Berkeley Campus Implementation of UC Requirements
Senate Bill 1386 and Assembly Bill 700, effective July 1, 2003, added a new provision to the California Information Practices Act - Civil Code 1798.29, 1798.82. This new provision requires any state agency (including the University of California) with computerized data containing personal information to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.
The Civil Code defines "personal information" to be an individual's first and last name in combination with any of: social security number, driver's license number, or financial account or credit card number in combination with any password that would permit access to the individual's account. It requires that owners of computerized data must give notice of any security breach to affected persons in the most expedient time possible and without unreasonable delay. The provision also allows for substitute notice (e.g., via posting on the agency's website and notification to major statewide media) in certain circumstances. The bill specifies that an agency that maintains its own notification procedures as part of an information security policy shall be deemed to be in compliance with the bill's notification requirements, as long as the agency notifies people in accordance with its policies in case of a security breach and as long as the agency is otherwise consistent with the bill's timing requirements for notification.
On April 29, 2003 the University of California Office of the President issued an amendment to Business and Finance Bulletin IS-3 - "Electronic Information Security" [PDF] (http://www.ucop.edu/ucophome/policies/bfb/is3.pdf) [PDF] to address these new legal requirements. Consistent with Berkeley policy that all campus departments comply with University of California directives, the following UC Berkeley guidelines are provided to campus departments for their assistance in implementing the UCOP requirements.
The purpose of this new provision and University implementing requirements is to enhance the management of personal information that could be used, possibly in conjunction with other information, to impersonate an individual in ways that might cause serious loss of privacy and/or financial damage. In addition to these guidelines, departments are urged to establish best practices to reduce to the least amount necessary the collection, distribution, and retention of personally identifying electronic data if this data is not critical to their business needs. Such practices should embrace the following concepts:
- collect and retain only that data which is essential to the performance of assigned tasks,
- delete personal information when there is no longer a business need for its retention on computing systems,
- provide staff access to sensitive data only as needed to perform assigned duties,
- design database systems so that personal information can be identified,
- when personally identifying information is included in the distribution of data to any downstream users, include notification of that fact, including reference to these guidelines,
- redact personal information not critical to the task when distributing full data sets to downstream users,
- whenever possible, configure electronic applications that check authorizing or authenticating databases to return confirming responses rather than personal information,
review and update agreements with external service providers to ensure vendor compliance with these requirements,
- be prepared in advance in the event of the need for any immediate notification to individuals whose personal data is retained on computing systems,
- never leave sensitive data exposed on computer screens when not in use or leave computer screens unattended without appropriate screen access controls.
Existing campus policies and guidelines identify the obligations of campus officials regarding the privacy and security controls of information.
- Guide to Administrative Responsibilities The Guide to Administrative Responsibilities describes principles and delegation of accountability for administrative officials.
- Campus Information Technology Security Policy (CITSP) The CITSP establishes the requirement that all campus individuals are responsible for the logical and physical security of electronic information resources within their jurisdiction. The CITSP also extends this policy to outsourced activities.
1.1. Notice Triggering Data also called "protected data": The data comprising personal information governed by these guidelines is defined as protected data. This protected data includes an individual's first and last name in combination with any of
- social security number,
- driver's license number or California identification card number,
- financial account or credit card number in combination with any password that would permit access to the individual's financial account,
- medical information or health insurance information.
1.2. computing system: any server, desktop, laptop computer, or PDA that contains or provides network access to protected data.
1.3. administrative official: the UC Berkeley individual who has been delegated responsibility for oversight of data or computing systems with access to data.
1.4. data proprietor: the individual or department that has primary responsibility for determining the purpose and function of an essential data resource. The data proprietor is often the chief administrative official of the Office of Record for the data resource.
1.5. data custodian: an individual or department that functions as the technical partner of the data proprietor. The data custodian, as directed by the data proprietor, is responsible for the implementation of data systems and the technical management of data resources.
1.6. control records: a database, spreadsheet, or any other electronic file that contains a list of computing systems that contain protected data. Control records must contain the following:
- name of computing system data custodian,
- physical location of computing system,
- description of logical access and security controls.
2.1. lead campus authority: The Berkeley Chief Privacy Officer is designated as the lead campus authority who is responsible for:
- ensuring that the campus incident response process is followed,
- ensuring that systemwide and, if applicable, campus notification procedures are followed,
- coordinating campus procedures with campus counsel as appropriate.
