Addressing Unauthorized Release of Personal Information at UC Davis
August 12, 2003
California Civil Code, Section 1798
State’s response to an estimated 160,000 cases of identity theft in 2002
Requires organizations, including institutions of higher learning, to notify state residents when unauthorized individuals have obtained personal information via a computer security breach
Effective as of July 1, 2003
UC Guidelines
Electronic Information Security (BFB IS-3)
Defines personal information as first name or first initial and last name in combination with one or more of the following:
Social Security Number
Driver’s license or California ID number
Account or credit card number and security code, access code or password
UC Guidelines (cont.)
Defines security breach as when a California resident’s unencrypted personal information is believed to have been acquired by an unauthorized person.
Calls for system-wide notification procedures and the development of local guidelines.
UC Davis Implementation
Chancellor Vanderhoef
Appointed UC Davis Information Technology Security Coordinator, Bob Ono, as lead in coordinating the campus’ compliance efforts
Via May 28, 2003 memo, notified Vice Chancellors, Vice Provosts and Deans of the need to take a proactive approach by identifying ways in which security risks can be minimized
UC Davis Implementation (cont.)
IT Security Coordinator, Bob Ono
Developed draft implementation plan that identifies key roles, responsibilities and procedures for:
Minimizing risks of security breach
Reporting incidents
Notifying individuals whose personal information may have been obtained by a non-authorized person
Roles and Responsibilities
CODVC Members
Oversee preventative measures to secure data
Communicate with appropriate staff about Section 1798, identity theft, and the campus implementation plan
Roles and Responsibilities (cont.)
Campus Units
Inform users of their responsibilities to secure personal information
Assess risks and implement security safeguards for systems housing personal information
Develop and maintain control records and establish monitoring procedures
Report suspected incidents
Roles and Responsibilities (cont.)
Campus Misuse Committee
Investigate reported incidents
Assess need for and authorize notifications
Authorize case closure
Roles and Responsibilities (cont.)
IT Security Coordinator, Bob Ono
Communicate components of implementation plan to responsible parties
Ensure response process is followed
Ensure system-wide and campus notification procedures are followed
Coordinate incident reporting with department personnel, Campus Misuse Committee, and UCOP
Resources
Identity Theft Prevention Web Site http://security.ucdavis.edu/identity_theft.cfm
Information Practices Act of 1977 – California Civil Code Section 1798
http://www.privacy.ca.gov/code/ipa.htm
Information Security Policy, Business and Finance Bulletin IS-3
http://www.ucop.edu/ucophome/policies/bfb/is3.pdf
Misuse of University Resources, UC Davis Policy and Procedures Manual, Section 330-95
http://manuals.ucdavis.edu/ppm/330/330-95.htm