1. Introduction
2. General
2.1. Roles and Responsibilities
2.2. References
3. Security Breach Assessment Procedure
3.1. Incident Awareness
3.2. Personal Information Data Store Inventory
3.3. Incident Assessment
4. Security Breach Reporting Procedure
5. Post Incident Activities
5.1. Post Incident Review
5.1.1. Lessons Learned Assessment
5.1.2. Policy Changes Based on Lessons Learned
5.1.3. Post Incident Report and Archive of Documentation
5.2. Post Incident Notification
6. APPENDIX I: Sensitive Data Store Inventory Information Submission Form
7. APPENDIX II: Incident Assessment Questionnaire
8. APPENDIX III: Factors for Notification
1. Introduction
California legislation SB 1386, signed into law in September 2002, requires all institutions and organizations that collect certain personal information to protect it against possible "identity theft." In addition, if an incident occurs that involves the compromise of personal information, the individuals whose personal information may have been compromised must be notified; and, the designated campus authority must notify the Office of the President. IS-3 subsection IV.D describes the requirements that must be met in order to be compliant with law and UC policy. Required protections and notification procedures are to be in place by July 1, 2003.
California legislation AB 1298, signed into law in October, 2007, added medical information and health insurance information to the definition of personal information. This guideline describes how the requirements shall be met.
2. General
This guideline covers instances of unauthorized access to personal data as well as unauthorized or improper distribution of personal data. In this context, unauthorized or improper use means any distribution of personal data, outside the scope of the university, that was obtained by authorized access.
For the purpose of this guideline, personal information is defined to mean:
- First name OR first initial and last name in combination with one or more of the following:
- Social security number,
- Or driver's license number,
- Or California identification number,
- Or financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account,
- Or medical information,
- Or health insurance information.
The relevant California requirement defines medical information to mean any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and health insurance information to mean an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
For the purpose of this guideline, in the case of any unauthorized intrusion into a server that stores personal information, it can be presumed that the personal information stored there was not acquired if reasonable technical evaluation and best practices lead to the conclusion that the information was not acquired. Refer to Appendix III, UCOP Factors for Notification, for guidance in determining data acquisition (a URL link will replace the appendix when one becomes available). In this context, an intrusion is defined to be an unauthorized access to personal data by a person(s) wherein the possibility of general data capture or transfer to a destination outside the intended scope of the university exists.
2.1. Roles and Responsibilities
Campus Sensitive Data Incident Coordinator: The position of campus sensitive data incident coordinator is appointed by the chancellor for a duration defined by the chancellor. The associate vice president for Information Resources and Communications at UCOP shall be made aware of the sensitive data incident coordinator's name and contact information. The sensitive data incident coordinator is responsible for ensuring that the Personal Information Data Store Inventory is updated with the information provided by personal information data store proprietors.
The following are responsibilities of the sensitive data incident coordinator:
- coordinate assessment and communication efforts in the case of an incident,
- ensure the maintenance of the Sensitive Data Incident tracking database,
- ensure that post incident evaluations are conducted and documented,
- support policy modifications resulting from Sensitive Data incidents,
- and ensure the maintenance of the Sensitive Data Incident documentation repository.
Currently, Doug Drury, Manager, Information Systems Office, IS&C (email: data-inventory@ucsb.edu; phone: 893-5036) serves as the UCSB Campus Sensitive Data Incident Coordinator.
Personal Information Data Store Proprietor: A personal information data store proprietor is the department director or senior manager who is the functional owner of the application that is the primary source of the personal information. It is the responsibility of the data store proprietor to ensure that the inventory of personal information data stores is kept current for the data stores for which the proprietor is responsible. The responsibility of keeping the inventory current may be accomplished by an organization or individual other than the proprietor upon mutual agreement between the proprietor and the other organization.
Personal Information Data Store Custodian: A personal information data store custodian is an individual or organization that is responsible for providing technical or system administration support for the data store. It is the responsibility of the personal information data store custodian to ensure that the implementation and administration of the personal information data store conforms to IS-3 requirements, as a minimum, and to campus and industry best practices for system security where appropriate.
2.2. References
The basis for this document is the set of requirements defined by IS-3 in general and the specific requirements contained in IS-3 subsection IV.D entitled "Notification in Instances of Security Breaches Involving Personal Information Data." IS-3 may be reviewed at http://www.ucop.edu/ucophome/policies/bfb/is3.pdf.
3. Security Breach Assessment Procedure
This guideline assumes that system security measures regarding network, firewall, intrusion detection, user accounts, and file security are in place and are in compliance with the other requirements of IS-3.
3.1. Incident Awareness
The campus may become aware of security breaches related to personal information by detection on campus via such methods as system audits, intrusion detection, and network analysis, among others. The campus may also become aware of a potential security breach by means of an individual(s) reporting a suspected incident. In the case of an individual reporting a suspected security breach, the actions specified in this guideline will not be initiated unless the report can be corroborated using accepted system and/or network monitoring methods.
3.2. Personal Information Data Store Inventory
By definition, an incident must involve one of the Personal Information Data Stores maintained on campus. An inventory of all data stores that contain personal information as described by IS-3 shall be maintained. It shall be the responsibility of the personal information data store proprietor to ensure that the applicable data stores are included in the inventory.
This inventory shall include:
- the name of the data store,
- the type of data store (e.g. Adabas file, SQL Server database, Sybase database, flat file, etc.),
- the name of the server on which the data store is maintained,
- the name, department, and contact information of the personal information data store proprietor,
- the name and contact information of the personal information data store custodian,
- acceptable levels and methods of data store security,
- all applications that interact with the data store,
- and the types of users who use the applications (e.g. students, faculty, staff).
Since the Personal Information Data Store Inventory is itself sensitive information, access to read or update the inventory and the data stored there shall be controlled. Appendix I contains an inventory information submission form.
3.3. Incident Assessment
For the purpose of this guideline, if a system that houses a data store that contains personal information is accessed by unauthorized means, it can be presumed that the personal information stored there has not been compromised if reasonable technical evaluation and best practices lead to the conclusion that the data store was not compromised. Once the organization becomes aware of a potential compromise, the following incident assessment process shall be used to a) determine if an incident actually occurred, b) assess the method of incursion, and c) assess the scope of the incident. The assessment should be completed in the most expedient timeframe possible.
- It is likely that the evaluation required to determine whether the personal information was acquired will be different for each incident. However, evaluation should include as a minimum:
- review of system logs,
- evaluation of the type, and typical intent, of the system intrusion,
- any explicit evidence supporting or refuting the concept that the data was accessed,
- and any additional evaluation of network traffic or system state that may help support a conclusion.
Refer to Appendix III for additional guidance on how to determine if data were acquired.
- If reasonable technical evaluation leads to the conclusion that the data store was compromised, document the method by which this conclusion was reached.
- Contact the campus Sensitive Data Incident Coordinator and notify him/her that a potential incident has been detected.
- Disconnect the system from all networks. In the case of servers that house multiple applications, it may be appropriate to only isolate the impacted application. Follow established procedures for notifying system users to expect down-time without disclosing the possibility of a sensitive data incident.
- Disable all non-administrative logins to the system.
- Change passwords to all administrative logins to the system.
- Notify campus network support personnel that all logs relative to the server should be saved.
- Document the means by which the unauthorized system access was detected and confirmed. If possible, this should include the network address from which the access was initiated and the means by which system access was gained (e.g. user id/password used, network port/application compromised, etc.).
- Execute a full backup of the entire system.
- If possible, determine the date and time the compromise began and the date and time that the compromise ended.
- Determine and document the type of individuals stored in the data store (e.g. students, faculty, staff, non-campus related, etc.).
- Determine if the data store contains, or has an associated source of, contact information for all individuals whose personal information is stored. Contact information may consist of current telephone number, current address, or current email address.
- If current contact information exists, document the name of the associated data store, and obtain a listing of contact information for all individuals whose data is contained in the compromised data store. The listing shall relate the name of the individual with the contact information.
- If current contact information does not exist, or if contact information for only a subset of the individuals exists, obtain a list of names of individuals for whom current contact information does not exist.
- Contact the campus Sensitive Data Incident Coordinator and provide copies of all documentation listed above and any other clarifying information that may be relevant to the incident.
- System operational capability may be restored as soon as either it is confirmed that a breach did not take place, or as soon as law enforcement and/or appropriate campus authorities (e.g. vice chancellor) provide direction.
Appendix II contains an incident assessment questionnaire that may be used to help document the assessment.
4. Security Breach Reporting Procedure
Communication with individuals whose identities may have been compromised is a requirement of California state law. The most appropriate method of communicating an incident to affected individuals may vary depending on specifics of the compromise incident. Once the campus Sensitive Data Incident Coordinator has been notified of a potential incident, the campus police shall be notified and provided with the contact information of the individual(s) conducting the incident assessment. If unauthorized access to personal information is confirmed, the campus Sensitive Data Incident Coordinator shall follow the procedure below for reporting the incident. The reporting procedure should be completed in the most expedient timeframe possible after the scope of the breach has been defined and the integrity of the system is restored.
- Notify the campus police the incident has been confirmed and provide them with the contact person conducting the incident assessment.
- Create an entry in the Personal Information Incident tracking database.
- Notify, in writing, the Associate Vice President for Information Resources and Communications at UCOP that an incident has been confirmed.
- The following individuals shall evaluate the result of the incident assessment:
- the individual(s) who conducted or supported the assessment,
- the campus Sensitive Data Incident Coordinator,
- the Assistant Vice Chancellor of Public Affairs,
- the campus Chief of Police,
- other law enforcement officials deemed necessary by the campus Chief of Police,
- the Vice Chancellor within whose directorate the compromised system resides,
- the Vice Chancellor within whose directorate functional ownership of the data resides,
- the Vice Chancellor within whose directorate primary technical support of the data resides.
- Upon completion of the evaluation, the above individuals in conjunction with campus counsel, if necessary, shall determine the best method of communicating the incident to the appropriate individuals whose personal information was compromised. Appropriate communication approaches shall be followed in order to comply with law. California state law regarding appropriate communication approaches may be reviewed at http://www.leginfo.ca.gov/calaw.html. Select Civil Code, and view section 1798.29.
- The communication content shall be developed, reviewed, and approved.
- Minutes of this/these meetings shall be kept.
- With the concurrence of the appropriate law enforcement representatives (to ensure that the investigation is not impeded or compromised) and the appropriate vice chancellor(s), communication of the incident to affected individuals, using the communication approach deemed appropriate, shall commence.
5. Post Incident Activities
Post incident evaluation and documentation is key to learning lessons from an incident and ensuring long-term resolution of problems. At the conclusion of each incident, a Post Incident Review will be conducted to evaluate lessons learned, initiate any necessary changes in practices or policy, and collect and archive all documentation related to the incident. In addition, communication with UCOP will take place in accordance with IS-3 subsection IV.D.
5.1. Post Incident Review
The Sensitive Data Incident Coordinator is responsible for coordinating the Post Incident Review. The post incident review should be conducted after all necessary incident communication has taken place and after sufficient time has elapsed after the incident such that the effectiveness of the communication can be evaluated. The same individuals involved in the security breach assessment process (section 4) should be involved in the post incident review. The following topics should be included in the post incident review.
5.1.1. Lessons Learned Assessment
As a minimum, the following should be evaluated and documented.
- The process by which the incident was handled to determine if any process changes are required to make the process more efficient or effective.
- The security measures that were in place around the compromised data store to determine if security approaches should be changed.
- The result of communication to impacted individuals to determine the effectiveness of the communication.
Lessons learned should be communicated to the campus through means such as
- a detailed presentation to the Information Technology Planning Group (ITPG) that includes details regarding the incident and steps taken to address the incident,
- email to the D-List, CSF, and ACCF that provides an overview of the incident and steps taken to address the issue,
- presentation to the Information Technology Board (ITB) that includes an overview of the incident, an overview of steps taken to address the issue, description of archived incident documentation, and suggested policy changes.
5.1.2. Policy Changes Based on Lessons Learned
Based on the Lessons Learned Assessment, any changes in department or campus practices or policy should be initiated by the proprietor, or the custodian, or the campus Sensitive Data Incident Coordinator in conjunction with the campus Policy Coordinator.
5.1.3. Post Incident Report and Archive of Documentation
At the conclusion of the post incident review, an incident closure report will be developed by the Sensitive Data Incident Coordinator and will include a description of the incident, the response process used, the notification process used, actions taken to prevent further incidents, and, if appropriate, a statement from campus counsel stating that the incident was handled in a manner consistent with IS-3 and applicable law. All documentation associated with the incident, including incident assessment documentation and communication to impacted individuals, campus officials, off-campus officials and organizations, and UC officials, should be retained in the Sensitive Data Incident documentation repository and should be cross-referenced to the Sensitive Data Incident tracking database. The records shall be retained and accessible in a manner consistent with the UC Records Management Program principles and schedules.
5.2. Post Incident Notification
The Post Incident Report shall be provided to all participants in the post incident review process, and to the Associate Vice President for Information Resources and Communications at UCOP in accordance with IS-3 subsection IV.D.
6. APPENDIX I: Sensitive Data Store Inventory Information Submission Form
The Proprietor or the Custodian of the Personal Information data store may complete this Personal Information Data Store Inventory questionnaire. Please clearly mark the proper selections and submit the completed form to the UCSB Campus Sensitive Data Incident Coordinator (Doug Drury, IS&C; email: data-inventory@ucsb.edu).
- Select the data elements stored in your data store (select all elements that apply).
___ Person Name (First Name or First Initial, Last Name)
___ Social Security Number
___ California Identification or Driver's License Number
___ Financial Account Number, Debit, or Credit Card Number in combination with access code or password that would permit access to account
___ Medical Information
___ Health Insurance Information
- Select the type of individual for whom data is stored in this data store (select all that apply).
___ Academic Employees
___ Staff
___ Student
___ Other (specify)
- Select the data management tool used to store the data.
___ Adabas
___ Microsoft Access
___ Microsoft Excel
___ Microsoft SQL Server
___ Sybase
___ Oracle
___ FileMaker
___ 4D
___ Other (specify)
- Provide the host name of the server where the data are stored.
- Provide the name of the application used to access the data.
- Select the operating system on which the data management tool storing the data runs.
___ MVS
___ Microsoft Windows based operating system (specify version)
___ Apple Macintosh operating system (specify version)
___ Unix or Unix variant (specify vendor version)
___ Other (specify)
- Select the operating system on which the application accessing data runs (select all that are appropriate for your use of the application).
___ MVS
___ Microsoft Windows based operating system (specify version)
___ Apple Macintosh operating system (specify version)
___ Unix or Unix variant (specify vendor version)
___ Other (specify)
- Provide the name, phone number, and email address of the Proprietor of this data/application. The Proprietor is the person who functionally owns the data/application (e.g. Accounting is the Proprietor of the General Ledger).
- Provide the name, phone number, and email address of the Custodian of this data/application. The Custodian is the person who provides technical support/oversight for the data/application (e.g. IS&C is the Custodian of the General Ledger).
- Provide a description of all the security methods used to protect the data (e.g. firewall, encryption, passwords, off-line storage, intrusion detection software, activity logging, etc.).
7. APPENDIX II: Incident Assessment Questionnaire
Completion of this questionnaire will assist in accumulating and cataloging information helpful in the assessment of a potential personal information data incident. Presentation of the data collected on this form will be required during the formal incident assessment process.
- When was the potential incident detected (date, time)?
- How and by whom was the potential incident detected?
- Can it be shown, through the use of system logs or other means, that the intrusion did not penetrate to the level of access required to obtain sensitive data?
- If so, make a copy of the system log and retain the copy for long term future reference.
- If not, proceed.
- Document the following system isolation steps:
- What steps were taken to isolate the system from further intrusion? (include the date and time that the system was isolated.)
- When/how were all non-administrative logins disabled?
- Were the administrative passwords changed?
- When was the post-incident system backup created (one should be created as soon after discovery as possible)? Where is it stored?
- Could the method of intrusion be determined, and was it fully documented?
- Could the start date/time and end date/time of the intrusion be detected, and was it fully documented?
- Document the UCSB role (faculty, staff, student, other) served by individuals for whom data security was breached.
- Does the breached data store contain current contact information?
- If yes, what are the business practices that lead you to believe that the contact information is consistently current?
- If yes, are the contact data current for all individuals and are the contact data fields populated for all individuals?
- If no, are the individuals still affiliated with the university?
- See paragraph 3.3 for instructions regarding required data lists. Comply with those requests to the fullest extent possible.
8. APPENDIX III: Factors for Notification
Threshold for Security Breach Notification
Background
California law requires notification to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as the result of a security breach. No criteria for reasonable belief are provided in the statute. The University of California Business and Finance Bulletin IS-3 Electronic Information Resources Section IV.D identifies requirements for University of California compliance with this statute. Section IV.A, which addresses data sensitivity, requires that campuses implement procedures to provide physical and logical security of this information.
Deciding Whether or Not to Notify
Campuses should consider the factors listed below in making a determination to notify for any security incidents subject to this regulation.
The Office of Privacy Protection in the California Department of Consumer Affairs recommends that the following factors be considered when making a determination to notify.
Acquisition
In determining whether unencrypted notice-triggering information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person, consider the following factors, among others:
- Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information.
- Indications that the information has been downloaded or copied, for example: an ftp log that contains the name of a file containing notice triggering information.
- Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
The University of California recommends consideration of these additional factors:
- Duration of exposure.
- Indications that any download or copy activity has occurred, even if there is no specific evidence that there was a download or copy of data subject to the law.
- The extent to which the compromise indicates a directed attack, such as a pattern showing the machine itself was specifically targeted.
- Indication that the attack intended to seek and collect personal information.
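The "downloaded or copied" indicator above (an ftp log naming a file that holds notice-triggering information) and the section 3.3 steps of reviewing system logs and fixing the start and end of the compromise both depend on knowing which files belong to which inventoried data store. The following is an added example, not part of the UCSB guideline or any campus tool, that cross-references a section 3.2 style inventory against xferlog-format FTP transfer records; every data store, host, path and log line in it is constructed for illustration.

```python
# Added example (not part of the UCSB guideline or its tooling): cross-reference
# a Personal Information Data Store Inventory (section 3.2 fields) against an FTP
# transfer log to surface the Appendix III "downloaded or copied" indicator and
# the compromise window that section 3.3 asks for. All names, hosts, paths and
# log lines below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DataStore:
    """One inventory entry; `files` lists paths known to hold the store's data."""
    name: str
    store_type: str
    server: str
    files: tuple
    proprietor: str
    custodian: str
    user_types: tuple


# Constructed inventory (hypothetical systems, not real UCSB data stores).
INVENTORY = (
    DataStore("student_records", "flat file", "srv-a.example.edu",
              ("/data/students.csv",), "Registrar", "IS&C", ("students",)),
    DataStore("payroll", "SQL Server database", "srv-b.example.edu",
              ("/backup/payroll.bak",), "Accounting", "IS&C", ("staff", "faculty")),
)

# Constructed xferlog-style lines (wu-ftpd/vsftpd layout). The twelfth field is
# the direction: "o" = outgoing (a download from the server), "i" = an upload.
SAMPLE_LOG = """\
Tue Mar  4 02:11:07 2008 3 203.0.113.9 48210 /data/students.csv b _ o r anon ftp 0 * c
Tue Mar  4 02:12:40 2008 1 203.0.113.9 1024 /var/www/index.html b _ o r anon ftp 0 * c
Tue Mar  4 02:13:05 2008 1 198.51.100.7 512 /data/students.csv b _ i r backup ftp 0 * c
this line is not a transfer record
Tue Mar  4 02:15:22 2008 9 203.0.113.9 90211 /backup/payroll.bak b _ o r anon ftp 0 * c
"""


def parse_xferlog_line(line):
    """Return the fields needed for assessment, or None for a malformed line."""
    tokens = line.split()
    if len(tokens) < 14:
        return None
    try:
        when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tokens[7])
    except ValueError:
        return None
    return {"time": when, "remote": tokens[6], "bytes": size,
            "path": tokens[8], "direction": tokens[11], "user": tokens[13]}


def find_acquisition_indicators(log_text, inventory):
    """Outbound transfers whose path belongs to an inventoried data store."""
    by_path = {path: store for store in inventory for path in store.files}
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "o":
            continue  # uploads and non-records are not evidence of acquisition
        store = by_path.get(rec["path"])
        if store is not None:
            hits.append({**rec, "store": store})
    return hits


def assessment_summary(log_text, inventory):
    """Facts for the Appendix II questionnaire: which stores, from where, when."""
    hits = find_acquisition_indicators(log_text, inventory)
    if not hits:
        return {"acquired": False}
    times = [h["time"] for h in hits]
    stores = {h["store"] for h in hits}
    return {
        "acquired": True,
        "stores": sorted(s.name for s in stores),
        "proprietors": sorted({s.proprietor for s in stores}),
        "user_types": sorted({u for s in stores for u in s.user_types}),
        "remote_hosts": sorted({h["remote"] for h in hits}),
        "began": min(times).isoformat(),
        "ended": max(times).isoformat(),
    }
```

A hit here is one indicator to weigh against the other Appendix III factors, not a notification decision by itself; a transfer log with no hits only shows that this one channel carried nothing inventoried.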
Campuses may use additional criteria to determine whether to notify.
Campuses should feel free to contact campus counsel at any step of the process if they have questions or want legal consultation.
Other Considerations
In addition to the factors listed above, there may be other circumstances to be considered when deciding whether or not to abide strictly by the requirements imposed by the law. As an example, although the law does not apply to data that is encrypted, if encrypted information is reasonably believed to have been acquired as a result of a security breach, the extent to which the encryption method would prevent the information from being used should be considered when deciding whether or not to notify.
The law states: "Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure." However, notification would be required if an employee misuses authorized access to disclose personal information. Note as well that an employee disclosing previously encrypted personal information on an unauthorized basis would trigger notification.
If there is difficulty reaching a decision whether or not there is a reasonable belief that data may have been acquired as defined by this law, campuses may also consider the potential damage to individuals if the wrong decision is made. For example, one should weigh the potential for identity theft or financial abuse if it turns out that the data had been acquired and no notice was sent.
DD