Protection of Computerized Personal Information

PLEASE NOTE:
This page is currently under review and is being updated by the Information Security Office. If you have questions contact us at security.berkeley.edu. 

Berkeley Campus Implementation of UC Requirements

Background

Senate Bill 1386 and Assembly Bill 700, effective July 1, 2003, added a new provision to the California Information Practices Act - Civil Code 1798.29, 1798.82. This provision requires any agency (including the University of California) with computerized data containing personal information to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.

The Civil Code defines "personal information" as follows:

  1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    1. Social security number.
    2. Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
    3. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
    4. Medical information.
    5. Health insurance information.
    6. Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
    7. Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
  2. A username or email address, in combination with a password or security question and answer that would permit access to an online account.

It requires that owners and licensees of computerized data must give notice of any security breach to affected persons in the most expedient time possible and without unreasonable delay. The provision also allows for substitute notice (e.g., via posting on the agency's website and notification to major statewide media) in certain circumstances. The bill specifies that an agency that maintains its own notification procedures as part of an information security policy shall be deemed to be in compliance with the bill's notification requirements, as long as the agency notifies people in accordance with its policies in case of a security breach and as long as the agency is otherwise consistent with the bill's timing requirements for notification.

The University of California Business and Finance Bulletin IS-3 - "Electronic Information Security" addresses these legal requirements. Consistent with Berkeley policy that all campus departments comply with the University of California directives, the following UC Berkeley guidelines are provided to campus departments for their assistance in implementing the UCOP requirements.

Purpose and Best Practices

The purpose of this State provision and University implementing requirements is to enhance the management of personal information that could be used, possibly in conjunction with other information, to impersonate an individual in ways that might cause serious loss of privacy and/or financial damage. 

In addition to these guidelines, departments are urged to establish procedures to reduce to the least amount necessary the collection, distribution, and retention of personally identifying electronic data if this data is not critical to their business needs. Such practices should embrace the following concepts:

  • collect and retain only that data which is essential to the performance of assigned tasks,

  • securely delete personal information when there is no longer a business need for its retention on computing systems,

  • provide staff access to sensitive data only as needed to perform assigned duties,

  • design database systems so that personal information can be identified,

  • when personally identifying information is included in the distribution of data to any downstream users, include notification of that fact, including reference to these guidelines,

  • redact personal information not critical to the task when distributing full data sets to downstream users,

  • whenever possible, configure electronic applications that check authorizing or authenticating databases to return confirming responses rather than personal information,

  • review and update agreements with external service providers to ensure vendor compliance with these requirements; also ensure that UC’s “Appendix - Data Security” contract language is included in agreements with vendors that have access to personal information,

  • be prepared in advance in the event of the need for immediate notification to individuals whose personal data is retained on computing systems,

  • never leave sensitive data exposed on computer screens when not in use or leave computer screens unattended without appropriate screen access controls.

Related campus policies and guidelines

Existing campus policies and guidelines identify the obligations of campus officials regarding the privacy and security controls of information.

  • Guide to Administrative Responsibilities: The Guide to Administrative Responsibilities describes principles and delegation of accountability for administrative officials.

  • Campus Information Technology Security Policy (CITSP): The CITSP establishes the requirement that all campus individuals are responsible for the logical and physical security of electronic information resources within their jurisdiction. The CITSP also extends this policy to outsourced activities.

Berkeley Campus Guidelines

I. Definitions:

  1. Administrative official: The UC Berkeley individual who has been delegated responsibility for oversight of data or computing systems with access to data
  2. Computing system: Any server, desktop computer, laptop computer, or personal device, including associated software and electronic storage.
  3. Control records: A database, spreadsheet, or any other electronic file that contains a list of computing systems that contain Notice Triggering Data.Control records must contain the following:
  4. name of computing system data custodian,
  5. physical location of computing system,
  6. description of logical access and security controls.
  7. Data custodian: An individual or department that functions as the technical partner of the data proprietor. The data custodian, as directed by the data proprietor, is responsible for the implementation of data systems and the technical management of data resources.
  8. Data proprietor: The individual or department that has primary responsibility for determining the purpose and function of an essential data resource. The data proprietor is often the chief administrative official of the Office of Record for the data resource.
  9. Notice Triggering Data: The data comprising personal information governed by these guidelines is defined as Notice Triggering Data. Notice Triggering Data is defined in Berkeley’s Information Security Policy Glossary and is synonymous with “personal information” as defined in the “Background” section above. 

