Educause Security Discussion mailing list archives

Re: Dept of Edu Letters DOE sending letters about nonpublic info disclosures from Rasputin SQLi attack


From: "Aube, Jane M." <jaube () MIDDLEBURY EDU>
Date: Wed, 10 Jan 2018 11:42:13 +0000

Hi all,

Passing along the below information from NASFAA regarding the discussion of whether unsolicited PII received via
unencrypted email is a reportable breach:

From: NASFAA Today's News [mailto:news () nasfaa org]
Sent: Thursday, January 4, 2018 8:03 AM
Subject: Today's News for January 4, 2018

NEWS FROM NASFAA
Schools Not Required to Report Unsolicited Personally Identifiable Information - For
Now <http://nasfaa.informz.net/z/cjUucD9taT03MjQxMDk5JnA9MSZ1PTEwNzE4NTI0NDYmbGk9NTA1OTg4ODI/index.html>

The Department of Education (ED) has confirmed verbally that schools that receive unsolicited personally identifiable
information (PII) from a student or parent in an unsecured manner do not currently have to report it as a data
breach to ED. Discussions on this topic are continuing at ED.


Best regards,

Jane Aube

Loan Programs and Compliance Specialist | Student Financial Services | Middlebury College | 802.443.5790

_____________________________
From: Jarret Cummings <jcummings () educause edu<mailto:jcummings () educause edu>>
Sent: Thursday, December 7, 2017 3:39 PM
Subject: Re: [SECURITY] Dept of Edu Letters
To: <security () listserv educause edu<mailto:security () listserv educause edu>>

Hi, Ed - EDUCAUSE has initiated direct discussions with the Federal Student Aid senior advisor for cybersecurity about 
problems with the guidance that FSA both has and hasn't provided on this topic, and how to expand the dialogue with our 
members to address both the way compliance obligations are being defined and interpreted as well as the lack of 
documented principles and processes for meeting them.

That, of course, is going to take some time to pull together. Given the need for institutional response in the near 
term, I would recommend asking university counsel to take a look at the single provision in the FSA Program 
Participation Agreement that speaks to the GLBA Safeguards Rule, as well as the two provisions in the Student Aid 
Internet Gateway Agreement that address breach issues. It is important that the institution review its copy of those
agreements, since versions of the agreements vary across institutions depending on when they've been signed. What is
actually in your version of each bears on your compliance obligations, although you can access generic versions of the
docs., as well as other docs. I'll mention,
at: https://ifap.ed.gov/eannouncements/Cyber.html.

In addition to the PPA and SAIG Agreement, there are two "Dear Colleague Letters" relevant to FSA's cybersecurity 
guidance: https://ifap.ed.gov/dpcletters/GEN1518.html
and
https://ifap.ed.gov/dpcletters/GEN1612.html.
The most important for this discussion is the first one, because it's the letter in which FSA asserts that the SAIG
Agreement requires institutions to report "suspected" breaches. You will want your institutional/system legal counsel to
compare the statement in GEN 15-18 with what the SAIG Agreement actually says; the provision that talks about 
institutions reporting a breach immediately is distinct from the provision that talks about what ED can do in sharing 
information with other federal agencies if it suspects an institution has had a breach. Thus far, we have yet to see 
formal documentation that connects the two in the way FSA appears to be asserting, or even formal documentation that 
establishes the definition of breach and related processes (i.e., "immediately") that have been raised in presentations 
and the FAQs on the FSA Cybersecurity Compliance page (see link above).

Finally, as relates to the Safeguards Rule audit objective, which we expect will be included in the FY18 federal single 
audit process although that is not yet officially confirmed, the actual text of the objective 
(https://ifap.ed.gov/eannouncements/attachments/FY18DraftLanguageSecuringStudentInformation.pdf)
 limits the auditor to seeing if the institution has a few key elements of the Rule in place (information security 
coordinator, a risk assessment, documented safeguards for identified risks). The auditor is not charged with or 
empowered to evaluate the nature of what the institution has implemented in those areas, just that it has addressed 
them (and documented that).

We will have more to say as the engagement with FSA takes shape. In the meantime, I have also informed the presidential 
and other higher education leadership associations about the problems emerging in this space. As a result of those 
discussions, I have every expectation that we can count on their support in trying to get FSA and ED to work with us 
effectively in this area. - Jarret

_______________________________________________
Jarret S. Cummings
Director of Policy and Government Relations

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | main: 202.872.4200 | educause.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson,
Edward
Sent: Thursday, December 7, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Dept of Edu Letters

Interested in institutions' response to the DoE taking an increasingly broad interpretation of breach reporting
obligations around any security breach of PII. At a recent conference the DoE lead presentation reportedly included
insistence that
1 - ALL (broadly defined) "breaches" be reported "immediately" (i.e. within a day)
2 - an announcement that GLBA audits of institutions will begin in 2018 with fines consistent with Clery fines (up to
54,789) for each violation.

From a read of those Dear Colleague letters, the obligation (especially under GLBA, which regulates in the financial sector)
is to ensure the security and confidentiality of student financial aid records/information only, and the data
breach notification requirements relate to that subset of information only, not all PII.  But it sounds like the DoE is
now interpreting their mandate and authority much more broadly. A review of one of their recent letters was, in my
view, very heavy-handed and threatening and stemmed from a random media post, not from an actual incident.
Would like to talk to anyone off line that has had to go through this process with DoE.

Best

Ed Hudson
Interim CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu<mailto:ehudson () calstate edu>

I subscribe to e-mail classification: i=Information, a=Action, u=Urgent

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy
Sent: Wednesday, November 29, 2017 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DOE sending letters about nonpublic info disclosures from Rasputin SQLi attack

We received a letter recently from the US Dept of Education telling us that information at
www.recordedfuture.com
indicated we had experienced a breach on nonpublic customer information and reminding us that we had to file a report
with DOE. Of course, the letter had no details on the breach. After some digging, we found the article that referenced
us. It's at

https://www.recordedfuture.com/recent-rasputin-activity/

We were included in the list of the US universities affected by this attack. I suspect other EDUs in the list will be
getting a letter from US-DOE sent to your institution's president. So I thought I'd warn you guys about this new wrinkle
in the Federal cybersecurity world.

AND to let you know, we did NOT experience a nonpublic info breach.  :-)

-Randy Marchany
VA Tech IT Security Office and Lab
