Educause Security Discussion mailing list archives
Dept of Edu Letters
From: "Hudson, Edward" <ehudson () CALSTATE EDU>
Date: Thu, 7 Dec 2017 19:33:19 +0000
Interested in institutions' response to the DoE taking an increasingly broad interpretation of breach reporting obligations around any security breach of PII. At a recent conference the DoE lead presentation reportedly includes insistence that 1- ALL (broadly defined) “breaches” be reported “immediately” (i.e. within a day) 2- an announcement that GLBA audits of institutions will begin in 2018 with fines consistent with Clery fines (up to 54,789) for each violation.

A read of those Dear Colleague letters, the obligation (especially under GLBA, which regulates in the financial sector) is to ensure the security and confidentiality of student financial aid records/information only, and that the data breach notification requirements relate to that subset of information only, not all PII. But it sounds like the DoE is now interpreting their mandate and authority much more broadly. A review of one of their recent letters was, in my view, very heavy-handed and threatening and stemmed from a random media post, not from an actual incident.

Would like to talk to anyone offline that has had to go through this process with DoE.

Best
Ed Hudson
Interim CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu

I subscribe to e-mail classification: i=Information, a=Action, u=Urgent
Current thread:
- Dept of Edu Letters Hudson, Edward (Dec 07)
- Re: Dept of Edu Letters David Escalante (Dec 07)
- Re: Dept of Edu Letters Greg Jackson (Dec 07)
- Re: Dept of Edu Letters Jarret Cummings (Dec 07)
- Re: Dept of Edu Letters Aube, Jane M. (Dec 09)
- Re: Dept of Edu Letters David Escalante (Dec 07)