II. Responsibilities:

  1.  Administrative officials have oversight responsibility to:
    1. ensure that data proprietors develop adequate security plans for computing systems within their jurisdiction,
    2. ensure that data proprietors develop adequate procedures for access to Notice Triggering Data,
    3. ensure that data custodians conduct an inventory of computing systems under their jurisdiction,
    4. determine which computing systems contain Notice Triggering Data or have access to Notice Triggering Data that are subject to these requirements,
    5. ensure the collection of email or postal address information for any individuals for whom Notice Triggering Data is retained,
    6. ensure the collection of control records and the retention of control records in a secure environment for those systems determined to be subject to these requirements,
    7. conduct an annual review of control records and update as necessary,
    8. establish an immediate notification plan, including boiler plate text, which could be implemented in the event of a breach that would have immediate deleterious impact on individuals whose personal information may have been obtained by a non-authorized source.
  2. Data custodians must:
    1. implement adequate security measures for computing systems containing Notice Triggering Data within their jurisdiction,
    2. implement appropriate encryption strategies for both the transmission and storage of Notice Triggering Data,
    3. establish adequate procedures to indicate if unauthorized access to or anomalous activity occurs on computing systems. Data custodians may consult System and Network Security for assistance in determining strategies appropriate to their technological environment.
    4. establish procedures to monitor access to computing systems housing Notice Triggering Data,
    5. notify any downstream users with reference to these guidelines when Notice Triggering Data is redistributed.
  3. Data proprietors must:
    1. create and maintain control records identifying computing systems containing unencrypted Notice Triggering Data as defined in section 1.6
    2. ensure the development of adequate security measures consistent with CITSP and IS-3, i.e., commensurate with risks associated with the sensitivity or confidentiality of data, to reduce risk of threats to Notice Triggering Data in computing systems within their jurisdiction,
    3. inform any data custodians and users of Notice Triggering Data of their responsibilities regarding any use they may make of the data,
    4. establish procedures to ensure that all staff within their jurisdiction who have access to or make use of Notice Triggering Data abide by University and campus policy regarding Notice Triggering Data,
    5. ensure notification to downstream users when Notice Triggering Data is redistributed,
    6. submit a report of control records by a secure transmission to the delegated administrative official, as determined by the control unit,
    7. maintain control records in a secure environment.
  4. Data users must:
    1. abide by established procedures on access to and use of Notice Triggering Data,
    2. protect the resources under their control, such as access passwords, computers, and data they download.
  5.  Lead campus authority: The Berkeley Chief Privacy Officer is designated as the lead campus authority who is responsible for:
    1. ensuring that the campus incident response process is followed,
    2. ensuring that systemwide and, if applicable, campus notification procedures are followed,
    3. coordinating campus procedures with campus counsel as appropriate.

III. Incident Response Process

  1. If a breach is suspected on a computing system that contains or has network access to unencrypted Notice Triggering Data, the data custodian must immediately:
    1. remove the computing system from the campus network,
    2. conduct a local analysis of the breach,
    3. notify the data proprietor if there is a reasonable belief Notice Triggering Data may have been acquired,
    4. send an email to the Information Security Office (ISO).  The normal address for reporting IT security incidents is security@berkeley.edu. However, if you are certain this incident requires immediate attention or involves Notice Triggering Data, escalate your report by sending email to urgent- security@berkeley.edu.
  2. Under advisement from the Chief Privacy Officer, ISO will examine the evidence of a breach with the data custodian to assess the possibility that Notice Triggering Data has been obtained.
  3. ISO will notify the Chief Privacy Officer if ISO believes there could be a possibility that Notice Triggering Data has been acquired by an unauthorized source.
  4. The data custodian must file a police report with UCPD if the department suspects criminal activity is responsible for the breach.
  5. The data custodian must report to the data proprietor the number of individuals whose Notice Triggering Data may have been acquired.
  6. If, after continued analysis, ISO and the data custodian have sufficient reason to believe that Notice Triggering Data may have been acquired, the data proprietor will submit a report to the Chief Privacy Officer.
    1. describing the nature of the security breach and
    2. reporting the number of individuals affected, including address information.
  7. The Chief Privacy Officer will convene a breach response team pursuant to requirements of the UC Data Breach Response policy to oversee the breach investigation, response, and remediation requirements and make the determination if notification under California Civil Code 1798.29, 1798.82 is required.  The breach response team retains responsibility for all aspects of notification.

IV. Notification Procedures (summary only)

  1. Notification shall include all of the following information:
    1. The date(s) on which the personal information was (or could have been) acquired.
    2. A description of the personal information which was (or could have been) acquired.
    3. The name of the department or unit responsible for the information and the relationship that the affected individual has (had) to the department (in such a way that the person receiving the notification will understand why that department or unit had their information).
    4. An indication of the likelihood that personal information was acquired or used.
    5. A list of resources that affected individuals could use to check for potential misuse of their information. This list should include the flyer, "Identity Theft Victim Checklist
    6. Breach Help: Consumer Tips from theCalifornia Attorney General [PDF], produced by the California Office of Privacy Protection (either as a link or a hardcopy attachment). https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cis-17-breach-help.pdf?
    7. An email address and phone number of a suitable departmental representative with sufficient knowledge of the incident to be able to handle questions from affected individuals.
  2. The cognizant vice chancellor and the data proprietor in consultation with the breach response team will determine whatever additional advice or assistance will be given to the affected individuals.

Information Practices Act of 1977- California Civil Code

https://leginfo.legislature.ca.gov/faces/codes_displayexpandedbranch.xht...