Educause Security Discussion mailing list archives
Chronicle of Higher Ed: California Colleges Prepare to Disclose Computer Intrusions
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 2 Jun 2003 16:19:58 -0400
[Ced Bennett from Stanford is quoted in this Chronicle 6/6/03 article. Note that the article implies that even colleges outside California might also need to comply with the new law. - Morrow ]

This article is available online at this address: http://chronicle.com/weekly/v49/i39/39a03101.htm - The text of the article is below -

_________________________________________________________________

From the issue dated June 6, 2003

California Colleges Prepare to Disclose Computer Intrusions

By ANDREA L. FOSTER

A new California law is pushing colleges in the state to re-evaluate how they collect, store, retrieve, and guard private data on their computers. The act, set to take effect on July 1, requires colleges and many other kinds of organizations to warn people if their personal information has fallen into the hands of hackers. Some lawyers say colleges outside California may also have to heed the law if any of their students are Californians.

The idea behind the law is to give consumers the chance to protect their finances -- by stopping payments on credit cards or contacting the Social Security Administration -- as soon as they find out that computers on which their personal data are stored have been attacked.

The law was prompted by an April 2002 incident in which a computer system housing financial information on 260,000 California employees was hacked into. About four weeks went by before employees were told that their private information was no longer private.
During that time, someone in Germany tried to gain access to an employee's bank account, and someone else tried to get the mailing address changed for an employee's credit-card account.

The disclosure law requires businesses, state agencies, and public and private higher-education institutions to notify consumers promptly if computers that contain their personal data have been compromised. For colleges in California -- many of which are hacked regularly, to various degrees -- that could mean notifying students, professors, staff members, and administrators. Failing to comply with the law could make colleges liable for civil damages and class-action lawsuits.

The new law could force colleges to find ways to guard electronically stored personal data more closely, to purge such information from databases periodically, and to stop using Social Security numbers to identify students.

"I'll follow the law. But I'll be damned if I know how," says Ced Bennett, director of information systems and security at Stanford University. The challenge, he explains, is identifying what private information has been compromised in a hacking incident.

Many security experts predict that the law could increase the use of data encryption. Institutions that encrypt personal information are excused from the act's notification requirements. The law defines such information as an individual's first name or first initial, and last name in combination with a Social Security number, driver's-license number, California Identification Card number, or financial-account number that is password-protected.

While some college officials, like those at Stanford and in the University of California system, are delving into the details of the law and figuring out what they need to do to prepare for meeting its requirements, other college administrators in the state have only a vague notion of what it means. Some have never heard of it at all.
Those who were unaware of the law when asked about it recently include Jonathan A. Brown, president of the Association of Independent California Colleges and Universities, and Christine Helwick, general counsel of the California State University System.

The law's impact on higher education, however, could reach far beyond California. Some lawyers say it could affect every college in the country that enrolls students from California. Other lawyers disagree.

Tracking the Data

On the University of California's campuses at Berkeley, Los Angeles, and Santa Cruz, administrators are griping about yet another "unfunded mandate" -- bureaucratic lingo for laws that cost money and require more work from staff members to carry out, but which aren't accompanied by increased appropriations.

Those officials also note, with bemusement, that the law attempts to protect only personal data stored online, not equivalent information on paper in file cabinets or notebooks.

Joseph Simitian, a Democratic legislator who supported the law, says online security is at greater risk. "When you're talking about the ability to move vast amounts of data instantaneously, there's a qualitative difference between a security breach of that magnitude and someone who's rifling through a file cabinet in the dean's office at 2 o'clock in the morning."

The administrators acknowledge that the law is useful because it forces them to take stock of the personal data collected and maintained at their institutions, and to determine which data are encrypted and which are not. That's no small feat on the decentralized University of California campuses.

"We have to think through what data are out there, who has access to it, and for what purpose," says Kent J. Wada, information-technology security coordinator at UCLA.
If a professor wants to keep track of student payments for conferences or books and creates a database that includes credit-card numbers, for example, that information would immediately fall under the provisions of the disclosure law, even though the professor may not even be aware of the law, much less know how to comply with it.

The university system's office has stepped in to help officials on individual campuses figure out what they have to do. The office demands that each campus inventory the personal data that it stores online, draw up a process to determine whether a security breach has occurred, and assign someone responsibility for ensuring that people are notified of such a breach. Campus officials also must immediately report hacking incidents to the system.

Santa Cruz administrators were to hold a workshop last week to help their colleagues understand those responsibilities. In preparation, Larry Merkley, vice provost for information technology, has asked all department heads to complete an online form that describes the personal information they have and how they maintain it, and to update contact information for everyone whose personal information is in their computers. In a letter to department heads, he says Santa Cruz is preparing an "implementation plan" for the law.

The university's Web site cites examples of how, apart from a hacking incident, the security of a computer system might be breached: A colleague might open a file or e-mail message in which personal information is stored. A laptop or personal digital assistant containing such data might get lost.

