Secure IT 2005 - PowerPoint PPT Presentation


Secure IT 2005. Implementations of California Database Notification Act Civil Code 1798.29 (AKA SB1386) Felecia Vlahos Information Security Officer San Diego State University. Secure IT 2005 – CCC 1798.29. http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29)

Presentation Transcript

Secure IT 2005

Implementations of

California Database Notification Act

Civil Code 1798.29 (AKA SB1386)

Felecia Vlahos

Information Security Officer

San Diego State University

Secure IT 2005 – CCC 1798.29

http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29)

Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, …

Secure IT 2005 – CCC 1798.29

Personal information: individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number. (last four SSN + DOB, Tax ID)

(2) Driver's license number or California Identification Card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account (ACH).

Breach of the security of the system... Reasonably believed to have been: unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.
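The definition above is the test an incident responder applies to every record in an exposed dataset to decide whether notice is owed. The following is an added example, not code from the presentation or from San Diego State University: a scoping check that applies the three enumerated data elements and the encryption condition (a record falls outside the definition only when both the name and every present element are encrypted). The record schema, the field names and the sample rows are assumptions constructed for the example.

```python
"""Added example: scoping a breached dataset against the CCC 1798.29
definition of "personal information". Schema and sample data are constructed
for this example and are not from the presentation."""

from dataclasses import dataclass, field
from typing import Optional

# Data elements enumerated in the statute (constructed field names).
ENUMERATED_ELEMENTS = {"ssn", "drivers_license", "ca_id_card", "financial_account"}


@dataclass
class BreachedRecord:
    """One row of the exposed dataset (constructed schema)."""
    first_name: Optional[str]          # full first name or first initial
    last_name: Optional[str]
    elements: dict = field(default_factory=dict)         # element name -> value
    encrypted_fields: set = field(default_factory=set)   # fields stored encrypted
    # Element (3) only counts when the account number is paired with a code
    # that would permit access (security code, access code or password).
    has_account_access_code: bool = False


def present_elements(rec: BreachedRecord) -> set:
    """Enumerated data elements actually present in the record."""
    found = set()
    for name, value in rec.elements.items():
        if name not in ENUMERATED_ELEMENTS or not value:
            continue
        if name == "financial_account" and not rec.has_account_access_code:
            continue  # account number alone does not meet element (3)
        found.add(name)
    return found


def is_personal_information(rec: BreachedRecord) -> bool:
    """True when the record meets the statutory definition."""
    if not rec.first_name or not rec.last_name:
        return False
    elements = present_elements(rec)
    if not elements:
        return False
    name_encrypted = {"first_name", "last_name"} <= rec.encrypted_fields
    elements_encrypted = elements <= rec.encrypted_fields
    # "when either the name or the data elements are not encrypted":
    # only a fully encrypted name AND fully encrypted elements are out of scope.
    return not (name_encrypted and elements_encrypted)


def notification_scope(records) -> dict:
    """Count records that trigger notice and which elements drove each one."""
    triggered = 0
    by_element = {}
    for rec in records:
        if is_personal_information(rec):
            triggered += 1
            for e in present_elements(rec):
                by_element[e] = by_element.get(e, 0) + 1
    return {"records": len(records), "triggered": triggered, "by_element": by_element}


# Constructed sample dataset (values are placeholders, not real identifiers).
SAMPLE_RECORDS = [
    BreachedRecord("A.", "Student", {"ssn": "000-00-0000"}),                     # first initial + SSN: in scope
    BreachedRecord("Pat", "Alum", {"financial_account": "12345"}),              # account, no access code: out
    BreachedRecord("Lee", "Staff", {"financial_account": "12345"},
                   has_account_access_code=True),                               # account + code: in scope
    BreachedRecord("Kim", "Faculty", {"ssn": "000-00-0001"},
                   encrypted_fields={"first_name", "last_name", "ssn"}),        # all encrypted: out
    BreachedRecord("Sam", "Donor", {"drivers_license": "X0000000"},
                   encrypted_fields={"drivers_license"}),                       # name in clear: in scope
    BreachedRecord(None, "Unknown", {"ssn": "000-00-0002"}),                    # no first name: out
]

if __name__ == "__main__":
    print(notification_scope(SAMPLE_RECORDS))
```

On the constructed sample the check reports 3 of 6 records in scope; the two "out" cases that most often surprise responders are the account number with no access code and the row where the name and the element are both encrypted. The presenter's parenthetical additions on the slide (last four SSN + DOB, Tax ID) are not modelled here.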

Secure IT 2005 – CCC 1798.29

http://www.leginfo.ca.gov/calaw.html (check civil code box, type 1798.29)

… resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system…

Secure IT 2005 – CCC 1798.29

Resident of California:

Unencrypted:

Most expedient time possible and without unreasonable delay:

Needs of law enforcement: will impede a criminal investigation… the law enforcement agency determines that it will not compromise the investigation

Any measures necessary to determine the scope of the breach:

Restore the reasonable integrity:

Secure IT 2005 – CCC 1798.29

(g) … "notice" may be provided by one of the following methods:

  • Written notice.
  • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
  • Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information.
Secure IT 2005 – CCC 1798.29

Substitute notice shall consist of all of the following:

  • E-mail notice when the agency has an e-mail address for the subject persons.
  • Conspicuous posting of the notice on the agency's Web site
  • Notification to major statewide media.

(h) Notwithstanding subdivision (g), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Secure IT 2005 – CCC 1798.29

Notification of Risk to Personal Data Act

http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.01350

(click on Text of Legislation)

Déjà vu…California Database Notification Act…additions highlighted in pink:

(7) REASONABLE NOTIFICATION PROCEDURES- …

(A) ???

(B) … notice to be given … after the security program indicates that the breach of security of the system has resulted in fraud or unauthorized transactions, but does not necessarily require notice in other circumstances; and

(C) are subject to examination for compliance … the Gramm-Leach Bliley Act …

(b) CIVIL REMEDIES-

(1) PENALTIES- Any agency, …, that violates this section shall be subject to a fine of not more than $5,000 per violation, to a maximum of $25,000 per day while such violations persist. (1,034,335,000)

(2) EQUITABLE RELIEF- ….

(3) OTHER RIGHTS AND REMEDIES- …

(c) ENFORCEMENT- The Federal Trade Commission is authorized to enforce compliance with this section, including the assessment of fines under subsection (b)(1).

SEC. 5. EFFECT ON STATE LAW.

 The provisions of this Act shall supersede any inconsistent provisions of law of any State … except as provided under sections 1798.82 and 1798.29 of the California Civil Code.

SEC. 6. EFFECTIVE DATE.

 This Act shall take effect on the expiration of the date which is 6 months after the date of enactment of this Act.

Secure IT 2005 – CCC 1798.29 Inquiry Statistics

Incident #1, 1084 notified, 43 inquiries, 4%

Secure IT 2005 – CCC 1798.29 Inquiry Statistics

Incident #2, 206,867 notified, 1520 inquiries, .7%

Secure IT 2005 – CCC 1798.29 Inquiry Statistics

Incident #3, 17,000 notified, 61 inquiries, .4%

Secure IT 2005 – CCC 1798.29 Inquiry Statistics

  • Incident #1 (1084)
    • Peak 1 week
    • Volume 3 weeks
  • Incident #2 (206,867)
    • Peak 2 weeks
    • Volume 4 weeks
  • Incident #3 (17,000)
    • Peak 1 week
    • Volume 4 weeks

Secure IT 2005 – CCC 1798.29 Types of Responses
  • TransUnion credit bureau
    • Other bureau direct numbers
    • Credit questions
    • Outsource inquiries
    • Speaking engagements
  • FTC Lawyer
    • Link on web site to submit complaints
    • Scans news stories
    • Gramm-Leach-Bliley Act
Secure IT 2005 – CCC 1798.29 Types of Responses…cont
  • Vendors
    • Silver bullet to prevent incident
    • Call back in 3-6 months
    • Send product email
  • Am I affected?
    • Database look up
    • No web page look up
    • Confirm info, do not offer
  • Parents calling for child
Secure IT 2005 – CCC 1798.29 Types of Responses…cont
  • Media
    • Email questions
    • Refer to Media POC
  • Deceased child/spouse
  • Remove my data
  • How did you get my info?
  • Why did you retain?
  • International issues
  • (Non-affected users) remove my info
Secure IT 2005 – CCC 1798.29 Types of Responses…cont
  • Incident verification
  • Students without identity theft/fraud
    • No file established, can’t perform fraud alert
    • FTC top risk category
  • With identity theft/fraud
    • Report to local law enforcement in location where
    • Statistical expectation based on no. of notices
    • Log info, look for patterns
    • Provide police report
    • Parents in Oregon, student in California, fraud in Arizona
Secure IT 2005 – CCC 1798.29 Returned Notices

Incident #1, 1084 notified, 247 returns, 23%

[Chart: Returned Notices, Incident #1 (y-axis 0–900, x-axis 1–31)]

Secure IT 2005 – CCC 1798.29 Returned Notices

Incident #2; 206,867 notified; 1994 forwarding; .1%

37,377 no forwarding, 18%

Secure IT 2005 – CCC 1798.29 Returned Notices

Incident #3; 17,000 notified; 190 forwarding; 1%

5191 no forwarding, 31%

Secure IT 2005 – CCC 1798.29 Incident Preparation

  • Incident management
    • ISO/Legal Counsel/Public Relations?
    • Inquiry plan (in-house, out-sourced)
    • Inquiry training
    • Inquiry statistics
  • Web site (maximum information)
    • Reference links (FTC?) for identity theft/fraud
    • FAQ
    • Explanation of incident
    • Not linked or indexed (unless used as notification)
    • Inquiries web page
    • Expiration date
    • Hit statistics
Secure IT 2005 – CCC 1798.29 Incident Preparation…cont.
  • Notice (minimal information)
    • References, not financial expertise
    • One page
    • Identify groups of affected individuals
    • Bureau contacts phone
    • Fraud alert numbers
    • 800 number for inquiries
    • Warn of phishing calls
    • Returns
    • Return statistics
  • Media POC
Secure IT 2005 – CCC 1798.29
  • Database look up
    • First, Middle, Last Name
    • ID#
    • DOB
    • Source of information
  • Retain original data source
    • Six month reference
    • Legal requirements for retention
  • Template letters to suspend files (copies)
  • Police report # and copies
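The "Am I affected?" slides and the look-up fields listed above describe an inquiry desk that checks the caller against the incident database (no public web page), confirms only what the caller supplies rather than reading data back, and logs inquiries so patterns can be spotted. The following is an added example of that desk logic, not code from the presentation or from San Diego State University; the extract schema, the all-fields-must-match rule, the log key placeholder and the sample rows are assumptions constructed for the example.

```python
"""Added example: inquiry-desk look up for a breach notification incident.
Confirms or denies only; never returns stored data. Schema, matching rule and
sample rows are constructed for this example."""

from datetime import datetime, timezone
import hashlib
import hmac

# Constructed affected-population extract keyed by the fields the slides
# list for look up: First, Middle, Last Name, ID#, DOB, Source of information.
AFFECTED = [
    {"first": "Pat", "middle": "J", "last": "Student", "id": "900000001",
     "dob": "1986-04-12", "source": "registrar-extract (constructed)"},
    {"first": "Lee", "middle": "", "last": "Staff", "id": "900000002",
     "dob": "1970-11-30", "source": "payroll-extract (constructed)"},
]

INQUIRY_LOG = []  # one entry per call; holds no DOB or ID#, only a pseudonym

# Placeholder key for the example; a real desk would keep this in a secret store.
LOG_KEY = b"LOG_KEY_PLACEHOLDER"


def _norm(s):
    """Case- and whitespace-insensitive comparison form for names."""
    return " ".join((s or "").strip().lower().split())


def _pseudonym(first, last, id_number):
    """Keyed hash so repeat callers correlate in the log without storing the ID#."""
    material = f"{_norm(first)}|{_norm(last)}|{(id_number or '').strip()}"
    return hmac.new(LOG_KEY, material.encode(), hashlib.sha256).hexdigest()[:12]


def lookup(first, last, id_number, dob, channel="phone"):
    """Return 'affected', 'not affected' or 'insufficient information'.

    All four identifiers must match one row. A partial match is not confirmed,
    because answering on name alone would let a caller probe whether someone
    else is in the file. Nothing from the row is returned to the caller.
    """
    if not all([first, last, id_number, dob]):
        outcome = "insufficient information"
    else:
        outcome = "not affected"
        for row in AFFECTED:
            if (_norm(row["first"]) == _norm(first)
                    and _norm(row["last"]) == _norm(last)
                    and row["id"] == id_number.strip()
                    and row["dob"] == dob.strip()):
                outcome = "affected"
                break
    INQUIRY_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "channel": channel,
        "caller": _pseudonym(first, last, id_number),
        "outcome": outcome,
    })
    return outcome


def repeat_inquiries(min_count=2):
    """Pseudonyms seen at least min_count times: the 'log info, look for
    patterns' step, useful for spotting probing or a caller reporting fraud
    after an earlier 'not affected' answer."""
    counts = {}
    for entry in INQUIRY_LOG:
        counts[entry["caller"]] = counts.get(entry["caller"], 0) + 1
    return {c: n for c, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print(lookup("Pat", "Student", "900000001", "1986-04-12"))   # affected
    print(lookup("Pat", "Student", "900000001", "1999-01-01"))   # not affected
    print(lookup("Lee", "Staff", "", ""))                        # insufficient information
    print(repeat_inquiries())
```

The desk operator types what the caller states and reads back only the outcome word; the "Confirm info, do not offer" rule on the slide is enforced by the function signature, which has no path that returns a stored field. The pseudonymised log keeps the inquiry statistics and pattern search possible after the six-month retention window without carrying the identifiers themselves.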
Secure IT 2005 – CCC 1798.29

Berkeley http://idalert.berkeley.edu/

Secure IT 2005 – CCC 1798.29

FTC Statistics: http://www.consumer.gov/idtheft/stats.html

Secure IT 2005 – CCC 1798.29

Felecia’s favorite ID Theft site: http://www.ou.edu/oupd/inetmenu.htm

Secure IT 2005 – CCC 1798.29

Free Credit Report Annually: https://www.annualcreditreport.com