< Back to Main Site

EDUCAUSE review onlineEDUCAUSE review online

Out of the Breach and into the Fire

0 Comments

Policy@edu

© 2008 Heidi Wachs, Kent Wada, and Timothy Lance. The text of this article is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License (http://creativecommons.org/licenses/by-nc-sa/3.0/).

EDUCAUSE Review, vol. 43, no. 5 (September/October 2008)

Out of the Breach and into the Fire

Heidi Wachs, Kent Wada, and Timothy Lance

Heidi Wachs is Director of IT Policy and Privacy Officer at Georgetown University. Kent Wada is Director, IT Strategic Policy, at the University of California, Los Angeles (UCLA). Timothy Lance, President and Chair of NYSERNet (New York State Education and Research Network) and Distinguished Service Professor at the University at Albany, is Editor of the EDUCAUSE Review Policy@edu department.

Comments on this article can be sent to the authors at hlw9@georgetown.edu, kent@ucla.edu, and tl@nysernet.org and/or can be posted to the web via the link at the bottom of this page.

Two of the entries on the long list of data breaches in higher education are Georgetown University and UCLA. Timothy Lance recently talked with the IT policy officers at these two institutions to identify some of the policy implications of handling data breaches.

Timothy Lance: The incidents at Georgetown and at UCLA were quite different.

Heidi Wachs: Yes: Georgetown’s breach involved approximately 38,000 individuals and was due to the theft of an external hard drive. UCLA’s breach involved just over 800,000 individuals and was caused by a malicious intruder hacking into its systems.1 Yet there are many core activities in breach response that are the same and many parallels in the lessons learned.

Kent Wada: The size of our breach held implications for our response. Making a decision about notifying would affect a lot of people. In terms of logistics, we faced several challenges, such as how to send out hundreds of thousands of e-mails without being blocked by major ISPs because we looked like spammers and how to handle the 1,000 calls per hour that initially came into our call center.

Lance: How does handling a data breach differ from handling a standard security incident?

Wada: State data-breach notification laws add a separate dimension to what most standard security incident-response teams already do. Forensics may have to be more formal. Decisions will often require executive authority, legal counsel, and a public relations interface. Execution of notification may require an entirely separate administrative team.

Wachs: Many typical security events are detected by technology or IT department personnel. However, some data breaches will arise differently. For example, if a laptop is stolen, the theft will likely be reported by the device’s owner; or if PII [personally identifiable information] is inadvertently exposed on the network, the news media may call to say that a data leak was found through Google’s indexing and caching.

Wada: Something to keep in mind even in the midst of a crisis is internal communications in light of possible litigation after the fact. We all depend on the asynchronous convenience of e-mail for work; but we also all know that e-mail communication is very informal, especially in a crisis. Everyone needs to understand when it is appropriate to invoke attorney-client privilege and how to do so. And public institutions need to be mindful of state public records laws that are designed to ensure transparency and accountability, so that they do not inadvertently compromise security-sensitive information that could be used as a blueprint to attack institutional systems (e.g., the exact configuration of an intrusion-detection system).

Lance: Let’s focus for a moment on how you decide to notify.

Wada: Notification must be thought through before a crisis hits. In a situation where a laptop with PII is stolen, the notification process is straightforward: the data is in unauthorized hands, and notification is necessary.

Wachs: That’s assuming you know what data was actually on the laptop. Accurate inventories of PII must be conducted before a crisis strikes. Georgetown recently approved an “Interim Policy on the Use, Collection, and Retention of Social Security Numbers,” just one of the tools we are now using to conduct a thorough inventory of where our PII is used, stored, accessed, and transferred.

Wada: Unfortunately, the stolen laptop scenario is the easy one. It’s not uncommon to be in a situation where the forensics provide only a best/educated-guess scenario, which was the case with the UCLA breach. This moves beyond legal requirements and into the realm of an institution’s policy and cultural expectations—that is, which way to err? If an institution chooses not to notify, and later people who weren’t notified were among those whose data was exposed, there would be, at the least, reputational consequences. But notifying when doing so is not required can cause unnecessary alarm. UCLA chose broader notification than was strictly legally required.

The University of California uses three sets of factors to make such decisions.2 The primary criteria speak to the “simple” situations. For example, is it known that the data is in the physical possession of an unauthorized party? The secondary criteria are used when the facts aren’t so straightforward. For how long was the data exposed? Has any data, whether PII or not, been copied? Finally, the third set of criteria apply in the most complicated situations. Would it do more harm to notify incorrectly or to not notify incorrectly? What is the likelihood of fraud or identity theft? In general, the more ambiguous the situation, the greater is the need to notify.

