Getting Legal: Building the ISO/Legal Counsel Relationship through GLB

Dr. Dan Manson
Cal Poly Pomona
dmanson@csupomona.edu

Topics

Background on Legal Counsel in CSU
First Contact
Notice of Breach of Security
Information Security Program (GLB)
Incident Response Team
New Laws
Conclusion

Why the ISO Needs a Relationship With Legal

"A strategy focused on relationships with processes geared to encounters is doomed to end in poor results and low customer satisfaction."

Robert F. Nolan Management Consultants, based on Barbara Gutek's "The Brave New Service Strategy", AMACOM, 2000.

Acknowledgment

My sincere thanks for the professional advice and support provided by Cal Poly Pomona's legal counsel, Marlene Jones.

Background

23 campuses in Cal State University System
21 legal counsels in Cal State system
5 based on campus, remainder at Chancellor's Office

First Contact – June 19th

Received e-mail from legal counsel
Asked whether we drafted an information security program to comply with applicable state and federal laws

Breach of Security and Notice Timeline

Discovered July 30
Eight e-mails plus several phone calls between July 30 and August 1
Notification letter completed August 1

Notice of Breach

On July 30, 2003, the University discovered that lists of names and social security numbers of students in seven class sections were stored in files accessible without proper authorization. Although there was no evidence that any personal data was retrieved from the files, the University took immediate steps to restrict the files and provide the requisite notice under civil code section 1798.29 of the Information Practices Act. We have no reason to believe that your information has been misused; however, we are bringing this event to your attention with the suggestion that you be on the lookout for any possible misuse of your personal information.

The Financial Modernization Act of 1999 (GLB)

Institutions that comply with the Family Educational Rights and Privacy Act (FERPA) are exempted from parts of federal privacy rules that were established for financial institutions under the Gramm-Leach-Bliley Act (GLB).

The FTC is taking the position that its safeguarding rules DO apply to institutions of higher education, affecting student loan records in particular and possibly others.

Source: http://www.nacubo.org/documents/business_topics/COHEAO_notes.doc

Information Security Program

First draft July 8th
Many e-mails and several face-to-face meetings over the next 3 months
Draft Information Security Program presented to Cabinet September 11th
Memo sent to campus President October 9th
Academic Senate questions raised and addressed

GLB Safeguarding Requirements

GLB mandates that the University appoint an information security coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to Covered Data and Information, oversee service providers and contracts, and evaluate and adjust the Program periodically.

Source: http://www.csupomona.edu/~dsa/satechs/docs/Information_Security_Prog.doc

Information Security Program Preamble

"This Information Security Program (Program) was prepared by the Instructional and Information Technology Division (I&IT) in order to protect sensitive information and data, and to comply with Federal Law. This Program will affect I&IT, as well as other areas of the University, including, but not limited to, Academic Affairs, Administrative Affairs, President's Office, University Advancement, Extended University, and Student Affairs and will also affect non-state entities operating on campus, such as CSU approved auxiliaries. The goal of the Program is to protect sensitive information and data and to assure compliance with applicable law related to information security."

Source: http://www.csupomona.edu/~dsa/satechs/docs/Information_Security_Prog.doc

Incident Response Team

Campus IRT started in July
Team asked for meeting with legal counsel
Legal counsel asked for list of questions

Partial List of Questions and Answers

At what point do we bring in legal counsel to the IRT process?
When you need assistance to determine if the notice requirements contained in Civil Code 1798.29 are triggered, or if you believe that there has been an intentional violation of the Information Practices Act.

Civil Code 1798.29 Section (a)

"Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

Partial List of Questions and Answers

What procedures would you (as legal counsel) like to see the IRT follow?
Notification under CC 1798.29 must be prompt, and records should be kept to verify that the statutorily required notice was provided.

Partial List of Questions and Answers

When do we take incidents to legal versus public safety?
If you have evidence of a crime or violation of the Information Practices Act by a third party, you should report it to the campus police after providing notice as required by the Act. If you have concerns that a University student or employee has violated the Act, you should contact the appropriate administrator, who may consult with the University Counsel.

New Laws

California Civil Code § 1798.85 (signed Oct. 12, 2003)
Senate Bill 1279 (in progress)

California Civil Code § 1798.85

Effective Date
January 1, 2004, unless otherwise indicated below.

Prohibitions
Under the law, the following actions are prohibited:

Publicly post or publicly display in any manner an individual's SSN. "Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.

Print an individual's SSN on any card required for the individual to access products or services provided by the person or entity.

Require an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted.

Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

California Civil Code § 1798.85

Require an individual to use his or her SSN to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site. (Effective January 1, 2005)

Print an individual's SSN on any materials that are mailed to the individual, unless state or federal law requires the SSN to be on the document to be mailed. Notwithstanding this paragraph, SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN. An SSN that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened. (Effective January 1, 2005)

Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

California Civil Code § 1798.85

Encode or embed the SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the SSN as an effort to comply with these new provisions.

Allowable Uses of the SSN

As a Requirement of Law or for Administrative Purposes: Social Security numbers may be collected, used, or released as required by state or federal law, or used for internal verification or administrative purposes.

Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

California Civil Code § 1798.85

Grandfather Clause: If a state or local agency used an individual's SSN in the manner prohibited above prior to January 1, 2004, it is allowed to continue to use that individual's SSN in the same manner on or after January 1, 2004, if all of the following conditions are met:

The use of the SSN is continuous. If the use is stopped for any reason, the prohibitions apply.

The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her SSN in a manner prohibited under the law.

A written request by an individual to stop the use of his or her SSN in the manner prohibited by the law is implemented within thirty days of the receipt of the request.

There may not be a fee or charge for implementing the request.

The person or entity does not deny services to an individual because the individual makes a written request to stop the use of his or her SSN.

This grandfather clause concerns the use of an individual's SSN and not the practice of using SSNs in general.

Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf

California Civil Code § 1798.85

Guidance about Truncating the SSN

The law does not prohibit printing a truncated SSN on a document to be mailed to the individual.

If an SSN is truncated, however, only the last four digits should be displayed, e.g., XXX-XX-1234.

Source: http://www.ucop.edu/irc/policy/ssnlaw.pdf
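The truncation rule above, as an added example that is not part of the original slides or of the campus program: a small Python helper that reduces an SSN to the XXX-XX-1234 form the guidance recommends, plus a check that flags any full SSN still present in an outgoing document (a mail template, for instance) before it is printed. The regular expression, the function names and the sample letter are my own constructions; the guidance itself only specifies the display form.

```python
import re

# Matches a 9-digit SSN written with dashes, spaces, or no separators at all.
# The word boundaries stop it matching inside longer digit runs such as
# phone or account numbers. (Pattern is an assumption for this example.)
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def truncate_ssn(ssn: str) -> str:
    """Return the SSN as XXX-XX-1234: only the last four digits survive.

    Raises ValueError for anything that is not a plausible 9-digit SSN, so a
    malformed value is never silently passed through in full.
    """
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError(f"expected 9 digits, got {len(digits)}")
    return f"XXX-XX-{digits[-4:]}"


def mask_ssns(text: str) -> str:
    """Replace every full SSN found in a block of text with its truncated form."""
    return SSN_PATTERN.sub(lambda m: truncate_ssn("".join(m.groups())), text)


def find_unmasked_ssns(text: str) -> list[str]:
    """List the full SSNs still present in text, digits only.

    An empty list means the document already complies with the
    last-four-digits rule; anything else should block printing.
    """
    return ["".join(m.groups()) for m in SSN_PATTERN.finditer(text)]


# Constructed sample of an outgoing letter body; the SSN is a made-up value.
SAMPLE_LETTER = (
    "Dear Student,\n"
    "Our records list your SSN as 123-45-6789.\n"
    "Call 909-555-0100 with questions.\n"
)


def check_sample_letter() -> tuple[list[str], str]:
    """Run both checks on the constructed letter and return the results."""
    return find_unmasked_ssns(SAMPLE_LETTER), mask_ssns(SAMPLE_LETTER)


if __name__ == "__main__":
    unmasked, masked = check_sample_letter()
    print("full SSNs found before masking:", unmasked)
    print(masked)
```

The phone number in the sample is deliberately left alone by the pattern: a 10-digit run has no word boundary after the ninth digit, so it never qualifies as an SSN.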

Senate Bill 1279 (in progress)

SB 1279 seeks to widen the definition of breachable data to include all data, rather than only computerized data. Under SB 1279, any personal data maintained on voice systems or on paper would be covered by the same provisions that currently apply only to computerized data.

The bill would also require companies that suffer a security breach involving personal information to provide two years of credit-monitoring services, without charge, to each affected individual.

Source: http://www.computerworld.com/securitytopics/security/story/0,10801,91309,00.html

Conclusions

Planning needed to handle a crisis
Preventive law is like preventative medicine
ISOs need to understand legal issues
ISOs need a working relationship with legal counsel
Need an ISO/CIO/Legal relationship