1 / 29

Preventing a Security Breach

Preventing a Security Breach. November 2012 NCASFFA. Diane G. Miller Associate General Counsel State Education Assistance Authority Phone: (919) 248-4669    dmiller@ncseaa.edu. Disclaimers. What Will We Cover In This Session?. What is the scope of the problem?

makani
Download Presentation

Preventing a Security Breach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Preventing a Security Breach November 2012 NCASFFA

  2. Diane G. Miller Associate General Counsel State Education Assistance Authority Phone: (919) 248-4669    dmiller@ncseaa.edu

  3. Disclaimers

  4. What Will We Cover In This Session? What is the scope of the problem? Why is this issue important for the financial aid office? What is a security breach? Best practices to prevent a security breach Inventory personal information Limit personal information you collect and keep Secure personal information Disposal of personal information Prepare for a security breach

  5. Security Breaches Are Common More than 800 breaches that involved information about more than 3.3 million North Carolina consumers have been reported to the Attorney General's Office since 2005

  6. Experts: SC Hacking Largest vs. State Tax Agency Millions of SSNs and business records from tax returns as far back as 1998 were hacked in South Carolina The 3.6 million tax returns included Social Security numbers and about 387,000 credit and debit card numbers that were also exposed, 6,000 of those unencrypted Up to 657,000 businesses have also been compromised http://www.newsobserver.com/2012/10/31/2452390/experts-sc-hacking-largest-vs.html#storylink=cpy

  7. Computer Glitch Causes State UnemploymentAgency To Disclose Personal Info The state’s Division of Employment Security announced Tuesday that information about thousands of employers and recipients of unemployment benefits were mistakenly disclosed in letters the agency mailed during a three-week period The agency said a computer program was implemented that generated incorrect employer addresses on letters that included the names of individuals, Social Security numbers, business names and N.C. State Unemployment Tax Act employer account numbers http://www.newsobserver.com/2012/04/24/2021903/computer-glitch-causes-state-unemployment.html#storylink=cpy

  8. UNC Charlotte: 350,000 Social Security Numbers Exposed During Internet Breach The Social Security numbers and bank account data of approximately 350,000 University of North Carolina Charlotte students, faculty and staff has been publicly exposed, some for more than a decade Confidential information from "general university systems" was accidentally made public for approximately three months before being discovered and reported Caused by an IT official who misconfigured a server during an upgrade http://www.msnbc.msn.com/id/47390650/ns/technology_and_science-security/t/huge-financial-data-breach-hits-unc-charlotte/

  9. Mammography Study HackedPersonal Data At Risk Hundreds of thousands of women found out by letter this week that their personal information, including Social Security numbers, might have been exposed to identity theft The Carolina Mammography Registry at the University of North Carolina School of Medicine gathers data from radiologists across the state and the breach affects women who did not know the registry existed and did not give consent to have their information included http://www.wral.com/news/local/story/6213633/

  10. Some Relevant Laws And Regulations • Gramm-Leach-Bliley Act (GLB) and the Safeguards Rule • requires companies defined as “financial institutions” to ensure the security and confidentiality of customer information; • to protect against any anticipated threats or hazards to the security of such records; and • to protect against the unauthorized access and use • Fair and Accurate Credit Transactions Act of 2003 -Red Flags Rule • North Carolina Identity Theft Prevention Act • Higher Education Act of 1965, as amended • Family Educational Rights and Privacy Act (FERPA)

  11. What Is A “Security Breach”? An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.N.C. Gen. Stat. § 75-61

  12. What Is A Security Breach? Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure N.C. Gen. Stat. § 75-61

  13. What Is Personal Information? Personal information includes: an individual’s Social Security number (SSN), employer taxpayer identification number (TIN), driver’s license or state identification number, passport number, checking/saving account number, credit/debit card number, PIN, digital signature, biometric data, fingerprints or any number that can be used to access his financial resources.  N.C. Gen. Stat. § 75-61

  14. What Is Personal Information? Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.N.C. Gen. Stat. § 75-61

  15. Dunn Tops National List For Fraud,ID Theft Complaints The Federal Trade Commission released its latest report in February on consumer fraud-related complaints in the U.S. The Dunn metropolitan area ranked No. 4 in the country for consumer fraud complaints per capita and No. 5 nationwide for identity theft complaints From North Carolina’s Attorney General to local law enforcement, no one can explain for certain why Dunn consistently makes the list http://www.wral.com/news/local/story/11045172/

  16. Step One - Take Stock What PII do you have? Where is your PII stored? Who has access to your PII?

  17. Step Two - Scale Down Are you collecting unnecessary PII? Are you keeping PII too long? Be familiar with your record retention requirements

  18. Step Three - Lock It Protect the PII that you keep Physical security Electronic security Training

  19. Police: Mom Leaves Baby On Top Of Car, Drives Off A 19-year-old mother is under arrest on child abuse and aggravated DUI charges after police say she left her five-week-old baby strapped in a car seat on top of her car and drove off She realized the baby was missing when she reached home That's when XXX called her friends and asked them to trace the route she had taken The friends ran into the officers who had already found the baby XXX arrived shortly thereafter and was arrested http://usatoday30.usatoday.com/news/nation/story/2012-06-02/baby-left-on-roof-of-car/55349990/1

  20. Step Four - Pitch It Properly dispose of PII that you no longer need Paper Electronic storage devices

  21. Destruction Of Personal Information Records Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.N.C. Gen. Stat. § 75-64

  22. Destruction Of Personal Information Records "Disposal" includes the following:      a. The discarding or abandonment of records containing personal information.      b. The sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal information, or other nonpaper media upon which records of personal information are stored, or other equipment for nonpaper storage of information. N.C. Gen. Stat. § 75-61

  23. Cabinet Was Surplus, Files Inside Were Personal XXX drilled open a filing cabinet that was locked when he bought it Inside were files that were records of former UNC grad students and applicants: names, addresses, grade point averages and Social Security numbers XXX contacted the surplus store, and a staff member drove to XXX’s home the next day, gathered the files, and thanked XXX for calling To reward his good deed, UNC sent XXX a thank you letter and a T-shirt http://www.wral.com/news/local/story/1203863/

  24. McCain-Palin Team Sells Info-richBlackberrys To TV Station An investigative reporter for WTTG bought two BlackBerry devices for $20 a piece containing confidential information from the McCain-Palin campaign at a "gone out of business" sale at the campaign's headquarters in Arlington, Va. One contained 50 phone numbers for people connected to the campaign, as well as hundreds of e-mails from early September until a few days after the election. The second device contained 300 'contacts,' including the former Virginia governor http://www.foxnews.com/story/0,2933,465985,00.html

  25. Step Five - Plan Ahead Plan ahead for a security breach Be prepared to act with reasonable speed Review your institutional policy and procedures for responding to a security breach Consider your obligations under all privacy laws and regulations

  26. More Information http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml http://business.ftc.gov/privacy-and-security http://www.ncdoj.gov/getdoc/6633be99-552d-4e62-ae06-c15accad4142/Protect-Your-Business.aspx

  27. Questions? Comments? Thank you!

More Related