Preventing a Security Breach
November 2012
NCASFFA
Diane G. Miller
Associate General Counsel
State Education Assistance Authority
Phone: (919) 248-4669
dmiller@ncseaa.edu
Disclaimers
What Will We Cover In This Session?
• What is the scope of the problem?
• Why is this issue important for the financial aid office?
• What is a security breach?
• Best practices to prevent a security breach
– Inventory personal information
– Limit personal information you collect and keep
– Secure personal information
– Disposal of personal information
– Prepare for a security breach
Security Breaches Are Common
• More than 800 breaches that involved information
about more than 3.3 million North Carolina consumers
have been reported to the Attorney General's Office
since 2005
Experts: SC Hacking Largest vs. State Tax Agency
• Millions of SSNs and business records from tax returns
as far back as 1998 were hacked in South Carolina
• The 3.6 million tax returns included Social Security
numbers and about 387,000 credit and debit card
numbers that were also exposed, 6,000 of those
unencrypted
• Up to 657,000 businesses have also been compromised
• http://www.newsobserver.com/2012/10/31/2452390/experts-sc-hacking-largest-vs.html#storylink=cpy
Computer Glitch Causes State Unemployment
Agency To Disclose Personal Info
• The state’s Division of Employment Security announced
Tuesday that information about thousands of employers and
recipients of unemployment benefits was mistakenly
disclosed in letters the agency mailed during a three-week
period
• The agency said a computer program was implemented
that generated incorrect employer addresses on letters
that included the names of individuals, Social Security
numbers, business names and N.C. State Unemployment Tax
Act employer account numbers
• http://www.newsobserver.com/2012/04/24/2021903/computer-glitch-causes-state-unemployment.html#storylink=cpy
UNC Charlotte: 350,000 Social Security Numbers
Exposed During Internet Breach
• The Social Security numbers and bank account data of
approximately 350,000 University of North Carolina Charlotte
students, faculty and staff have been publicly exposed, some
for more than a decade
• Confidential information from "general university systems"
was accidentally made public for approximately three months
before being discovered and reported
• Caused by an IT official who misconfigured a server during
an upgrade
• http://www.msnbc.msn.com/id/47390650/ns/technology_and_science-security/t/huge-financial-data-breach-hits-unc-charlotte/
Mammography Study Hacked
Personal Data At Risk
• Hundreds of thousands of women found out by letter this
week that their personal information, including Social
Security numbers, might have been exposed to identity
theft
• The Carolina Mammography Registry at the University of
North Carolina School of Medicine gathers data from
radiologists across the state and the breach affects
women who did not know the registry existed and did
not give consent to have their information included
• http://www.wral.com/news/local/story/6213633/
Some Relevant Laws And Regulations
• Gramm-Leach-Bliley Act (GLB) and the Safeguards Rule
– requires companies defined as “financial institutions” to ensure the
security and confidentiality of customer information;
– to protect against any anticipated threats or hazards to the security of
such records; and
– to protect against unauthorized access to or use of such information
• Fair and Accurate Credit Transactions Act of 2003 – Red
Flags Rule
• North Carolina Identity Theft Prevention Act
• Higher Education Act of 1965, as amended
• Family Educational Rights and Privacy Act (FERPA)
What Is A “Security Breach”?
• An incident of unauthorized access to and acquisition of
unencrypted and unredacted records or data containing
personal information where illegal use of the personal
information has occurred or is reasonably likely to occur
or that creates a material risk of harm to a consumer.
Any incident of unauthorized access to and acquisition of
encrypted records or data containing personal
information along with the confidential process or key
shall constitute a security breach.
N.C. Gen. Stat. § 75-61
What Is A Security Breach?
• Good faith acquisition of personal information by an
employee or agent of the business for a legitimate
purpose is not a security breach, provided that the
personal information is not used for a purpose other than
a lawful purpose of the business and is not subject to
further unauthorized disclosure
N.C. Gen. Stat. § 75-61
What Is Personal Information?
• Personal information includes: an individual’s Social
Security number (SSN), employer taxpayer identification
number (TIN), driver’s license or state identification
number, passport number, checking/saving account
number, credit/debit card number, PIN, digital signature,
biometric data, fingerprints or any number that can be
used to access his financial resources.
