1 / 25

Getting Legal: Building the ISO/Legal Counsel Relationship through GLB

Getting Legal: Building the ISO/Legal Counsel Relationship through GLB. Dr. Dan Manson Cal Poly Pomona dmanson@csupomona.edu. Topics. Background on Legal Counsel in CSU First Contact Notice of Breach of Security Information Security Program (GLB) Incident Response Team New Laws

ting
Download Presentation

Getting Legal: Building the ISO/Legal Counsel Relationship through GLB

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Getting Legal: Building the ISO/Legal Counsel Relationship through GLB Dr. Dan Manson Cal Poly Pomona dmanson@csupomona.edu

  2. Topics • Background on Legal Counsel in CSU • First Contact • Notice of Breach of Security • Information Security Program (GLB) • Incident Response Team • New Laws • Conclusion

  3. Why the ISO Needs a Relationship With Legal • “A strategy focused on relationships with processes geared to encounters is doomed to end in poor results and low customer satisfaction.” Robert F. Nolan Management Consultants, based on Barbara Gutek’s “The Brave New Service Strategy”, AMACOM, 2000.

  4. Acknowledgment • My sincere thanks for the professional advice and support provided from Cal Poly Pomona’s legal counsel, Marlene Jones

  5. Background • 23 campuses in Cal State University System • 21 legal counsels in Cal State system • 5 based on campus, remainder at Chancellor’s Office

  6. First Contact – June 19th • Received e-mail from legal counsel • Asked whether we drafted information security program to comply with applicable state and federal laws

  7. Breach of Security and Notice Timeline • Discovered July 30 • Eight e-mails plus several phone calls between July 30 and August 1 • Notification letter completed August 1

  8. Notice of Breach On July 30, 2003, the University discovered that lists of names and social security numbers of students in seven class sections were stored in files accessible without proper authorization. Although there was no evidence that any personal data was retrieved from the files, the University took immediate steps to restrict the files and provide the requisite notice under civil code section 1798.29 of the Information Practices Act. We have no reason to believe that your information has been misused; however, we are bringing this event to your attention with the suggestion that you be on the lookout for any possible misuse of your personal information.

  9. The Financial Modernization Act of 1999 (GLB) • Institutions that comply with the Family Educational Rights and Privacy Act (FERPA) are exempted from parts of federal privacy rules that were established for financial institutions under the Gramm-Leach-Bliley Act (GLB). • The FTC is taking the position that its safeguarding rules DO apply to institutions of higher education, affecting student loan records in particular and possibly others. http://www.nacubo.org/documents/business_topics/COHEAO_notes.doc

  10. Information Security Program • First draft July 8th • Many E-mails and several face-to-face meetings over next 3 months • Draft Information Security Program presented to Cabinet September 11th • Memo sent to campus President October 9th • Academic Senate questions raised and addressed

  11. GLB Safeguarding Requirements • GLB mandates that the University appoint an information security coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to Covered Data and Information, oversee service providers and contracts, and evaluate and adjust the Program periodically. Source:http://www.csupomona.edu/~dsa/satechs/docs/Information_Security_Prog.doc

  12. Information Security Program Preamble “This Information Security Program (Program) was prepared by the Instructional and Information Technology Division (I&IT) in order to protect sensitive information and data, and to comply with Federal Law. This Program will affect I&IT, as well as other areas of the University, including, but not limited to, Academic Affairs, Administrative Affairs, President’s Office, University Advancement, Extended University, and Student Affairs and will also affect non-state entities operating on campus, such as CSU approved auxiliaries. The goal of the Program is to protect sensitive information and data and to assure compliance with applicable law related to information security.” Source:http://www.csupomona.edu/~dsa/satechs/docs/Information_Security_Prog.doc

  13. Incident Response Team • Campus IRT started in July • Team asked for meeting with legal counsel • Legal counsel asked for list of questions

  14. Partial List of Questions and Answers • At what point do we bring in legal counsel to the IRT process? When you need assistance to determine if the notice requirements of Civil Code 1798.29 contained in are triggered or if you believe that the there has been an intentional violation of the Information Practices Act.

  15. Civil Code 1798.29 Section (a) • “Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

  16. Partial List of Questions and Answers • What procedures would you (as legal counsel) like to see the IRT follow? Notification under CC 1798.29 must be prompt and records should be kept to verify that the statutorily required notice was provided.

  17. Partial List of Questions and Answers • When do we take incidents to legal versus public safety? If you have evidence of a crime or violation of the Information Practices Act by a third party, you should report it to the campus police after providing notice as required by the Act. If you have concerns that a University student or employee has violated the Act, you should contact the appropriate administrator who may consult with the University Counsel.

  18. New Laws • California Civil Code § 1798.85 (signed Oct. 12, 2003) • Senate Bill 1279 (in progress)

  19. California Civil Code § 1798.85 • Effective Date • January 1, 2004, unless otherwise indicated below. • Prohibitions • Under the law, the following actions are prohibited: • Publicly post or publicly display in any manner an individual’s SSN. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public. • Print an individual’s SSN on any card required for the individual to access products or services provided by the person or entity. • Require an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted. Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

  20. California Civil Code § 1798.85 • Require an individual to use his or her SSN to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site. (Effective January 1, 2005) • Print an individual’s SSN on any materials that are mailed to the individual, unless state or federal law requires the SSN to be on the document to be mailed. Notwithstanding this paragraph, SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN. An SSN that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened. (Effective January 1, 2005) Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

  21. California Civil Code § 1798.85 • Encode or embed the SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the SSN as an effort to comply with these new provisions • Allowable Uses of the SSN • As a Requirement of Law or for Administrative Purposes: Social Security numbers may be collected, used, or released as required by state or federal law, or used for internal verification or administrative purposes. Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

  22. California Civil Code § 1798.85 • Grandfather Clause: If a state or local agency used an individual’s SSN in the manner prohibited above prior to January 1, 2004, it is allowed to continue to use that individual’s SSN in the same manner on or after January 1, 2004, if all of the following conditions are met: • The use of the SSN is continuous. If the use is stopped for any reason, the prohibitions apply. • The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her SSN in a manner prohibited under the law. • A written request by an individual to stop the use of his or her SSN in the manner prohibited by the law is implemented within thirty days of the receipt of the request. • There may not be a fee or charge for implementing the request. • The person or entity does not deny services to an individual because the individual makes a written request to stop the use of his or her SSN. • This grandfather clause concerns the use of an individual’s SSN and not the practice of using SSNs in general. Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

  23. California Civil Code § 1798.85 • Guidance about Truncating the SSN • The law does not prohibit printing a truncated SSN on a document to be mailed to the individual. • If an SSN is truncated, however, only the last four digits should be displayed, e.g., XXX-XX-1234 Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

  24. Senate Bill 1279 (in progress) • SB 1279 seeks to widen the definition of breachable data to include all data, rather than only computerized data. Under SB 1279, any personal data maintained on voice systems or on paper would be covered by the same provisions that currently apply only to computerized data. • The bill would also require companies that suffer a security breach involving personal information to provide two years of credit-monitoring services, without charge, to each affected individual. Source: http://www.computerworld.com/securitytopics/security/story/0,10801,91309,00.html

  25. Conclusions • Planning needed to handle crisis • Preventive law like preventative medicine • ISO’s need to understand legal issues • ISO’s need a working relationship with legal counsel • Need ISO/CIO/Legal relationship

More Related