Page 1

Preparing for Data Protection Laws: How to Earn an A+ from Your Attorney General

Merri Beth Lavagnino, MLS, CIPP

Chief Information Technology Policy Officer

Indiana University

12 April 2007

Copyright 2007, The Trustees of Indiana University. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2

Overview

• Data Protection Laws
• How Indiana University Prepared for Compliance
• Walk Through an Incident Using the Kit
• Issues and Next Steps
• Questions

Page 3

DATA PROTECTION LAWS

Page 4

Personal Data Protection Laws

• Thirty-some states currently have personal data protection laws
• Federal law repeatedly being proposed:
- “Personal Data Privacy and Security Act” (S. 495), Leahy, Specter
- “Notification of Risk to Personal Data Act” (S. 239), Feinstein

Page 5

Data Protection Laws for Specific Types of Data

• Student education records (FERPA)
• Personal health information (HIPAA)
• Nonpublic customer information of “financial institutions”, which includes student loans (GLBA)
• Credit card transaction data (PCI DSS, a contractual requirement)

Page 6

Why?

• Protect privacy of individuals
• Prevent misuse by government and business
• Perception that data disclosures are leading to increased identity theft

Page 7

How Should We Approach This Plethora of Regulation?

• Find commonalities and thresholds
• Determine what your institution’s position will be
- Highlight differences between standard practice and what is required by law

Page 8

Indiana’s Release of Social Security Number Law
Indiana Code (IC) 4-1-10

• Effective July 1, 2006, it is a crime for an Indiana state agency to disclose an individual’s Social Security Number to a party outside of the agency, unless the disclosure is authorized under Indiana state law

Page 9

Who is Covered?

• For the purposes of this law, a “state agency” includes the following:
- A state elected official’s office
- A state educational institution
- A body corporate and politic of the state created by state statute
- The Indiana lobby registration commission

Page 10

What is Covered?

• Unauthorized disclosure to an outside party of any individual’s SSN (doesn’t have to be a “customer”), in any format:
- Electronic
- Paper
- Oral

Page 11

What Disclosures are OK?

• With the individual’s express written consent
• Only the last four (4) digits of the SSN
• For administering health benefits of an employee or the employee’s dependent(s)
• And a bunch of legal situations:
- Disclosures to a local, state, or federal agency for the purpose of furthering an investigation
- Disclosures that are expressly required (not just permitted) by state or federal law or a court order
- Disclosures made in the context of certain counterterrorism investigations
- Disclosures to commercial entities for use in certain activities authorized under 3 federal laws

Page 12

Who Enforces?

• Enforced by the State Attorney General, who can bring action against the agency
• Possibility of civil suit filed by affected individual(s): a “private right of action”
• Enforcing body will issue “Rules”

Page 13

What Happens if You Don’t Comply?

• Knowing, intentional, or reckless violations are felonies:
- Up to 3 years’ jail time
- Up to $10,000 fines
• Negligent violations are “infractions” and are misdemeanors:
- Up to 1 year jail time
- Up to $5,000 fines
• Possibility of civil suit filed by affected individual(s)

Page 14

Issue: What Constitutes “Negligence”?

It is not clear whether “negligent” disclosure under the law covers only affirmative transfer of an SSN, or also covers inadvertent exposure of SSNs to unauthorized access due to inadequate security measures.

Page 15

Indiana’s Personal Information Secure Disposal Law
Indiana Code (IC) 24-4-14

• Effective July 1, 2006, it is a crime for a person to dispose of certain personal information of a “customer” in a non-secure manner

Page 16

Who is Covered?

• For the purposes of this law, a “person” means:
- an individual
- a partnership
- a corporation
- a limited liability company
- or another organization

Page 17

What Actions are Covered?

• Discarding or abandoning the “personal information” of a “customer” in an area accessible to the public

• Includes placing the personal information in a container for trash collection

• Although not explicit, includes disposal of computer drives and disks

Page 18

What Data is Covered?

• Social Security Numbers, OR
• First initial or name PLUS last name AND at least one of:
- Credit card number
- Financial account number or debit card number in combination with a security code, password, or access code that permits account access
- Driver’s license number
- State identification number

Page 19

What Discarding is OK?

• The law only applies to personal information that is neither “encrypted” nor “redacted”
- Check the definitions: this one defines redacted as the last 5 digits, not 4

Page 20

What are Secure Methods of Disposal?

• Shredding
• Incinerating
• Mutilating
• Erasing
• Methods that otherwise render the information illegible or unusable

Page 21

Relationship to Other Data Security Laws

• State disposal law EXEMPTS persons who are already maintaining and complying with a disposal program under:
- HIPAA
- Financial Modernization Act (Gramm-Leach-Bliley)
- Fair Credit Reporting Act
- Driver’s Privacy Protection Act
- USA Patriot Act/Executive Order 13224

Page 22

Indiana’s Notice of Security Breach Law
Indiana Code (IC) 4-1-11

• Effective July 1, 2006, a State Agency must notify individuals whose “unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person” as a result of a system security breach

Page 23

What Data is Covered?

• First initial or name PLUS last name AND at least one of the following:
- SSN (more than the last 4 digits)
- Driver’s license number
- State identification card number
- Credit card number
- Debit card number
- Financial account number
- Security code, access code, or password of financial account

Page 24

What Data is Not Covered?

• Non-computerized/electronic data
• Theft of portable electronic devices with personal information stored on them, if access is protected by a password that has not been disclosed
• “Encrypted” data

Of course, IU can still give notice as a policy matter when we have these types of disclosures…

Page 25

What is Required?

• Notification of individuals affected
• “Without unreasonable delay”
• Consistent with:
- legitimate needs of law enforcement
- measures needed to determine scope of breach and restore system integrity

Page 26

How May Notice Be Given?

• In writing
• By email
• By conspicuous posting on IU website and notice to major statewide media, if:
- Cost of notice to individuals is $250K or more,
- More than 500,000 people must be notified, or
- We have insufficient contact information for personal notice

Page 27

Who Else Must Be Notified?

• The Indiana Attorney General (within 2 business days)
• If more than 1,000 individuals’ information involved, must notify all consumer reporting agencies
- Equifax, TransUnion, Experian
- Heads up to them that individuals may be requesting credit reports to monitor for attempted identity theft

Page 28

Payment Card Industry Data Security Standards (PCI DSS)

• Merchant bank agreements impose payment card data security standards

• Requires immediate notice (within 24 hours) to payment card company in case of security breach

• Noncompliance may lead to fines, revocation of right to accept cards for payment
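The triggers and duties on slides 22 through 28 form a decision procedure, and writing it down as one makes the gaps and thresholds visible before an incident. The Python triage helper below is an added example, not part of the original slides or of IU's Incident Kit. The Exposure fields, the element names and the exact way thresholds are compared are assumptions of the example; University Counsel still makes the real determination. It evaluates the PCI DSS 24-hour notice separately from the state law, because that duty is contractual rather than statutory.

```python
# Added example (not from the original slides or IU's Incident Kit): a triage
# helper encoding the Indiana Code 4-1-11 breach-notification triggers and
# follow-on duties summarized on slides 22-28, plus the PCI DSS 24-hour notice
# from slide 28. Field names, element names and threshold comparisons are
# assumptions of this example; Counsel makes the actual determination.
from dataclasses import dataclass, field

# Data elements that, paired with first initial/name PLUS last name, are covered
# (slide 23). "ssn" counts only when more than the last 4 digits were exposed.
TRIGGER_ELEMENTS = {
    "ssn", "drivers_license", "state_id", "credit_card", "debit_card",
    "financial_account", "financial_credential",  # security/access code or password
}
CARD_ELEMENTS = {"credit_card", "debit_card"}     # bring PCI DSS into play (slide 28)


@dataclass
class Exposure:
    has_name: bool                        # first initial or name PLUS last name present
    elements: set = field(default_factory=set)
    electronic: bool = True               # slide 24: non-computerized data not covered
    encrypted: bool = False               # slide 24: "encrypted" data not covered
    device_password_protected: bool = False  # stolen portable device, password undisclosed
    ssn_digits_exposed: int = 9           # 9 = full SSN; 4 = only the last four
    affected: int = 0                     # number of individuals
    notice_cost_usd: float = 0.0          # estimated cost of individual notice
    contact_info_complete: bool = True


def coverage(e: Exposure) -> tuple[bool, str]:
    """Decide whether IC 4-1-11 is triggered; returns (covered, reason)."""
    if not e.electronic:
        return False, "non-computerized data is not covered"
    if e.encrypted:
        return False, "encrypted data is not covered"
    if e.device_password_protected:
        return False, "portable device protected by an undisclosed password"
    if not e.has_name:
        return False, "no first initial/name plus last name"
    elems = set(e.elements) & TRIGGER_ELEMENTS
    if "ssn" in elems and e.ssn_digits_exposed <= 4:
        elems.discard("ssn")              # last four digits alone are not a covered element
    if not elems:
        return False, "no covered data element combined with a name"
    return True, "name plus " + ", ".join(sorted(elems))


def obligations(e: Exposure) -> list[str]:
    """List the notification duties this exposure triggers, in checklist order."""
    duties = []
    covered, _ = coverage(e)
    if covered:
        duties.append("notify affected individuals without unreasonable delay")
        duties.append("notify Indiana Attorney General within 2 business days")
        if e.affected > 1000:                       # slide 27
            duties.append("notify consumer reporting agencies (Equifax, TransUnion, Experian)")
        # Slide 26: substitute notice (website posting plus statewide media) is
        # permitted once any one of these three conditions holds.
        if (e.notice_cost_usd >= 250_000 or e.affected > 500_000
                or not e.contact_info_complete):
            duties.append("substitute notice permitted: conspicuous web posting plus statewide media")
    if set(e.elements) & CARD_ELEMENTS:
        # PCI DSS is contractual, so it is evaluated independently of the state law.
        duties.append("notify payment card company within 24 hours (PCI DSS)")
    return duties


if __name__ == "__main__":
    # Constructed incidents modeled on the cases listed on slide 38.
    cases = {
        "spreadsheet emailed to wrong address": Exposure(True, {"ssn"}, affected=120),
        "laptop stolen, password-protected":    Exposure(True, {"ssn"}, device_password_protected=True),
        "outsourced server, card numbers":      Exposure(True, {"credit_card"}, affected=1500),
        "paper rosters in the trash":           Exposure(True, {"ssn"}, electronic=False),  # disposal-law matter, not breach law
    }
    for label, exp in cases.items():
        ok, why = coverage(exp)
        print(f"{label}: covered={ok} ({why})")
        for d in obligations(exp):
            print("   -", d)
```

Running the script prints the coverage decision and the duties for four constructed incidents. The password-protected laptop and the paper case come out as not covered by IC 4-1-11, which is exactly the point slide 24 makes: the statute is narrower than IU's own notification practice, so a result of "not covered" ends the legal analysis, not the policy one.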

Page 29

You CAN Address All Laws and Regulations in One Strategy…

• In general, laws and regulations focus on requiring ADMINISTRATIVE, PHYSICAL and TECHNICAL measures to maintain the security of sensitive data
• University policy will most likely require MORE than the laws or regulations do

Page 30

HOW INDIANA UNIVERSITY PLANNED FOR COMPLIANCE

Page 31

Indiana University

• Indiana University has eight campuses: the original campus in Bloomington; an urban campus in Indianapolis, which also includes the IU Medical Center; and six regional campuses in the cities of Gary, South Bend, Fort Wayne, Kokomo, Richmond, and New Albany
• Total students: ~98,000
• Total faculty and staff: ~22,000

Page 32

Decentralized Environment

• “Data Stewards” responsible for policy and practice concerning their data
- Including granting access to their systems, and training about appropriate use of their data
• Campuses, colleges, departments, units responsible for local technology and security of that technology
• Individuals responsible for appropriate and secure use of the data

Page 33

Strategy

• IT Security & Policy Office partnered with University Counsel and Internal Audit to devise plan
- Studied the new laws
- Identified issues and questions about interpretation
- Counsel conferred with Counsels of other large universities in the state
- Several meetings with Attorney General’s Office
- Discussed with Data Stewards
- Decided how we would interpret the laws for our institution
- Decided to leverage criminal penalties and retirement of SSN as employee and student identifier

Page 34

Strategy Continued…

• Composed a letter jointly signed by Counsel and IT Policy Officer, sent by President to all faculty and staff
• Counsel and IT Policy Officer gave dozens of individual presentations on new laws and what to do, to every group possible, from Chancellors all the way down to departmental staff
• Created web page to compile information and resources in one place: itpo.iu.edu/policies/bestpractices/dataprotection.html
• Prepared to provide analysis of specific situations to assist units in determining compliance
• Updated “Sensitive Data Exposure Incident Response Kit” to prepare for July 1 requirements

Page 35

Major Emphases with All Groups

• Identify what data you have, and where
• Get rid of it (in a secure manner)
- “Because I need it” is not an acceptable argument
• If absolutely required to keep, secure it
- On a professionally administered server with a private IP and strict access controls
- Better yet, not online at all
• Fix contracts for all transfers of data
• Report suspected disclosures IMMEDIATELY
• If questions or resource issues, TELL US
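The first emphasis, identify what data you have and where, is the one units most often cannot answer without tooling, and slide 60 returns to the same idea as proactively searching for SSNs. The scanner below is an added example, not IU's tooling or anything from the original slides: it walks a directory of text files and reports how many structurally plausible SSNs each file holds. The regular expression, the function names and the constructed sample files are assumptions of the example; the plausibility rules it applies (area not 000, 666 or 900 and above, group not 00, serial not 0000) are the Social Security Administration's published structural constraints on the number.

```python
# Added example (not from the original slides or IU's tooling): a minimal
# data-discovery scanner for "identify what data you have, and where" (slide 35)
# and the proactive SSN search mentioned on slide 60. It reports counts per file,
# never the matched numbers, so the report is not another copy of the data.
# Regex, function names and sample files are assumptions of this example; the
# plausibility checks are the SSA's structural rules for valid SSNs.
import os
import re
import tempfile

# 3-2-4 digits, optionally separated by hyphen or space, not glued to other digits
# (so a 10-digit phone number or a long account number does not match inside).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity: area not 000/666/900-999, group not 00, serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSN strings found in text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]


def scan_tree(root: str) -> dict[str, int]:
    """Map each file under root that contains plausible SSNs to its hit count."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue            # unreadable file: skip; a real tool would log it
            if hits:
                findings[path] = len(hits)
    return findings


# Constructed sample files: one old grade roster (the slide 38 pattern) and one
# harmless file whose contents look similar but should not be reported.
SAMPLE_FILES = {
    "rosters/spring2004.csv": "Doe, Jane, 123-45-6789, A\nRoe, Rick, 321 54 9876, B\n",
    "notes/phones.txt": "Helpdesk 8125551234\nRedacted XXX-XX-6789\nBogus 000-12-3456\n",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        for path, count in sorted(scan_tree(root).items()):
            print(f"{count:4d} plausible SSN(s) in {os.path.relpath(path, root)}")
```

Reporting counts per file rather than the matched values keeps the scan report from becoming a new copy of the sensitive data, which matters given the "get rid of it" emphasis above. Expect false positives from other nine-digit identifiers such as student or account numbers: the file list is a starting point for the data owner's review, not a verdict, and binary formats (spreadsheets, databases, disk images) need their own extraction step before a text scan like this one can see into them.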

Page 36

Web Page

- Overview

- Actions You Can Take to Secure Sensitive Data

- What to Do if Sensitive Data is Exposed

- Details of Each of the New Indiana Laws

Page 37

Sensitive Data Exposure Incident Kit

- Checklist
- Sample Notification Letters
- Template for Web Page FAQ
- Sample Press Releases
- Tips on Dealing with Contacts from Press and from Individuals Affected

Page 38

What Kind of Exposures Have We Had?

• Prior to new law:
- Faculty member kept old computer when new ones were distributed; patches were not kept up to date; had old grade rosters on it (student records, SSNs)
- Outsourced server not properly secured (credit card numbers)
• Since July 2006:
- Secretary mistakenly emailed to wrong address, with spreadsheet attached (student records, SSNs)
- Laptop of faculty member stolen from his locked car in his garage; had grade rosters on it (student records, SSNs)
- Library posted archive data on web (SSNs)
- Flash drive lost, with programmer’s data on it (personal data, SSNs)
- Faculty saved files to file server which was a web server (student data, SSNs)

Page 39

WALK THROUGH AN INCIDENT USING THE KIT

Page 40

Let’s Pretend You Have A Suspected Sensitive Data Exposure Incident…

• Since you attended one of our presentations and you read the letter sent by the President, you know what to do first, right?

Page 41

Right!

• You take immediate action to contain the exposure
- Unplug network cable
- Leave powered on
- Don’t touch it!
• You take immediate action to report the incident to the IT Security & Policy Office
- You call published numbers until you get a human, no matter what day or time it is

Page 42

First Steps…

• We call you and ask a lot of questions
• We email you the Kit and Contact List
• We assign you first tasks from the Checklist in the Kit
• We stress to you that the incident “belongs” to you, but response is “coordinated” by the ITSPO
• We tell you we expect notifications to go out WITHIN ONE WEEK
• We hang up with you, and assemble an Incident Team (includes you)
• Incident Team meets on conference call

Page 43

Checklist (columns: Done | Task | Owner)

1) Immediately contain and limit the exposure
- Unplug network cable (NOT power cable) from compromised system
- Do not access (do not log on) or alter compromised system
- Do not power off the compromised system
- Write down what you saw and what actions have been taken so far
Owner: Unit

2) Alert Information Technology Security & Policy Office (ITSPO)
- Call XXX or XXX or XXX. If you don’t get one of them IN PERSON, then:
- Call UITS Support Center or NOC (these are 24 x 7 services) and ask them to page ITSPO
- Also send details to [email protected]
Owner: Unit

3) Preliminary assessment of type and scope of data exposed
Owner: Unit

Page 44

4) Obtain forensic evidence
- Obtain image of drive(s)
- Install and run utility such as WOLF
Owner: ITSPO

5) Consult with University Information Technology Security & Policy Office (ITSPO)
- Discuss communications strategy [don’t talk to anyone outside of the Incident Team about the incident until authorized; say you are doing computer maintenance if you need to say anything]
- Receive current Sensitive Data Exposure Incident Kit and Appendix
- Do not continue with this plan until receiving go-ahead from ITSPO
Owner: Unit and ITSPO

6) Assemble Incident Response Team
- Set up conference calls for daily updates by Incident Team members
Owner: ITSPO

Page 45

7) Call Counsel
- Keep contact(s) updated

8) Call University Data Steward(s) for type(s) of university data exposed
- Registrar for Student Records
- Bursar for Student Financial Records
- HR for Employee Records
- Keep contact(s) updated

9) Call Campus Data Manager(s) for type(s) of university data exposed
- Registrar for Student Records
- Bursar for Student Financial Records
- HR for Employee Records
- Keep contact(s) updated

Page 46

10) If Credit Card, Bank Account, or other financial data exposed:
- Call University Treasurer’s Office
- Keep contact(s) updated

11) If Protected Health Information exposed:
- Call HIPAA Compliance Officer
- Keep contact(s) updated

12) If appropriate, notify Law Enforcement; determine if criminal proceedings are recommended
- IU Police Department
- FBI local office
- Secret Service local office

ITSPO

ITSPO

Page 47

13) Call Communications Office(s)
- University
- Campus
- School/College/Dept
- VP for IT
- Identify Communications Point Person(s)
- Keep contact(s) updated
Owner: ITSPO

14) Call School/College/Dept Administration
- Keep contact(s) updated

15) Call IT Administration
- VP for IT
- Campus CIO/Dean of IT
- Keep contact(s) updated
Owner: ITSPO

Page 48

16) Call Campus Administration
- Campus Chancellor
- Keep contact(s) updated

17) Call University Administration
- President/Chancellor
- Keep contact(s) updated

18) Call Internal Audit
- Keep contact(s) updated

Page 49

19) Perform forensics
- Report of findings
Owner: ITSPO

20) Final assessment of type and scope of data exposed, and the availability and type of contact data for individuals affected
Owner: Unit

21) Decisions to make:
- Notify affected individuals?
- Issue press release?
Owner: Response Team

Page 50

22) If Social Security number exposed:
- Notify Attorney General WITHIN 2 BUSINESS DAYS
Owner: University Counsel

23) If Credit Card data exposed:
- Call Credit Card Processor(s) and/or Merchant Bank(s)
- Call VISA Fraud Control Group at (650) 432-2978
- Provide all compromised accounts to Visa Fraud Control Group WITHIN 24 HOURS
- Provide an incident report to Visa WITHIN 4 BUSINESS DAYS
Owner: Treasurer

24) If number of individuals affected by a “breach of the security system” exceeds 1,000:
- Notify Credit Bureaus
Owner: University Counsel

Page 51

25) Notify affected individuals
- Identify letter issuer and letterhead to be used (Unit)
- Compose draft text (Unit)
- Prepare envelopes (postage, addresses) (Unit)
- Prepare mail merge (Unit)
- Prepare for printing of letter (Unit)
- Prepare for stuffing of envelopes (Unit)
- Obtain approval for text from: OVPIT; University Counsel; Unit Executive Administration; University and/or Campus Communications Office; Data Steward (ITSPO)
- Print, stuff envelopes, mail letter (Unit)

Page 52

26) Create web site for affected individuals
- Identify URL and location (Unit)
- Restrict access until ready to go live (Unit)
- Compose draft design of page and what content to include (Unit)
- Compose draft FAQ (Unit)
- Prepare for web site to go live (Unit)
- Obtain approval for FAQ text and other content from: OVPIT; University Counsel; Unit Executive Administration; University and/or Campus Communications Office; Data Steward (ITSPO)
- Make site live before letters arrive in mailboxes

Page 53

27) Prepare telephone support for affected individuals
- Identify appropriate person(s) to handle calls (Unit)
- Identify/set up telephone number to use (Unit)
- Train person handling calls/provide talking points (ITSPO/Com)

28) Prepare for email support for affected individuals (optional)
- Identify appropriate person(s) to handle email (Unit)
- Identify/set up email address to use (Unit)
- Train person handling email/provide talking points (ITSPO/Com)

29) Press Release and other press planning
- Identify contact for media (Unit)
- Compose draft text (Unit)
- Obtain approval for text from: OVPIT; University Counsel; Unit Executive Administration; University and/or Campus Communications Office; Data Steward (ITSPO)
- Issue press release (Unit)

Page 54

30) Inform affected staff whom to send any individual or press contacts to
- Unit staff
- ITSPO staff
- UITS management
- Campus Deans? Staff in areas that might be asked, such as Registrar?
Owners: Unit, ITSPO, ITSPO

31) Collect staff time spent weekly during event and record in the incident
Owner: Unit and ITSPO

32) Schedule a debriefing meeting afterwards to review what could have been done better, how to avoid in the future
Owner: ITSPO

33) Other issues this incident highlighted:
- Why was that data located there?
- What more could have been done to avoid the intrusion?

34) Study remediation needs
- Issue report
- Letter to Dean or Director
Owner: Response Team

35) Implement remediation needs
Owner: Unit

Page 55

ISSUES AND NEXT STEPS

Page 56

Why is the Attorney General Happy?

• We’re fast
• One unit coordinates on behalf of the institution
- He sees same procedures applied every time
- He sees approved wording being recycled
- He gets same story from all involved
• We focus on the individuals affected, not on the press

Page 57

Also…

• All incidents (so far) have been mistakes – not due to systematic lack of attention to data protection

• It’s abundantly clear we aren’t hiding anything… ;)

Page 58

Issues

• Who does non-IT based exposures?
• Contact info for long-gone persons
• Contracts
• Express written consent
• Overly zealous ITSPO staff

Page 59

And I’m Wondering…

• When are we going to admit we are over-notifying???

“…was or is reasonably believed to have been acquired by an unauthorized person…”

Page 60

Next Steps

• Consider data protection as next NCAM theme

• Move toward model of annual online training for all employees, regardless of whether they have access to a data repository or not

• Discuss with AG proactively searching for SSN’s and other sensitive data
