Educause Security Discussion mailing list archives
Re: Procedure Question
From: "Cuocco, Patricia" <Pcuocco () CALSTATE EDU>
Date: Fri, 19 Aug 2005 11:02:12 -0700
Please don't take this as the rule in California. The law is much more stringent and requires notice if the confidential data has "potentially" been compromised, which most of us here have taken to mean that there was data on the compromised system even if there is no indication that it was accessed. That being said, I'll defer to my technical brethren to expound further.

Patricia

-----Original Message-----
From: Penn, Blake [mailto:pennb () UWW EDU]
Sent: Friday, August 19, 2005 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Procedure Question

Louisa:

If no personal data has been compromised (that is, only the system has been compromised), then you really have no legal obligations to disclose the breach. The state statutes (http://www.perkinscoie.com/content/ren/updates/privacy/081205.htm) and the national statute-in-progress (Specter-Leahy Personal Data Privacy And Security Act of 2005) really only cover situations where personal data is compromised. Other statutes such as GLBA, FERPA, and HIPAA all deal with the security of a particular kind of data (financial, student, and medical, respectively).

Having worked security in the web-hosting world in the past, I have seen literally hundreds (if not thousands) of web server breaches. In most cases, no notification was made to the customer, and the matter was handled purely operationally. That is, the compromises were analyzed, and the root causes remediated. Handling incidents such as this operationally is fine in an academic environment as well, provided that you are fully confident that no personal or organizational data was breached.

The most important action to take after these incidents is to identify and fix the underlying problem(s) within your environment, or you just might start seeing systems get compromised that DO contain sensitive information. And that's just not fun for anyone.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513
(f) 262-472-1285
e-mail: pennb () uww edu
***********************************

From: Avitua, Louisa [mailto:lavitua () STMARYTX EDU]
Sent: Friday, August 19, 2005 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Procedure Question

As a newcomer to the IT world holding an interim position for a while, I am in need of understanding the procedure for the following: What is the requirement or responsibility of an institution when a website has been compromised and analysis shows no compromise of personal data? Is notification to students required or recommended?

Thank you for your direction.

Louisa Martin
Coordinator for Information Technology
St. Mary's University
San Antonio, Texas 78228
(210) 431-5005 - phone
e-mail: lavitua () stmarytx edu
Current thread:
- Procedure Question Avitua, Louisa (Aug 19)
- <Possible follow-ups>
- Re: Procedure Question Kay Sommers (Aug 19)
- Re: Procedure Question Penn, Blake (Aug 19)
- Re: Procedure Question Cuocco, Patricia (Aug 19)
- Re: Procedure Question Stephen D. Franklin (Aug 19)
- Re: Procedure Question Sarah Stevens (Aug 21)