Educause Security Discussion mailing list archives

Re: External Incident Notification Involving a Constituency


From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Wed, 30 Oct 2019 18:24:56 +0000

We handle third-party breach notifications two ways. All breaches involving current students, faculty or staff are 
posted to our News and Alerts site where the community can "self-serve" for information. We give the basic information 
about what was exposed and point users toward the correct website or contact information to follow up.

For breaches involving clear-text or weakly encrypted passwords, we send email notifications to all affected 
individuals. The primary reason is the near certainty of password reuse. This reasoning was confirmed after the Chegg 
breach, when we had more compromised accounts in two weeks than we had had in the previous two years.

Again, this is only for current students, faculty, and staff, not alumni or retirees. Our primary goal is to protect 
college assets that only active community members would have access to. Our email is on O365, so we let Microsoft deal 
with all other constituents.

Dan


Daniel H. Boyd (94C)
Director of Information Security
Office for Information Technology
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax:     706-238-5824
https://infosec.berry.edu/

There are two rules to follow with your account passwords:
1. NEVER SHARE YOUR PASSWORDS WITH ANYONE (EVEN OIT!!!!)
2. If unsure, consult rule #1
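The two-tier handling Dan describes above (news post for every affected current community member, direct email only when clear-text or weakly hashed passwords were exposed, nothing for alumni or retirees) is easy to get wrong by hand once a breach list has thousands of rows. The following is an added example, not code from the original thread or from Berry College: it triages a constructed breach export against a constructed campus directory. The CSV columns, the directory format, and which hash algorithms count as "weak" are all assumptions chosen for illustration.

```python
"""Triage a third-party breach export against a campus directory.

Added example (not from the original post). Assumptions: the breach export
is a CSV with `email` and `password_format` columns; the directory maps
email -> affiliation; unsalted fast hashes are treated like clear-text.
"""
from dataclasses import dataclass
import csv
import io

# Formats where offline cracking is cheap enough that exposure is effectively
# clear-text for password-reuse purposes (assumption for this example).
WEAK_HASHES = {"plaintext", "md5", "sha1", "sha256", "ntlm"}
# Slow / memory-hard password hashes: news post only, no direct email.
STRONG_HASHES = {"bcrypt", "scrypt", "argon2", "pbkdf2"}

ACTIVE_AFFILIATIONS = {"student", "faculty", "staff"}


@dataclass(frozen=True)
class Decision:
    email: str
    post_to_news: bool   # include in the News and Alerts post
    send_email: bool     # send an individual notification
    reason: str


# Constructed sample breach export (what a vendor notice might contain).
BREACH_CSV = """email,password_format
alice@example.edu,md5
bob@example.edu,bcrypt
carol@example.edu,plaintext
dave@example.edu,none
erin@example.edu,sha1
"""

# Constructed campus directory; alumni and retirees are inactive.
DIRECTORY = {
    "alice@example.edu": "student",
    "bob@example.edu": "faculty",
    "carol@example.edu": "alumni",
    "dave@example.edu": "staff",
    "erin@example.edu": "retiree",
}


def password_exposure(fmt):
    """Classify the password field as 'none', 'weak', 'strong' or 'unknown'."""
    f = (fmt or "").strip().lower()
    if f in ("", "none", "n/a"):
        return "none"
    if f in WEAK_HASHES:
        return "weak"
    if f in STRONG_HASHES:
        return "strong"
    return "unknown"


def triage(breach_csv, directory):
    """Return one Decision per breach row, applying the active-only rule."""
    decisions = []
    for row in csv.DictReader(io.StringIO(breach_csv)):
        email = row["email"].strip().lower()
        affiliation = directory.get(email)
        if affiliation not in ACTIVE_AFFILIATIONS:
            # Not a current community member: no institutional action.
            decisions.append(Decision(email, False, False, f"inactive:{affiliation}"))
            continue
        exposure = password_exposure(row.get("password_format"))
        # Email only when the password is effectively recoverable. An
        # unrecognised format is treated as weak so nobody is silently skipped.
        send = exposure in ("weak", "unknown")
        decisions.append(Decision(email, True, send, f"password:{exposure}"))
    return decisions


def email_recipients(decisions):
    """Sorted list of addresses that get an individual notification."""
    return sorted(d.email for d in decisions if d.send_email)


if __name__ == "__main__":
    for d in triage(BREACH_CSV, DIRECTORY):
        print(d)
```

With the constructed data only alice gets an email: bob's password was bcrypt-hashed, dave's row exposed no password at all, and carol and erin are not active community members. Treating an unknown hash format as weak is a deliberate fail-safe; loosen it only once the vendor confirms the algorithm.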



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W.
Sent: Wednesday, October 30, 2019 2:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] External Incident Notification Involving a Constituency


Afternoon,

For those that send notices of breaches at other entities that involve your constituents, why? We have a bit of a 
debate here as to IF, HOW OFTEN, and/or HOW we notify for breaches of third-party systems that release information 
pertaining to us. If you do, why? If you don't, why not? I have a short list of why or why not, but I would like to 
hear from others. Has anybody found a best practice on the subject?

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

