Educause Security Discussion mailing list archives
Re: Dept of Edu Letters DOE sending letters about nonpublic info disclosures from Rasputin SQLi attack
From: "Aube, Jane M." <jaube () MIDDLEBURY EDU>
Date: Wed, 10 Jan 2018 11:42:13 +0000
Hi all,

Passing along the below information from NASFAA regarding unsolicited PII received via unencrypted email being a reportable breach discussion:

From: NASFAA Today's News [mailto:news () nasfaa org]
Sent: Thursday, January 4, 2018 8:03 AM
Subject: Today's News for January 4, 2018

NEWS FROM NASFAA

Schools Not Required to Report Unsolicited Personally Identifiable Information - For Now
http://nasfaa.informz.net/z/cjUucD9taT03MjQxMDk5JnA9MSZ1PTEwNzE4NTI0NDYmbGk9NTA1OTg4ODI/index.html

The Department of Education (ED) has confirmed verbally that schools that receive unsolicited personally identifiable information (PII) from a student or parent through an unsecured manner do not currently have to report it as a data breach to ED. Discussions on this topic are continuing at ED.

Best regards,
Jane Aube
Loan Programs and Compliance Specialist | Student Financial Services | Middlebury College | 802.443.5790

_____________________________
From: Jarret Cummings <jcummings () educause edu>
Sent: Thursday, December 7, 2017 3:39 PM
Subject: Re: [SECURITY] Dept of Edu Letters
To: <security () listserv educause edu>

Hi, Ed -

EDUCAUSE has initiated direct discussions with the Federal Student Aid senior advisor for cybersecurity about problems with the guidance that FSA both has and hasn't provided on this topic, and how to expand the dialogue with our members to address both the way compliance obligations are being defined and interpreted as well as the lack of documented principles and processes for meeting them. That, of course, is going to take some time to pull together.

Given the need for institutional response in the near term, I would recommend asking university counsel to take a look at the single provision in the FSA Program Participation Agreement that speaks to the GLBA Safeguards Rule, as well as the two provisions in the Student Aid Internet Gateway Agreement that address breach issues. It is important that the institution review its copy of those agreements, since versions of the agreements vary across institutions depending on when they've been signed. What is actually in your version of each bears on your compliance obligations, although you can access generic versions of the docs., as well as other docs. I'll mention, at: https://ifap.ed.gov/eannouncements/Cyber.html. In addition to the PPA and SAIG Agreement, there are two "Dear Colleague Letters" relevant to FSA's cybersecurity guidance: https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html.

The most important for this discussion is the first one, because it's the letter in which FSA asserts that the SAIG Agreement requires institutions to report "suspected" breaches. You will want your institutional/system legal counsel to compare the statement in GEN 15-18 with what the SAIG Agreement actually says; the provision that talks about institutions reporting a breach immediately is distinct from the provision that talks about what ED can do in sharing information with other federal agencies if it suspects an institution has had a breach. Thus far, we have yet to see formal documentation that connects the two in the way FSA appears to be asserting, or even formal documentation that establishes the definition of breach and related processes (i.e., "immediately") that have been raised in presentations and the FAQs on the FSA Cybersecurity Compliance page (see link above).

Finally, as relates to the Safeguards Rule audit objective, which we expect will be included in the FY18 federal single audit process although that is not yet officially confirmed, the actual text of the objective (https://ifap.ed.gov/eannouncements/attachments/FY18DraftLanguageSecuringStudentInformation.pdf) limits the auditor to seeing if the institution has a few key elements of the Rule in place (information security coordinator, a risk assessment, documented safeguards for identified risks). The auditor is not charged with or empowered to evaluate the nature of what the institution has implemented in those areas, just that it has addressed them (and documented that).

We will have more to say as the engagement with FSA takes shape. In the meantime, I have also informed the presidential and other higher education leadership associations about the problems emerging in this space. As a result of those discussions, I have every expectation that we can count on their support in trying to get FSA and ED to work with us effectively in this area.

- Jarret

_______________________________________________
Jarret S. Cummings
Director of Policy and Government Relations
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | main: 202.872.4200 | educause.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson, Edward
Sent: Thursday, December 7, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Dept of Edu Letters

Interested in institutions' response to the DoE taking an increasingly broad interpretation of breach reporting obligations around any security breach of PII. At a recent conference the DoE lead presentation reportedly includes insistence that
1- ALL (broadly defined) "breaches" be reported "immediately" (i.e. within a day)
2- an announcement that GLBA audits of institutions will begin in 2018 with fines consistent with Clery fines (up to 54,789) for each violation.

From a read of those Dear Colleague letters, the obligation (especially under GLBA, which regulates in the financial sector) is to ensure the security and confidentiality of student financial aid records/information only, and the data breach notification requirements relate to that subset of information only, not all PII.

But it sounds like the DoE is now interpreting their mandate and authority much more broadly. A review of one of their recent letters was, in my view, very heavy handed and threatening and stemmed from a random media post, not from an actual incident. Would like to talk to anyone off line that has had to go through this process with DoE.

Best
Ed Hudson
Interim CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu
I subscribe to e-mail classification: i=Information, a=Action, u=Urgent

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy
Sent: Wednesday, November 29, 2017 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DOE sending letters about nonpublic info disclosures from Rasputin SQLi attack

We received a letter recently from the US Dept of Education telling us that information at www.recordedfuture.com indicated we had experienced a breach of nonpublic customer information and reminding us that we had to file a report with DOE. Of course, the letter had no details on the breach. After some digging, we found the article that referenced us.

It's at https://www.recordedfuture.com/recent-rasputin-activity/

We were included in the list of the US universities affected by this attack. I suspect other EDUs in the list will be getting a letter from US-DOE sent to your institution's president. So I thought I'd warn you guys about this new wrinkle in the Federal cybersecurity world. AND to let you know, we did NOT experience a nonpublic info breach. :-)

-Randy Marchany
VA Tech IT Security Office and Lab