Educause Security Discussion mailing list archives

Re: Procedure Question


From: "Penn, Blake" <pennb () UWW EDU>
Date: Fri, 19 Aug 2005 12:58:24 -0500

Louisa:

If no personal data has been compromised (that is, only the system has been
compromised) then you really have no legal obligations to disclose the
breach.  The state statutes
(http://www.perkinscoie.com/content/ren/updates/privacy/081205.htm) and
national statute-in-progress (Specter-Leahy Personal Data Privacy And
Security Act of 2005) really only cover situations where personal data is
compromised.  Other statutes such as GLBA, FERPA, and HIPAA all deal with
the security of a particular kind of data (financial, student, and medical,
respectively).

Having worked security in the web-hosting world in the past, I have seen
literally hundreds (if not thousands) of web server breaches.  In most
cases, no notification was made to the customer, and the matter was handled
purely operationally.  That is, the compromises were analyzed, and the root
causes remediated.

Handling incidents such as this operationally is fine in an academic
environment as well provided that you are fully confident that no personal
or organizational data was breached.  The most important action to take
after these incidents is to identify and fix the underlying problem(s)
within your environment, or you just might start seeing systems get
compromised that DO contain sensitive information.  And that's just not fun
for anyone.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513 (f) 262-472-1285
e-mail: pennb () uww edu


***********************************

From: Avitua, Louisa [mailto:lavitua () STMARYTX EDU]
Sent: Friday, August 19, 2005 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Procedure Question

As a newcomer to the IT world holding an interim position for a while, I am
in need of understanding the procedure for the following:

What is the requirement or responsibility of an institution when a website
has been compromised and analysis shows no compromise of personal data? Is
notification to students required or recommended?

Thank you for your direction.

Louisa Martin
Coordinator for Information Technology
St. Mary's University
San Antonio, Texas 78228
(210) 431-5005  - phone
e-mail: lavitua () stmarytx edu
