Educause Security Discussion mailing list archives

Chronicle of Higher Ed: California Colleges Prepare to Disclose Computer Intrusions


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 2 Jun 2003 16:19:58 -0400

[Ced Bennett from Stanford is quoted in this Chronicle 6/6/03 article.
 Note that the article implies that even colleges outside California
 might also need to comply with the new law.                 - Morrow ]

This article is available online at this address:
http://chronicle.com/weekly/v49/i39/39a03101.htm

              - The text of the article is below -
_________________________________________________________________



  From the issue dated June 6, 2003

  California Colleges Prepare to Disclose Computer Intrusions

  By ANDREA L. FOSTER

   A new California law is pushing colleges in the state to
  re-evaluate how they collect, store, retrieve, and guard
  private data on their computers. The act, set to take effect
  on July 1, requires colleges and many other kinds of
  organizations to warn people if their personal information has
  fallen into the hands of hackers. Some lawyers say colleges
  outside California may also have to heed the law if any of
  their students are Californians.

  The idea behind the law is to give consumers the chance to
  protect their finances -- by stopping payments on credit cards
  or contacting the Social Security Administration -- as soon as
  they find out that computers on which their personal data are
  stored have been attacked. The law was prompted by an April
  2002 incident in which a computer system housing financial
  information on 260,000 California employees was hacked into.
  About four weeks went by before employees were told that their
  private information was no longer private. During that time,
  someone in Germany tried to gain access to an employee's bank
  account, and someone else tried to get the mailing address
  changed for an employee's credit-card account.

  The disclosure law requires businesses, state agencies, and
  public and private higher-education institutions to notify
  consumers promptly if computers that contain their personal
  data have been compromised.

  For colleges in California -- many of which are hacked
  regularly, to various degrees -- that could mean notifying
  students, professors, staff members, and administrators.
  Failing to comply with the law could make colleges liable for
  civil damages and class-action lawsuits.

  The new law could force colleges to find ways to guard
  electronically stored personal data more closely, to purge
  such information from databases periodically, and to stop
  using Social Security numbers to identify students.

  "I'll follow the law. But I'll be damned if I know how," says
  Ced Bennett, director of information systems and security at
  Stanford University. The challenge, he explains, is
  identifying what private information has been compromised in a
  hacking incident.

  Many security experts predict that the law could increase the
  use of data encryption. Institutions that encrypt personal
  information are excused from the act's notification
  requirements.

  The law defines such information as an individual's first name
  or first initial, and last name in combination with a Social
  Security number, driver's-license number, California
  Identification Card number, or financial-account number that
  is password-protected.

  While some college officials, like those at Stanford and in
  the University of California system, are delving into the
  details of the law and figuring out what they need to do to
  prepare for meeting its requirements, other college
  administrators in the state have only a vague notion of what
  it means. Some have never heard of it at all. Those who were
  unaware of the law when asked about it recently include
  Jonathan A. Brown, president of the Association of Independent
  California Colleges and Universities, and Christine Helwick,
  general counsel of the California State University System.

  The law's impact on higher education, however, could reach far
  beyond California. Some lawyers say it could affect every
  college in the country that enrolls students from California.
  Other lawyers disagree.

  Tracking the Data

  On the University of California's campuses at Berkeley, Los
  Angeles, and Santa Cruz, administrators are griping about yet
  another "unfunded mandate" -- bureaucratic lingo for laws that
  cost money and require more work from staff members to carry
  out, but which aren't accompanied by increased appropriations.
  Those officials also note, with bemusement, that the law
  attempts to protect only personal data stored online, not
  equivalent information on paper in file cabinets or notebooks.

  Joseph Simitian, a Democratic legislator who supported the
  law, says online security is at greater risk. "When you're
  talking about the ability to move vast amounts of data
  instantaneously, there's a qualitative difference between a
  security breach of that magnitude and someone who's rifling
  through a file cabinet in the dean's office at 2 o'clock in
  the morning."

  The administrators acknowledge that the law is useful because
  it forces them to take stock of the personal data collected
  and maintained at their institutions, and to determine which
  data are encrypted and which are not. That's no small feat on
  the decentralized University of California campuses.

  "We have to think through what data are out there, who has
  access to it, and for what purpose," says Kent J. Wada,
  information-technology security coordinator at UCLA. If a
  professor wants to keep track of student payments for
  conferences or books and creates a database that includes
  credit-card numbers, for example, that information would
  immediately fall under the provisions of the disclosure law,
  even though the professor may not even be aware of the law,
  much less know how to comply with it.

  The university system's office has stepped in to help
  officials on individual campuses figure out what they have to
  do. The office demands that each campus inventory the personal
  data that it stores online, draw up a process to determine
  whether a security breach has occurred, and assign someone
  responsibility for ensuring that people are notified of such a
  breach. Campus officials also must immediately report hacking
  incidents to the system.

  Santa Cruz administrators were to hold a workshop last week to
  help their colleagues understand those responsibilities. In
  preparation, Larry Merkley, vice provost for information
  technology, has asked all department heads to complete an
  online form that describes the personal information they have
  and how they maintain it, and to update contact information
  for everyone whose personal information is in their computers.

  In a letter to department heads, he says Santa Cruz is
  preparing an "implementation plan" for the law. The
  university's Web site cites examples of how, apart from a
  hacking incident, the security of a computer system might be
  breached: A colleague might open a file or e-mail message in
  which personal information is stored. A laptop or personal
  digital assistant containing such data might get lost.

