Interesting People mailing list archives

more on Stolen UC Berkeley laptop exposes personal data of nearly 100,000


From: David Farber <dave () farber net>
Date: Tue, 29 Mar 2005 15:17:44 -0500


------ Forwarded Message
From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: Mon, 28 Mar 2005 19:31:58 -0800
To: <dave () farber net>, Ari Ollikainen <Ari () OLTECO com>
Subject: Re: [IP] Stolen UC Berkeley laptop exposes personal data of nearly 100,000

At 05:03 PM 3/28/2005, David Farber wrote:
From: Ari Ollikainen <Ari () OLTECO com>
Date: Mon, 28 Mar 2005 15:57:17 -0800
To: David Farber <dave () farber net>
Subject: Stolen UC Berkeley laptop exposes personal data of nearly 100,000

 For IP...

 WHEN will they ever learn? [WHEN THEY CAN BE HELD LIABLE DJF] WHY was
 personal information other than a name and a NON-SSN ID on a laptop?

I was IT Security Officer in the UC Office of the President for a year
(more or less all of 2002); I was hired by a guy who wanted to fill that
policy-oriented (not operational) position, and the position was
eliminated/merged with a vacant policy position after he left.  The guy who
hired me was a former 3-star Army general, and I think he was never
comfortable in his own position (as CIO) there.

I would say that the problems are several, but the chief one is the rather
balkanized management of all things IT in the academic setting (and with
the added wrinkle here that UC is in fact a ten-campus system, of which Cal
is only one, though one of the largest).

When I was there (and I suspect it still holds), *written* policy, for
administrative computing, flat-out forbade having sensitive personal
information on laptops, or any sort of portable device.  That was, of
course, universally ignored, and we ought to have amended policy in light
of the wholesale migration of information away from mainframes and onto
portable devices.  We ought especially to have done this in light of
potential consequences under such things as HIPAA; doctors were of course
keeping sensitive Personal Medical Information (PMI) on laptops and PDAs,
but there was no guidance as to how to secure them, because it oughtn't to
have been there.

But NB that I said "administrative computing;" we had a series of
*Business* policies, but they only applied to UC administrative
business.  In this particular case, it sounds like what was lost were data
held by an academic researcher, doing analysis... they might argue that
those policy documents didn't really apply to them.  Though that doesn't
permit UC to escape the provisions of the State's Information Practices Act
requiring notice (as established in 2002 by SB 1386).

What UC *ought* to be doing is exposing anyone who handles personal
information, whether covered by HIPAA, SB 1386, FERPA, or other
privacy-related regulations or statutes, to education as to their
responsibilities.  In theory, the University should also be aware of any
such sensitive collections, but when I was there, that process had all but
died (the records management, and less IT security, function was suffering
from years of neglect).  What one ought to do is require anyone compiling a
collection of sensitive personal information to register as such, naming a
point of contact (and who would be responsible to receive training re the
sensitivity issues) for the collection, and understanding the potential
consequences of inappropriate disclosure (e.g., a breach as defined by SB
1386).

Beyond that, I'd want to look at how the costs of compliance are met... do
we think that the researcher in this case, whose apparent carelessness has
exposed a potential 100,000 victims to identity theft, will foot the bill
for notification?  SB 1386 has a sort of escape provision, where, if some
vast number of people's information is leaked, you can do a kind of
broadcast mea culpa, I believe, but I don't recall how that was supposed to
happen.  If notice in this case amounts to personal letters to 100,000
people (many of whom probably aren't identified in the data sufficient to
easily crank out a mail merge), that's a big chunk of change.

Ross



-----

Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com




------ End of Forwarded Message



Archives at: http://www.interesting-people.org/archives/interesting-people/