Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE.

Presentation transcript:

Data Breach Notification Toolkit Mary Ann Blair Director of Information Security Carnegie Mellon University September 2005 CSG Sponsored by the EDUCAUSE Security Task Force Policy and Law Sub Committee Data Breach Notification Sub Group

A Dubious Honor
- We owe a debt of thanks to those among us who have ‘pioneered’ data breach notification: “There but for the grace…”
- For some it’s the law, for others it’s just the right thing to do.
- Sooner or later we all will be required by law to notify.

Goal: Bootstrap the Uninitiated
- When you’re under fire, you need help fast.
- Provide a tool that pulls from our collective experience.
- A real-time aid for creating the various communications that form data breach notification.
- An essential part of an incident response plan.

Data Breach Notification Toolkit (hosted by EDUCAUSE)
- Federal/State Legal Requirements
- Policies and Procedures
- Threshold for Notification
- Notification Templates
- Incident Web Sites
- Other Resources
- Sample Incident Response Plans
- Under Construction: Threshold for involving law enforcement

Notification Templates
- Outlines and content for: Press Releases; Notification Letters; Incident Specific Website; Incident Response FAQs; Generic Identity Theft Web Site
- Sample language from actual incidents
- Food for thought – one size does not fit all

Before an Incident: Generic Identity Theft Site
- Public Service Announcement
- Can be referenced in the event of an incident
- Components: What is Identity Theft; How to avoid it; What to do if your data may have been compromised or you become an actual victim of identity theft; FAQs
- Verify info is correct at time of publication, especially for your locale.

Generic Identity Theft Site
Introduction: This site contains information on how to protect yourself from identity theft, as well as what to do if your personal information becomes exposed or if you actually become a victim of identity theft. Links to additional information can be found under Resources.
What is Identity Theft? Identity theft occurs when someone uses another person's personal information, such as name, Social Security number, driver's license number, credit card number or other identifying information, to take on that person's identity in order to commit fraud or other crimes... etc.

Responding to an Incident
- Press Releases
- Notification Letters
- Incident Specific Website (1 per incident)
- Incident Response FAQs
- Hotline (FAQs serve as a script for call-takers)

Press Release Components
- What are you doing? Announcing a breach? A theft? Announcing that the case has been resolved? That notification has occurred?
- Who is affected/not affected?
- What specific types of personal information are involved?
- What are the (brief) details of the incident?
- “No evidence to indicate data has been misused…” or what the evidence points to.
- Expression of regret and concrete steps the institution is taking to prevent this from happening again.
- For more information, …

Sample Snippets – Who is Affected/Not Affected
- The server contained personal information, including names and Social Security numbers, on current, former and prospective students, as well as current and former faculty and staff.
- The vast majority of students involved were new students within the past five years.
- Student laptop computers were not breached, and, at this time, school officials believe that [population, e.g. current undergraduates] were not affected.

Notification Letter Components
- What happened and when?
- How was it detected?
- What specific types of personal information are involved, and for whom?
- What steps are being taken?
- “No evidence to indicate data has been misused…” or what the evidence points to.
- What steps should individuals take?
- Expression of regret and/or commitment to security.
- Next steps.
- Contact information.
- Signature.

Sample Snippets – Notification Letter
- Anticipated next steps, if any, e.g. intention to notify if any additional information becomes available. Example: The theft of this information raises a number of possible risks to you. One is theft of identity for financial gain. The University will be sending you a package of materials outlining steps you can take to protect yourself from this. Another risk is theft of identity for purposes of international travel or foreign entry. The University is currently working with several federal agencies, including the Immigration and Naturalization Service, and we have been informed that because of this theft, you may be asked further questions to verify your identity when leaving or entering the United States.
- Who to contact for additional information: contact name, number, hours of availability, web site, hotline, address, etc. Example: Should you have further questions about this matter, please contact [name of contact], [title of contact], at [address of contact] or [phone number].
- Signature: who makes most sense – president, dean, or another contact familiar to the individual; consider multiple signatories for different constituent groups.

Incident Web Site Components
- Most-Recent-Update section at top of page
- Link to Identity Theft website/credit agencies
- FAQs
- Press Releases
- Toll-free Hotline contact information

Reactions
- Concerns?
- Perceived Value?
- Necessary to anonymize snippets?

Coming Attractions
- Threshold for notification
- Best practice detection – monitoring, logging, tools, etc.
- What would you like to see?

Thank you