (919) 248-4669 [email protected]
Disclaimers
What Will We Cover In This Session?
What is the scope of the problem?
Why is this issue important for the financial aid office?
What is a security breach?
Best practices to prevent a security breach
Inventory personal information
Limit personal information you collect and keep
Secure personal information
Disposal of personal information
Prepare for a security breach
More than 800 breaches that involved information about more than 3.3 million North Carolina consumers have been reported to the Attorney General's Office since 2005
Millions of SSNs and business records from tax returns as far back as 1998 were hacked in South Carolina
The 3.6 million tax returns included Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of those unencrypted
Up to 657,000 businesses have also been compromised
The state’s Division of Employment Security announced Tuesday that information about thousands of employers and recipients of unemployment benefits was mistakenly disclosed in letters the agency mailed during a three-week period
The agency said a computer program was implemented that generated incorrect employer addresses on letters that included the names of individuals, Social Security numbers, business names and N.C. State Unemployment Tax Act employer account numbers
The Social Security numbers and bank account data of approximately 350,000 University of North Carolina Charlotte students, faculty and staff have been publicly exposed, some for more than a decade
Confidential information from "general university systems" was accidentally made public for approximately three months before being discovered and reported
Caused by an IT official who misconfigured a server during an upgrade
Hundreds of thousands of women found out by letter this week that their personal information, including Social Security numbers, might have been exposed to identity theft
The Carolina Mammography Registry at the University of North Carolina School of Medicine gathers data from radiologists across the state and the breach affects women who did not know the registry existed and did not give consent to have their information included
An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.
N.C. Gen. Stat. § 75-61
Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure
N.C. Gen. Stat. § 75-61
Personal information includes: an individual’s Social Security number (SSN), employer taxpayer identification number (TIN), driver’s license or state identification number, passport number, checking/saving account number, credit/debit card number, PIN, digital signature, biometric data, fingerprints or any number that can be used to access his financial resources.
N.C. Gen. Stat. § 75-61
Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.
N.C. Gen. Stat. § 75-61
The Federal Trade Commission released its latest report in February on consumer fraud-related complaints in the U.S.
The Dunn metropolitan area ranked No. 4 in the country for consumer fraud complaints per capita and No. 5 nationwide for identity theft complaints
From North Carolina’s Attorney General to local law enforcement, no one can explain for certain why Dunn consistently makes the list
What PII do you have?
Where is your PII stored?
Who has access to your PII?
Are you collecting unnecessary PII?
Are you keeping PII too long?
Be familiar with your record retention requirements
Protect the PII that you keep
A 19-year-old mother is under arrest on child abuse and aggravated DUI charges after police say she left her five-week-old baby strapped in a car seat on top of her car and drove off
She realized the baby was missing when she reached home
That's when XXX called her friends and asked them to trace the route she had taken
The friends ran into the officers who had already found the baby
XXX arrived shortly thereafter and was arrested
Properly dispose of PII that you no longer need
Electronic storage devices
Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
N.C. Gen. Stat. § 75-64
"Disposal" includes the following:
a. The discarding or abandonment of records containing personal information.
b. The sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal information, or other nonpaper media upon which records of personal information are stored, or other equipment for nonpaper storage of information.
N.C. Gen. Stat. § 75-61
XXX drilled open a filing cabinet that was locked when he bought it
Inside were files that were records of former UNC grad students and applicants: names, addresses, grade point averages and Social Security numbers
XXX contacted the surplus store, and a staff member drove to XXX’s home the next day, gathered the files, and thanked XXX for calling
To reward his good deed, UNC sent XXX a thank you letter and a T-shirt
An investigative reporter for WTTG bought two BlackBerry devices for $20 apiece containing confidential information from the McCain-Palin campaign at a "gone out of business" sale at the campaign's headquarters in Arlington, Va.
One contained 50 phone numbers for people connected to the campaign, as well as hundreds of e-mails from early September until a few days after the election.
The second device contained 300 'contacts,' including the former Virginia governor
Plan ahead for a security breach
Be prepared to act with reasonable speed
Review your institutional policy and procedures for responding to a security breach
Consider your obligations under all privacy laws and regulations