David Hotchkiss - RE: RE: SB1386 Template

David: The Board has directed that we identify more than one potential contractor that can provide both the forensic analysis and resolve the infestations, from which the Chancellor can select. Could you help identify one to two others? Thank you, Scott Scott Dickey | Senior Government Law & Litigation Counsel 350 Sansome Street, Suite 300 | San Francisco, CA 94104 t: 415-678-3800 | f: 415-678-3838 | d: 415-678-3827 w: www.publiclawgroup.com Confidentiality Note: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -----Original Message----- From: David Hotchkiss [mailto:dhotchkiss@ccsf.edu] Sent: Fri 12/16/2011 9:19 AM To: Scott Dickey; Scott Dickey Subject: Fwd: RE: SB1386 Template Scott I don't seem to find an answer to the email I sent you on Dec 7th. I reiterate my concern of sending out a notice prior to performing a forensic study. The study will identify the scope of the breach and allow us to determine the best way to restore the reasonable integrity of the network. The study would determine if we should send the notice to 100 people or 100,000 people. At this point we cannot rule out that the infestation has penetrated Banner (the HR, payroll and student information system) or Medicat (student medical records). This activity is well beyond the capabilities of the IT staff. It has been eight days since I sent the below email. Time is of the essence with this matter. Even if you are correct in your interpretation of SB1386, don't we have a responsibility to our students and employees to ensure the proper safeguarding of their personal data as well as to give them an honest appraisal of the situation? On Dec 7th you told me that you were going to speak to the Chancellor about this and the Purchase Order I gave him on Dec 5th. Since I have not received the PO I presume that the Chancellor has not signed it. Do you know what is happening with it?

From: "Scott Dickey" <sdickey@publiclawgroup.com>To: "David Hotchkiss" <dhotchkiss@ccsf.edu>Date: 12/17/2011 9:07 AMSubject: RE: RE: SB1386 Template

Page 1 of 3RE: RE: SB1386 Template

12/19/2011file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4EEC5BC7POA_DOMpo...

David A. Hotchkiss, Ph.D., PMP Chief Technology Officer San Francisco Community College District Phone: 415.452.5586 >>> David Hotchkiss 12/7/2011 1:45 PM >>> Scott: Thanks for the template. One question. Is it your recommendation to go forward with sending out the notification letter before a forensic study is done so we can determine what was sent and how to mitigate the issues? I am not certain that I am comfortable with the statement "want to assure you that we are reviewing and revising our procedures and practices to minimize the risk of recurrence." when SB1386 indicates we should be determining the scope of the breach and the steps needed to restore the reasonable integrity of the system. See Civil Code Section 1798.29(a) "... The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." David A. Hotchkiss, Ph.D., PMP Chief Technology Officer San Francisco Community College District Phone: 415.452.5586 >>> "Scott Dickey" <sdickey@publiclawgroup.com> 12/7/2011 11:50 AM >>> David: Here's a draft template for notification. Please feel free to beef up the second paragraph, regarding what happened. Call with questions. Thanks! Scott From: David Hotchkiss [mailto:dhotchkiss@ccsf.edu] Sent: Friday, December 02, 2011 1:07 PM To: Scott Dickey Cc: Don Griffin Subject: SB1386 Template Scott Just a follow-up email from our conversation on Wednesday and Thursday requesting a template to meet the requirement of SB1386 Personal information, privacy (Section 1798.82 and Section 1798.29 of the Civil Code). Specifically Section 1798.29.a. which requires the disclosure of the potential acquisition of personal information upon discovery or notification of a breach in security.

Page 2 of 3RE: RE: SB1386 Template

12/19/2011file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4EEC5BC7POA_DOMpo...

Thank you for your assistance in this matter. David A. Hotchkiss, Ph.D., PMP Chief Technology Officer San Francisco Community College District Phone: 415.452.5586

Page 3 of 3RE: RE: SB1386 Template

12/19/2011file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4EEC5BC7POA_DOMpo...