  In the event of a computer-security breach, the law requires
  only that colleges notify California residents. But University
  of California administrators say they would probably notify
  everyone involved, including students from other states and
  other countries. It would require too much effort to separate
  California students from other students, they say.

  Out of State

  One uncertainty is whether the law protects California
  residents who attend college outside the state. Some
  cybersecurity lawyers say it does, noting that the law
  requires "any resident of California" to be informed of a
  computer-security breach. That means the law would follow a
  California resident to, for example, the University of North
  Carolina at Charlotte, and would apply even to a resident who
  enrolls in an online course from the University of Maryland
  University College, says Faye Jones, a professor at the
  McGeorge School of Law at University of the Pacific.

  "The focus of the law is on protecting California residents,"
  says Ms. Jones, who is a member of an American Bar Association
  committee on cybersecurity and privacy.

  However, Scott Pink, a Sacramento lawyer who is deputy
  chairman of the committee, argues that California doesn't have
  the authority to regulate the affairs of an educational
  institution in another state. "I have a hard time believing
  that would stand up as a constitutional matter," he says.

  Elaine M. LaFlamme, a New York lawyer specializing in
  intellectual property and technology, who is also a member of
  the bar association's cybersecurity committee, says it is too
  soon to tell how courts will interpret the law. Those who must
  comply with it are -- in the words of the law -- "any person
  or business that conducts business in California." Whether the
  University of Texas, for example, "conducts business" in
  California because it recruits California residents for
  enrollment is open to dispute, she says.

  Experts disagree on whether the act will actually end up
  protecting people's personal information.

  Some are skeptical because they see loopholes. The law doesn't
  specify what kind of encryption is acceptable, so colleges
  could get away with a weak form of encryption for personal
  data. And colleges don't have to notify people about a breach
  if law-enforcement officials decide that doing so would impede
  a criminal investigation. What's more, the law leaves college
  administrators to judge when people's personal data are
  "reasonably believed" to have fallen into the wrong hands as a
  result of a hacking incident.

  But Consumers Union says the law is beneficial. "We can't
  protect ourselves unless we know there's been a leak," says
  Gail K. Hillebrand, a senior lawyer at the consumer-advocacy
  group. The law will allow people, once notified of a problem,
  to put security alerts on their credit reports or more
  carefully check financial records, she says. "With identity
  theft, the best form of protection is prevention."

  But critics of the law say focusing attention on computer
  hacking doesn't adequately address the problem of identity
  theft. "When you look at the statistics in terms of the kinds
  of malfeasance that you have going on with network systems,
  you see it's not cyber-attacks," says Ms. LaFlamme.

  Computer Breaches

  Identity theft, she says, often occurs because of human error
  -- computer systems are poorly configured, software isn't
  secure, or institutions are lax about guarding their
  employees' personal financial data.

  Jim Davis, associate vice chancellor for information
  technologies at UCLA, says there's been only one breach of a
  computer system at his university in the past five years in
  which personal information was left unsecured. "People were
  contacted right away. So the behavior of the campus was almost
  as if this law had been in place."

  Mr. Merkley, of Santa Cruz, says that while administrators
  there have suspected at times that computers were hacked into
  and personal information compromised, the evidence wasn't
  "clear and categorical."

  Nonetheless, intrusions into computer systems grab lawmakers'
  attention, particularly when hackers get their hands on
  personal data from hundreds of thousands of people.

  In one of the biggest hacking cases affecting a campus
  network, federal prosecutors in March charged a student at the
  University of Texas at Austin with stealing 52,500 names and
  Social Security numbers from a university database.

  Risky Protection

  Some experts worry that California's effort to safeguard
  people's financial data could end up hurting colleges.

  Peter C. Cassat, a Washington lawyer who specializes in
  information technology and intellectual property, says the law
  may provide a basis for students or faculty members to sue
  colleges, accusing them of inadequately protecting personal
  information. The law, he notes, does not limit the damages
  that a college could sustain for not adhering to the law.

  "This is likely to lead to frivolous lawsuits without solving
  the real challenges associated with information-security
  policy," he says.

  Perhaps the biggest problem with the law, the lawyer says, is
  that it could lead other states to adopt their own disclosure
  rules, creating a mishmash of contradictory laws. Would a
  California college, for example, have to follow California's
  disclosure law, or those of the states from which its students
  come?

  Such confusion, Mr. Cassat says, is best avoided through a
  federal law that would create a uniform standard for
  disclosure.

  As lawyers debate the merits of the California law, college
  administrators wrestle with how to make it work. The law is
  vague, for example, on how thorough notification should be,
  says Chuck Piotrowski, records manager at Santa Cruz.

  He wonders how to inform students who frequently move, or
  foreign students who might be out of the country during a
  hacking incident. "Do we post a notice at the Super Bowl?"

  ONE RESPONSE TO THE LAW ON HACKING

  The University of California system says its campuses should
  take these steps to comply with a new California law that
  requires colleges to notify people after a hacker or other
  intruder has viewed their personal data:

  Data Inventory

  Campuses must set up a process to identify:

   - Where personal information is used and stored.
   - Who has authority to gain access to and use the data.
   - The custodian of the data.
   - An acceptable level of security protection for the data.

  Reporting Requirements

  Campuses must report immediately in writing to the system's
  associate vice president for information resources and
  communications:

   - Anytime there has been a security breach.
   - When the incident is closed. The report should provide a
     description of the incident, the response process, the
     notification process, and the actions taken to prevent further
     breaches of security.

  SOURCE: University of California

_________________________________________________________________
Copyright 2003 by The Chronicle of Higher Education

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