N.C. Gen. Stat. § 75-61
What Is Personal Information?
• Personal information does not include publicly available
directories containing information an individual has
voluntarily consented to have publicly disseminated or
listed, including name, address, and telephone number,
and does not include information made lawfully available
to the general public from federal, state, or local
government records.
N.C. Gen. Stat. § 75-61
Dunn Tops National List For Fraud,
ID Theft Complaints
• The Federal Trade Commission released its latest report
in February on consumer fraud-related complaints in the
U.S.
• The Dunn metropolitan area ranked No. 4 in the country
for consumer fraud complaints per capita and No. 5
nationwide for identity theft complaints
• From North Carolina’s Attorney General to local law
enforcement, no one can explain for certain why Dunn
consistently makes the list
• http://www.wral.com/news/local/story/11045172/
Step One - Take Stock
• What PII do you have?
• Where is your PII stored?
• Who has access to your PII?
Step Two - Scale Down
• Are you collecting unnecessary PII?
• Are you keeping PII too long?
• Be familiar with your record retention requirements
Step Three - Lock It
• Protect the PII that you keep
• Physical security
• Electronic security
• Training
Police: Mom Leaves Baby
On Top Of Car, Drives Off
• A 19-year-old mother is under arrest on child abuse and
aggravated DUI charges after police say she left her five-week-old
baby strapped in a car seat on top of her car and drove off
• She realized the baby was missing when she reached home
• That's when XXX called her friends and asked them to trace
the route she had taken
• The friends ran into the officers who had already found the
baby
• XXX arrived shortly thereafter and was arrested
• http://usatoday30.usatoday.com/news/nation/story/2012-06-02/baby-left-on-roof-of-car/55349990/1
Step Four - Pitch It
• Properly dispose of PII that you no longer need
• Paper
• Electronic storage devices
Destruction Of Personal Information Records
• Any business that conducts business in North Carolina
and any business that maintains or otherwise possesses
personal information of a resident of North Carolina must
take reasonable measures to protect against
unauthorized access to or use of the information in
connection with or after its disposal.
N.C. Gen. Stat. § 75-64
Destruction Of Personal Information Records
• "Disposal" includes the following:
a. The discarding or abandonment of records
containing personal information.
b. The sale, donation, discarding, or transfer of any
medium, including computer equipment or computer
media, containing records of personal information, or
other nonpaper media upon which records of personal
information are stored, or other equipment for nonpaper
storage of information.
N.C. Gen. Stat. § 75-61
Cabinet Was Surplus, Files Inside Were Personal
• XXX drilled open a filing cabinet that was locked when
he bought it
• Inside were files that were records of former UNC grad
students and applicants: names, addresses, grade point
averages and Social Security numbers
• XXX contacted the surplus store, and a staff member
drove to XXX’s home the next day, gathered the files,
and thanked XXX for calling
• To reward his good deed, UNC sent XXX a thank you
letter and a T-shirt
• http://www.wral.com/news/local/story/1203863/
McCain-Palin Team Sells Info-rich
Blackberrys To TV Station
• An investigative reporter for WTTG bought two
BlackBerry devices for $20 a piece containing
confidential information from the McCain-Palin campaign
at a "gone out of business" sale at the campaign's
headquarters in Arlington, Va.
• One contained 50 phone numbers for people connected
to the campaign, as well as hundreds of e-mails from
early September until a few days after the election.
• The second device contained 300 'contacts,' including
the former Virginia governor
• http://www.foxnews.com/story/0,2933,465985,00.html
Step Five - Plan Ahead
• Plan ahead for a security breach
• Be prepared to act with reasonable speed
• Review your institutional policy and procedures for
responding to a security breach
• Consider your obligations under all privacy laws and
regulations
More Information
• http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business
• http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml
• http://business.ftc.gov/privacy-and-security
• http://www.ncdoj.gov/getdoc/6633be99-552d-4e62-ae06-c15accad4142/Protect-Your-Business.aspx
Questions? Comments?
Thank you!