2.2. administrative officials have oversight responsibility to:
- ensure that data proprietors develop adequate security plans for computing systems within their jurisdiction,
- ensure that data proprietors develop adequate procedures for access to protected data,
- ensure that data custodians conduct an inventory of computing systems under their jurisdiction,
- determine which computing systems contain protected data or have access to protected data that are subject to these requirements,
- ensure the collection of email or postal address information for any individuals for whom protected data is retained,
- ensure the collection of control records and the retention of control records in a secure environment for those systems determined to be subject to these requirements,
conduct an annual review of control records and update as necessary,
- establish an immediate notification plan, including boiler plate text, which could be implemented in the event of a breach that would have immediate deleterious impact on individuals whose personal information may have been obtained by a non-authorized source.
2.3. data proprietors must:
- create and maintain control records identifying computing systems containing unencrypted protected data as defined in section 1.6.
- ensure the development of adequate security measures consistent with CITSP and IS-3, i.e., commensurate with risks associated with the sensitivity or confidentiality of data, to reduce risk of threats to protected data in computing systems within their jurisdiction,
- inform any data custodians and users of protected data of their responsibilities regarding any use they may make of the data,
- establish procedures to ensure that all staff within their jurisdiction who have access to or make use of protected data abide by University and campus policy regarding protected data,
- ensure notification to downstream users when protected data is redistributed,
- submit a report of control records by a secure transmission to the delegated administrative official, as determined by the control unit,
- maintain control records in a secure environment.
2.4. data custodians must:
implement adequate security measures for computing systems containing protected data within their jurisdiction,
- implement appropriate encryption strategies for both the transmission and storage of protected data,
- establish adequate procedures to indicate if unauthorized access to or anomalous activity occurs on computing systems. Data custodians may consult System and Network Security for assistance in determining strategies appropriate to their technological environment.
- establish procedures to monitor access to computing systems housing protected data,
- notify any downstream users with reference to these guidelines when protected data is redistributed.
2.5. data users must:
- abide by established procedures on access to and use of protected data,
- protect the resources under their control, such as access passwords, computers, and data they download.
3. Incident Response Process
3.1. If a breach is suspected on a computing system that contains or has network access to unencrypted protected data, the data custodian must immediately:
- remove the computing system from the campus network,
- conduct a local analysis of the breach,
- notify the data proprietor if there is a reasonable belief protected data may have been acquired,
- send email to Information Security and Policy (ISP). The normal address for reporting IT security incidents is firstname.lastname@example.org. However, if you are certain this incident requires immediate attention or involves protected data, escalate your report by sending email to urgent- email@example.com.
3.2. Under advisement from the Chief Privacy Officer, ISP will examine the evidence of a breach with the data custodian to assess the possibility that protected data has been obtained.
3.3. ISP will notify the Chief Privacy Officer if ISP believes there could be a possibility that protected data has been acquired by an unauthorized source.
3.4. The data custodian must file a police report with UCPD if the department suspects criminal activity is responsible for the breach.
3.5. The data custodian must report to the data proprietor the number of individuals whose protected data may have been acquired.
3.6. If, after continued analysis, ISP and the data custodian have sufficient reason to believe that protected data may have been acquired, the data proprietor will submit a report to the the Chief Privacy Officer.
- describing the nature of the security breach and
- reporting the number of individuals affected, including address information.
3.7. The Chief Privacy Officer will convene a breach response team pursuant to requirements of the UC Data Breach Response policy to oversee the breach investigation, response, and remediation requirements and make the determination if notification under California Civil Code 1798.29, 1798.82 is required. The breach response team retains responsibility for all aspects of notification.
4. Notification Procedures (summary only)
4.1. Notification shall include all of the following information:
- The date(s) on which the personal information was (or could have been) acquired.
- A description of the personal information which was (or could have been) acquired.
- The name of the department or unit responsible for the information and the relationship that the affected individual has (had) to the department (in such a way that the person receiving the notification will understand why that department or unit had their information).
- An indication of the likelihood that the personal information was acquired or used.
- A list of resources that affected individuals could use to check for potential misuse of their information. This list should include the flyer, "What to Do If Your Personal Information is Compromised" [PDF] (http://www.privacy.ca.gov/res/docs/pdf/Security_Breach_First_Steps.pdf ) [PDF], produced by the California Office of Privacy Protection (either as a link or a hardcopy attachment).
- An email address and phone number of a suitable departmental representative with sufficient knowledge of the incident to be able to handle questions from affected individuals.
4.2. The cognizant vice chancellor and the data proprietor in consultation with the breach response team will determine whatever additional advice or assistance will be given to the affected individuals.