110 likes | 197 Vues
Addressing Unauthorized Release of Personal Information at UC Davis. August 12, 2003. California Civil Code, Section 1798. State’s response to an estimated 160,000 cases of identity theft in 2002
E N D
Addressing Unauthorized Release of Personal Information at UC Davis August 12, 2003
California Civil Code, Section 1798 • State’s response to an estimated 160,000 cases of identity theft in 2002 • Requires organizations, including institutions of higher learning, to notify state residents when unauthorized individuals have obtained personal information via a computer security breach • Effective as of July 1, 2003
UC Guidelines • Electronic Information Security (BFB IS-3) • Defines personal information as first name or first initial and last name in combination with one or more of the following: • Social Security Number • Driver’s license or California ID number • Account or credit card number and security code, access code or password
UC Guidelines (cont.) • Defines security breach as when a California resident’s unencrypted personal information is believed to have been acquired by an unauthorized person. • Calls for system-wide notification procedures and the development of local guidelines.
UC Davis Implementation • Chancellor Vanderhoef • Appointed UC Davis Information Technology Security Coordinator, Bob Ono, as lead in coordinating the campus’ compliance efforts • Via May 28, 2003 memo, notified Vice Chancellors, Vice Provosts and Deans of the need to take a proactive approach by identifying ways in which security risks can be minimized
UC Davis Implementation (cont.) • IT Security Coordinator, Bob Ono • Developed draft implementation plan that identifies key roles, responsibilities and procedures for: • Minimizing risks of security breach • Reporting incidents • Notifying individuals whose personal information may have been obtained by a non-authorized person
Roles and Responsibilities • CODVC Members • Oversee preventative measures to secure data • Communicate with appropriate staff about Section 1798, identity theft, and the campus implementation plan
Roles and Responsibilities (cont.) • Campus Units • Inform users of their responsibilities to secure personal information • Assess risks and implement security safeguards for systems housing personal information • Develop and maintain control records and establish monitoring procedures • Report suspected incidents
Roles and Responsibilities (cont.) • Campus Misuse Committee • Investigate reported incidents • Assess need for and authorize notifications • Authorize case closure
Roles and Responsibilities (cont.) • IT Security Coordinator, Bob Ono • Communicate components of implementation plan to responsible parties • Ensure response process is followed • Ensure system-wide and campus notification procedures are followed • Coordinate incident reporting with department personnel, Campus Misuse Committee, and UCOP
Resources • Identity Theft Prevention Web Site • http://security.ucdavis.edu/identity_theft.cfm • Information Practices Act of 1977 – California Civil Code Section 1798 • http://www.privacy.ca.gov/code/ipa.htm • Information Security Policy, Business and Finance Bulletin IS-3 • http://www.ucop.edu/ucophome/policies/bfb/is3.pdf • Misuse of University Resources, UC Davis Policy and Procedures Manual, Section 330-95 • http://manuals.ucdavis.edu/ppm/330/330-95.htm