In the event of a computer-security breach, the law requires only that colleges notify California residents. But University of California administrators say they would probably notify everyone involved, including students from other states and other countries. It would require too much effort to separate California students from other students, they say.
Out of State

One uncertainty is whether the law protects California residents who attend college outside the state. Some cybersecurity lawyers say it does, noting that the law requires "any resident of California" to be informed of a computer-security breach.

That means the law would follow a California resident to, for example, the University of North Carolina at Charlotte, and would apply even to a resident who enrolls in an online course from the University of Maryland University College, says Faye Jones, a professor at the McGeorge School of Law at University of the Pacific. "The focus of the law is on protecting California residents," says Ms. Jones, who is a member of an American Bar Association committee on cybersecurity and privacy.

However, Scott Pink, a Sacramento lawyer who is deputy chairman of the committee, argues that California doesn't have the authority to regulate the affairs of an educational institution in another state. "I have a hard time believing that would stand up as a constitutional matter," he says.

Elaine M. LaFlamme, a New York lawyer specializing in intellectual property and technology, who is also a member of the bar association's cybersecurity committee, says it is too soon to tell how courts will interpret the law. Those who must comply with it are -- in the words of the law -- "any person or business that conducts business in California." Whether the University of Texas, for example, "conducts business" in California because it recruits California residents for enrollment is open to dispute, she says.

Experts disagree on whether the act will actually end up protecting people's personal information. Some are skeptical because they see loopholes. The law doesn't specify what kind of encryption is acceptable, so colleges could get away with a weak form of encryption for personal data. And colleges don't have to notify people about a breach if law-enforcement officials decide that doing so would impede a criminal investigation.
What's more, the law leaves college administrators to judge when people's personal data are "reasonably believed" to have fallen into the wrong hands as a result of a hacking incident.

But Consumers Union says the law is beneficial. "We can't protect ourselves unless we know there's been a leak," says Gail K. Hillebrand, a senior lawyer at the consumer-advocacy group. The law will allow people, once notified of a problem, to put security alerts on their credit reports or more carefully check financial records, she says. "With identity theft, the best form of protection is prevention."

But critics of the law say focusing attention on computer hacking doesn't adequately address the problem of identity theft. "When you look at the statistics in terms of the kinds of malfeasance that you have going on with network systems, you see it's not cyber-attacks," says Ms. LaFlamme.

Computer Breaches

Identity theft, she says, often occurs because of human error -- computer systems are poorly configured, software isn't secure, or institutions are lax about guarding their employees' personal financial data.

Jim Davis, associate vice chancellor for information technologies at UCLA, says there's been only one breach of a computer system at his university in the past five years in which personal information was left unsecured. "People were contacted right away. So the behavior of the campus was almost as if this law had been in place."

Mr. Merkley, of Santa Cruz, says that while administrators there have suspected at times that computers were hacked into and personal information compromised, the evidence wasn't "clear and categorical."

Nonetheless, intrusions into computer systems grab lawmakers' attention, particularly when hackers get their hands on personal data from hundreds of thousands of people.
In one of the biggest hacking cases affecting a campus network, federal prosecutors in March charged a student at the University of Texas at Austin with stealing 52,500 names and Social Security numbers from a university database.

Risky Protection

Some experts worry that California's effort to safeguard people's financial data could end up hurting colleges. Peter C. Cassat, a Washington lawyer who specializes in information technology and intellectual property, says the law may provide a basis for students or faculty members to sue colleges, accusing them of inadequately protecting personal information. The law, he notes, does not limit the damages that a college could sustain for not adhering to the law.

"This is likely to lead to frivolous lawsuits without solving the real challenges associated with information-security policy," he says.

Perhaps the biggest problem with the law, the lawyer says, is that it could lead other states to adopt their own disclosure rules, creating a mishmash of contradictory laws. Would a California college, for example, have to follow California's disclosure law, or those of the states from which its students come? Such confusion, Mr. Cassat says, is best avoided through a federal law that would create a uniform standard for disclosure.

As lawyers debate the merits of the California law, college administrators wrestle with how to make it work. The law is vague, for example, on how thorough notification should be, says Chuck Piotrowski, records manager at Santa Cruz. He wonders how to inform students who frequently move, or foreign students who might be out of the country during a hacking incident. "Do we post a notice at the Super Bowl?"
ONE RESPONSE TO THE LAW ON HACKING

The University of California system says its campuses should take these steps to comply with a new California law that requires colleges to notify people after a hacker or other intruder has viewed their personal data:

Data Inventory

Campuses must set up a process to identify:
- Where personal information is used and stored.
- Who has authority to gain access to and use the data.
- The custodian of the data.
- An acceptable level of security protection for the data.

Reporting Requirements

Campuses must report immediately in writing to the system's associate vice president for information resources and communications:
- Anytime there has been a security breach.
- When the incident is closed.

The report should provide a description of the incident, the response process, the notification process, and the actions taken to prevent further breaches of security.

SOURCE: University of California

_________________________________________________________________

Copyright 2003 by The Chronicle of Higher Education