Educause Security Discussion mailing list archives

How do you handle "indirect" data breaches from "Have I Been Pwned"


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Fri, 16 Aug 2019 13:39:04 +0000

How do you handle third-party data breaches that could have an indirect connection to your institution, such as an 
individual using their .edu account for a personal cloud service, etc.?

We subscribe to haveibeenpwned.com's domain search notification service. We've seen a steady increase in notifications 
around these types of services:


- Chegg
- Canva
- Adobe

And then there are the usual personal services (fitness apps, tickets, etc.)

Should we notify potentially impacted accounts? If so, what guidance should be provided?

Seems there's a balance in being helpful but at the same time not assuming any liability or support burden.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696