Wachs: The best thing you can do is uncover the facts to the extent possible, decide what you are going to do based on those facts, and document your line of reasoning; in other words, do due diligence. And use good log-management practices,3 which will maximize the chance that forensics will result in conclusive facts should a breach occur.

Lance: Once you’ve decided to notify, then what?

Wachs: Notifying affected individuals requires many potential ancillary activities, such as creating a website, setting up a call center, and developing comprehensive messaging both for the internal campus community and for the media. The logistics of notification can be daunting: for example, coordinating with the U.S. Post Office to send out thousands or hundreds of thousands of pieces of mail. A small breach may require only a toll-free phone number staffed in-house, but a larger breach means finding and contracting with a call center vendor with thousands of operators who require precise scripting and the on-the-spot ability to revise based on calls. Georgetown used a call center and also a hotline at the Office of Advancement. In addition, we offered credit-monitoring services for one year, a choice that institutions must consider. The EDUCAUSE/Internet2 Computer and Network Security Task Force’s data incident notification toolkit is a good place to start.4

Wada: There’s an important timing issue here. You want to notify as quickly as possible once you have the facts. Often, you won’t yet have all of the facts, but waiting too long can give the perception that the institution is trying to hide something. On the other hand, notifying too quickly means that new information may require further notifications. In addition, if law enforcement is involved, they may request a delay in making a public announcement until their investigation has reached a certain point. Finally, the response package consisting of the call center, a website, and readiness for inquiries must be in place before notification; not having these items prepared is certain to increase confusion and anger.

Wachs: At least forty-three states have separate state data-breach notification laws. Many of them have similar requirements; however, it’s best to work with your counsel to determine how to comply.

Lance: There’s always an aftermath . . .

Wachs: A Data Security Task Force was formed at the request of Georgetown University President John J. DeGioia. Co-chaired by the university’s Senior Vice President and the university’s Vice President for Information Services and Chief Information Officer, the Steering Committee is composed of key data stakeholders throughout the university including CFOs, vice presidents, and a representative from the Office of University Counsel. The Data Security Task Force is charged with taking a comprehensive look at the university’s critical business, academic, and research functions that utilize confidential and protected data and implementing practical changes to more securely conduct this work. In addition, the Task Force has the authority to approve interim policies in this area. Currently, all members of the university community using SSNs are undergoing an evaluation by me, in the capacity of University Information Services Privacy Officer, in collaboration with the University Information Security Officer and the Office of University Counsel.

Wada: UCLA has an Advisory Board on Privacy and Data Protection, composed of senior faculty and administrators and reporting to the Executive Vice Chancellor, and a Data Council, composed of representatives of the major data stewards and data consumers on campus. The Advisory Board considers broad principles and the application of these principles to new situations in research, education, and administration, whereas the Data Council looks at institutional data-stewardship issues.

After our breach, we had discussions with the California attorney general and members of the state legislature. A College and University Social Security Number Task Force has been created to examine the use of and practices around SSNs and to make recommendations for enhancements. After doing some extensive analysis, we confirmed that we are required to keep most of the SSNs we have now because they are required by external agencies, notably the IRS but also the National Student Clearinghouse, among others.

Wachs: In the meantime, Congress continues to consider several efforts to legislate uniform notification requirements for data breaches.

Wada: And on January 1, 2008, California amended its notification law so that the law is triggered by unauthorized exposure not just of SSNs, driver’s license numbers, and financial account information but also of medical information and health insurance information. Overlap with HIPAA requirements must now be considered as well. But doing so is worth the price, considering the potentially devastating effects of medical identity theft. It’s no longer just your credit rating at stake—it’s your life.

Notes
  1. The UCLA breach is detailed in testimony given at a hearing in March 2007 on identity theft: see Jim Davis, “Lessons Learned from Notification of a Large Breach,” testimony before the Subcommittee on Terrorism, Technology and Homeland Security, Committee on the Judiciary, U.S. Senate, March 21, 2007, http://judiciary.senate.gov/pdf/3-21-07DavisTestimony.pdf.
  2. University of California Office of the President, Information Resources and Communications, “Determining Notification in the Event of a Security Breach,” February 6, 2008, http://www.ucop.edu/irc/itsec/documents/determining_notification.pdf. The document is based on the criteria of the California Office of Privacy Protection.
  3. See “Log Management for the University of California: Issues and Recommendations,” May 1, 2006, http://www.ucop.edu/irc/itsec/uc/documents/LogManagementGuidelines-2006-05-01.pdf.
  4. EDUCAUSE/Internet2 Computer and Network Security Task Force, Data Incident Notification Toolkit, https://wiki.internet2.edu/confluence/display/secguide/Data+Incident+Notification+Toolkit.

