
Secure IT 2005

Secure IT 2005. Implementations of California Database Notification Act Civil Code 1798.29 (AKA SB1386) Felecia Vlahos Information Security Officer San Diego State University. Secure IT 2005 – CCC 1798.29. http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29)


Presentation Transcript


  1. Secure IT 2005 Implementations of California Database Notification Act Civil Code 1798.29 (AKA SB1386) Felecia Vlahos Information Security Officer San Diego State University

  2. Secure IT 2005 – CCC 1798.29 http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, …

  3. Secure IT 2005 – CCC 1798.29 Personal information: individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (last four SSN + DOB, Tax ID) (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account (ACH). Breach of the security of the system...Reasonably believed to have been: unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.
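The statutory definition on this slide is a decision rule: a name paired with at least one listed data element, where the name or that element is unencrypted. The following is an added example (not from the presentation) that applies that rule to breached records to find which ones fall under the disclosure duty; the record layout, field names and sample data are assumptions, and the slide's own notes on last-four SSN, DOB and Tax ID are deliberately not modelled, only the elements the quoted text lists.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Elem:
    """One stored data element and whether it is encrypted at rest."""
    value: Optional[str] = None
    encrypted: bool = False
    def present(self) -> bool:
        return bool(self.value)

@dataclass
class Record:
    first: Elem                                      # first name or first initial
    last: Elem
    ssn: Elem = field(default_factory=Elem)
    dl_number: Elem = field(default_factory=Elem)    # driver's license / California ID card number
    account: Elem = field(default_factory=Elem)      # account, credit or debit card number
    access_code: Elem = field(default_factory=Elem)  # code/password that permits access to that account

def triggering_elements(r: Record) -> List[Tuple[str, bool]]:
    """Listed elements that are present, with their encryption state; an account number only counts with its code."""
    found = []
    if r.ssn.present():
        found.append(("ssn", r.ssn.encrypted))
    if r.dl_number.present():
        found.append(("dl_number", r.dl_number.encrypted))
    if r.account.present() and r.access_code.present():
        found.append(("account", r.account.encrypted and r.access_code.encrypted))
    return found

def is_personal_information(r: Record) -> bool:
    """Name plus at least one listed element, where the name or that element is unencrypted."""
    if not (r.first.present() and r.last.present()):
        return False
    name_encrypted = r.first.encrypted and r.last.encrypted
    return any(not (name_encrypted and enc) for _, enc in triggering_elements(r))

def notification_scope(records: List[Record]) -> List[int]:
    """Indexes of breached records that fall under the 1798.29 disclosure duty."""
    return [i for i, r in enumerate(records) if is_personal_information(r)]

SAMPLE = [  # constructed sample records (not real data)
    Record(Elem("Jane"), Elem("Doe"), ssn=Elem("123-45-6789")),                        # plaintext SSN: notify
    Record(Elem("J"), Elem("Roe"), dl_number=Elem("D1234567", encrypted=True)),         # name in clear: notify
    Record(Elem("Ann", True), Elem("Lee", True), ssn=Elem("987-65-4321", True)),        # all encrypted: no duty
    Record(Elem("Bob"), Elem("Kim"), account=Elem("4111111111111111")),                # card, no code: no duty
    Record(Elem("Sam"), Elem("Ng"), account=Elem("4111222233334444"), access_code=Elem("1234")),  # notify
]
```

Running `notification_scope(SAMPLE)` yields the indexes of the three records that require notice; the fully encrypted record and the card number without an access code do not.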

  4. Secure IT 2005 – CCC 1798.29 http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29) … resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system…

  5. Secure IT 2005 – CCC 1798.29 Resident of California: Unencrypted: Most expedient time possible and without unreasonable delay: Needs of law enforcement: will impede a criminal investigation….the law enforcement agency determines that it will not compromise the investigation Any measures necessary to determine the scope of the breach: Restore the reasonable integrity:

  6. Secure IT 2005 – CCC 1798.29 (g) … "notice" may be provided by one of the following methods: • Written notice. • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code. • Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information.

  7. Secure IT 2005 – CCC 1798.29 Substitute notice shall consist of all of the following: • E-mail notice when the agency has an e-mail address for the subject persons. • Conspicuous posting of the notice on the agency's Web site. • Notification to major statewide media. (h) Notwithstanding subdivision (g), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

  8. Secure IT 2005 – CCC 1798.29 Notification of Risk to Personal Data Act http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.01350 (click on Text of Legislation) Déjà vu…California Database Notification Act…additions highlighted in pink: (7) REASONABLE NOTIFICATION PROCEDURES- … (A) ??? (B) … notice to be given … after the security program indicates that the breach of security of the system has resulted in fraud or unauthorized transactions, but does not necessarily require notice in other circumstances; and (C) are subject to examination for compliance … the Gramm-Leach Bliley Act … (b) CIVIL REMEDIES- (1) PENALTIES- Any agency, …, that violates this section shall be subject to a fine of not more than $5,000 per violation, to a maximum of $25,000 per day while such violations persist. (1,034,335,000) (2) EQUITABLE RELIEF- …. (3) OTHER RIGHTS AND REMEDIES- … (c) ENFORCEMENT- The Federal Trade Commission is authorized to enforce compliance with this section, including the assessment of fines under subsection (b)(1). SEC. 5. EFFECT ON STATE LAW.  The provisions of this Act shall supersede any inconsistent provisions of law of any State … except as provided under sections 1798.82 and 1798.29 of the California Civil Code. SEC. 6. EFFECTIVE DATE.  This Act shall take effect on the expiration of the date which is 6 months after the date of enactment of this Act.

  9. Secure IT 2005 – CCC 1798.29

  10. Secure IT 2005 – CCC 1798.29 Inquiry Statistics Incident #1: 1,084 notified, 43 inquiries, 4%

  11. Secure IT 2005 – CCC 1798.29 Inquiry Statistics Incident #2: 206,867 notified, 1,520 inquiries, .7%

  12. Secure IT 2005 – CCC 1798.29 Inquiry Statistics Incident #3: 17,000 notified, 61 inquiries, .4%

  13. Secure IT 2005 – CCC 1798.29 Inquiry Statistics • Incident #1 (1,084): Peak 1 week, Volume 3 weeks • Incident #2 (206,867): Peak 2 weeks, Volume 4 weeks • Incident #3 (17,000): Peak 1 week, Volume 4 weeks

  14. Secure IT 2005 – CCC 1798.29 Types of Responses • TransUnion credit bureau • Other bureau direct numbers • Credit questions • Outsource inquiries • Speaking engagements • FTC Lawyer • Link on web site to submit complaints • Scans news stories • Gramm-Leach-Bliley Act

  15. Secure IT 2005 – CCC 1798.29 Types of Responses…cont • Vendors • Silver bullet to prevent incident • Call back in 3-6 months • Send product email • Am I affected? • Database look up • Don't web page look up • Confirm info, do not offer • Parents calling for child

  16. Secure IT 2005 – CCC 1798.29 Types of Responses…cont • Media • Email questions • Refer to Media POC • Deceased child/spouse • Remove my data • How did you get my info? • Why did you retain? • International issues • (Non-affected users) remove my info

  17. Secure IT 2005 – CCC 1798.29 Types of Responses…cont • Incident verification • Students without identity theft/fraud • No file established, can't perform fraud alert • FTC top risk category • With identity theft/fraud • Report to local law enforcement in location where • Statistical expectation based on no. of notices • Log info, look for patterns • Provide police report • Parents in Oregon, student in California, fraud in Arizona

  18. Secure IT 2005 – CCC 1798.29 Returned Notices Incident #1: 1,084 notified, 247 returns, 23%

  19. Secure IT 2005 – CCC 1798.29 Returned Notices (chart of returned notices, x-axis 1–31, y-axis 0–900) Incident #2: 206,867 notified; 1,994 forwarding, .1%; 37,377 no forwarding, 18%

  20. Secure IT 2005 – CCC 1798.29 Returned Notices Incident #3: 17,000 notified; 190 forwarding, 1%; 5,191 no forwarding, 31%

  21. Secure IT 2005 – CCC 1798.29 Incident Preparation • Incident management: ISO/Legal Counsel/Public Relations? • Inquiry plan (in-house, out-sourced) • Inquiry training • Inquiry statistics • Web site (maximum information) • Reference links (FTC?) for identity theft/fraud • FAQ • Explanation of incident • Not linked or indexed (unless used as notification) • Inquiries web page • Expiration date • Hit statistics

  22. Secure IT 2005 – CCC 1798.29 Incident Preparation…cont. • Notice (minimal information) • References, not financial expertise • One page • Identify groups of affected individuals • Bureau contacts phone • Fraud alert numbers • 800 number for inquiries • Warn of phishing calls • Returns • Return statistics • Media POC

  23. Secure IT 2005 – CCC 1798.29 • Database look up • First, Middle, Last Name • ID# • DOB • Source of information • Retain original data source • Six month reference • Legal requirements for retention • Template letters to suspend files (copies) • Police report # and copies
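Slides 15, 17, 21 and 23 together describe the "Am I affected?" inquiry desk: a staff-side database look-up keyed on name, ID# and DOB (not a self-service web page), which confirms what the caller supplies but never offers stored data, and whose inquiries are logged for the statistics and pattern analysis shown earlier. Here is an added example of that desk (not code from the presentation or SDSU); the keyed-hash table, the `InquiryDesk` class, the outcome labels and the sample population are all assumptions.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

INQUIRY_SECRET = b"constructed-per-incident-secret"  # assumption: held by the desk, not stored with the table

def fingerprint(first: str, middle: str, last: str, id_number: str, dob: str) -> str:
    """Keyed hash of the normalized identifiers, so the lookup table holds no plaintext copy of the data."""
    norm = "|".join(" ".join(p.split()).upper() for p in (first, middle, last, id_number, dob))
    return hmac.new(INQUIRY_SECRET, norm.encode(), hashlib.sha256).hexdigest()

class InquiryDesk:
    """Staff-side 'Am I affected?' lookup: answers confirmed / not_found only and logs every inquiry."""
    def __init__(self, affected: List[Tuple[str, str, str, str, str]], notified: int):
        self._table = {fingerprint(*rec) for rec in affected}
        self.notified = notified
        self.log: List[Dict[str, object]] = []

    def is_affected(self, first: str, middle: str, last: str, id_number: str, dob: str, channel: str = "phone") -> str:
        # Confirm what the caller supplies; never fill in, suggest or echo stored fields.
        if not all(p.strip() for p in (first, last, id_number, dob)):
            outcome = "incomplete"      # ask the caller for the missing identifier instead of guessing
        elif fingerprint(first, middle, last, id_number, dob) in self._table:
            outcome = "confirmed"
        else:
            outcome = "not_found"
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "channel": channel, "outcome": outcome})
        return outcome

    def statistics(self) -> Dict[str, object]:
        """Inquiry statistics of the kind shown on the slides: volume, rate against notices sent, outcomes."""
        n = len(self.log)
        return {
            "inquiries": n,
            "inquiry_rate_pct": round(100.0 * n / self.notified, 1) if self.notified else 0.0,
            "outcomes": dict(Counter(e["outcome"] for e in self.log)),
            "channels": dict(Counter(e["channel"] for e in self.log)),
        }

AFFECTED = [("Jane", "Q", "Doe", "123456789", "1984-07-04"),   # constructed affected population (not real data)
            ("John", "", "Roe", "987654321", "1979-01-15")]

def demo() -> Dict[str, object]:
    desk = InquiryDesk(AFFECTED, notified=1084)
    desk.is_affected("jane", "q", "doe", "123456789", "1984-07-04")         # confirmed (case/whitespace normalized)
    desk.is_affected("Jane", "Q", "Doe", "123456789", "1984-07-05")         # wrong DOB: not_found, nothing disclosed
    desk.is_affected("Jane", "", "Doe", "", "1984-07-04", channel="email")  # no ID#: incomplete
    return desk.statistics()
```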

  24. Secure IT 2005 – CCC 1798.29 Berkeley http://idalert.berkeley.edu/

  25. Secure IT 2005 – CCC 1798.29 FTC Statistics: http://www.consumer.gov/idtheft/stats.html

  26. Secure IT 2005 – CCC 1798.29 Felecia’s favorite ID Theft site: http://www.ou.edu/oupd/inetmenu.htm

  27. Secure IT 2005 – CCC 1798.29 Free Credit Report Annually: https://www.annualcreditreport.com