Heidi L. Wachs

Heidi L. Wachs is the Director of IT Policy and Privacy Officer for Georgetown University. She combines her professional background in technology policy and public relations to develop and implement sound policy to preserve the privacy and integrity of those who use Georgetown University information systems and their data. She has written and presented on issues of law, technology, and best practices for data privacy and breach response.

Prior to Georgetown University, Heidi worked as a Government Relations Officer for EDUCAUSE, a non-profit association whose mission is to promote the intelligent use of information technology in higher education. In that capacity, she advocated on behalf of EDUCAUSE members, and provided them with insight on a diverse range of legal and policy issues including patent reform, copyright and file sharing, and e-discovery. Heidi was also staff liaison for the EDUCAUSE Network Policy Council.

Before joining the higher education community, Heidi worked as a Public Interest Legal Fellow for Public Knowledge. She also represented divisions of IBM as a public relations executive before attending law school.

Heidi graduated cum laude with a BA in Journalism from Lehigh University and earned her JD with a concentration in Intellectual Property from the Benjamin N. Cardozo School of Law. She is admitted to the bars of the District of Columbia and the United States Supreme Court and is a Certified Information Privacy Professional.

 

Kent Wada

Kent provides leadership in shaping institutional policy and in participating in the national discourse on IT and privacy issues of strategic concern to the academy. Recognized as an expert in illegal file sharing, data breach incident response and related topics, he has been frequently invited to share his experiences at conferences and in publications. He works in close coordination with the campus IT governance committees and broadly across the institution; and collaborates with colleagues at other institutions, participates in national associations such as EDUCAUSE and sits on various advisory and policy committees.

Kent has held a number of different positions at UCLA since 1990. He was UCLA’s first IT security officer, focusing on the development of a campus security program and of security policies for the University of California. He has been involved with the development of the campus’s strategy for curbing illegal file sharing since its inception. His primary interest continues to be in the application of emergent technologies to people’s lives and in the protection of civil liberties in cyberspace.

 

Timothy Lance

Since 1998, Tim Lance has served as President and Chairman of NYSERNet, the New York State Education and Research Network. During his tenure, NYSERNet deployed a statewide research network backbone, connecting initially to vBNS, and then to Abilene in New York City and Buffalo. That research backbone was a crucial tool in the rapid restoration of commodity Internet service in the hours and days after 9/11. Under his leadership, over the last fourteen years NYSERNet moved from dependence on carrier circuits to control of transport, beginning with a still expanding fiber deployment for the R&E, medical, and cultural communities in New York City, and then a statewide DWDM optical infrastructure. NYSERNet created a carrier-neutral collocation facility at 32 Avenue of the Americas in Manhattan, home of MANLAN and peering point for CA*net, GÉANT, SURFNET and other national and international networks, as well as home to nodes for ESNET, NOAA, USLHCnet, and NLR. Four years ago NYSERNet created a business continuity center in Syracuse where institutions house critical IT equipment that can function in lieu of primary equipment on campus, and is now developing new uses for this space beyond the originally intended business continuity.

Dr. Lance is an active participant in the Quilt, StateNets, and the EDUCAUSE Network Policy Council, which he chaired from its creation in 2005 until the reconfiguration this year. Since October, 2007 Dr. Lance has also been a member of the then newly formed Internet2 External Relations Advisory Council, and has served as that Council’s chair and on the Internet2 Board of Governors. Other Internet2 activities have included participation on writing the Strategic Plan and on search committees for the CTO, Member Relations and Communications position, the CEO search committee, and other searches.

Dr. Lance recently retired as a Distinguished Service Professor of Mathematics at the University at Albany with affiliate research positions in the departments the School of Education and the College of Computing and Information. At the University he was chair of the Department of Mathematics and Statistics for fourteen years and served as the campus CIO. In New York State he has been an active member of the State’s Universal Broadband Council. These interests combine work with NYSERNet member institutions along with research work by IBM, GE, Corning and other corporate research facilities in New York to explore collaboration and cooperation on major research problems like energy, environment, and health care.

Tim Lance lives in Albany with his wife Anne. Their older son Peter a doctorate in economics from Chapel Hill and younger son Tim has a doctorate in math at Albany.

 

Most Popular

Stay Up-to-Date

RSS Email Twitter

Share Your Work and Ideas

Issues coming up will focus on digital scholarship, administrative computing, the value of IT, and building the profession. Share your work and ideas with EDUCAUSE Review Online.

E-mail us >

Purchase

EDUCAUSE Members: $5.00
Non-Members: $5.00
Close
Close


EDUCAUSE Connect
View dates and locations

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.