Interesting People mailing list archives
more on Stolen UC Berkeley laptop exposes personal data of nearly 100,000
From: David Farber <dave () farber net>
Date: Tue, 29 Mar 2005 15:17:44 -0500
------ Forwarded Message
From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: Mon, 28 Mar 2005 19:31:58 -0800
To: <dave () farber net>, Ari Ollikainen <Ari () OLTECO com>
Subject: Re: [IP] Stolen UC Berkeley laptop exposes personal data of nearly 100,000

At 05:03 PM 3/28/2005, David Farber wrote:

> From: Ari Ollikainen <Ari () OLTECO com>
> Date: Mon, 28 Mar 2005 15:57:17 -0800
> To: David Farber <dave () farber net>
> Subject: Stolen UC Berkeley laptop exposes personal data of nearly 100,000
>
> For IP...
>
> WHEN will they ever learn? [WHEN THEY CAN BE HELD LIABLE DJF]
>
> WHY was personal information other than a name and a NON-SSN ID on a laptop?
I was IT Security Officer in the UC Office of the President for a year (more or less all of 2002); I was hired by a guy who wanted to fill that policy-oriented (not operational) position, and the position was eliminated/merged with a vacant policy position after he left. The guy who hired me was a former 3-star Army general, and I think he was never comfortable in his own position (as CIO) there.

I would say that the problems are several, but the chief one is the rather balkanized management of all things IT in the academic setting (and with the added wrinkle here that UC is in fact a ten-campus system, of which Cal is only one, though one of the largest).

When I was there (and I suspect it still holds), *written* policy, for administrative computing, flat-out forbade having sensitive personal information on laptops, or any sort of portable device. That was, of course, universally ignored, and we ought to have amended policy in light of the wholesale migration of information away from mainframes and onto portable devices. We ought especially to have done this in light of potential consequences under such things as HIPAA; doctors were of course keeping sensitive Personal Medical Information (PMI) on laptops and PDAs, but there was no guidance as to how to secure them, because it oughtn't to have been there.

But NB that I said "administrative computing"; we had a series of *Business* policies, but they only applied to UC administrative business. In this particular case, it sounds like what was lost were data held by an academic researcher, doing analysis... they might argue that those policy documents didn't really apply to them. Though that doesn't permit UC to escape the provisions of the State's Information Practices Act requiring notice (as established in 2002 by SB 1386).

What UC *ought* to be doing is exposing anyone who handles personal information, whether covered by HIPAA, SB 1386, FERPA, or other privacy-related regulations or statutes, to education as to their responsibilities. In theory, the University should also be aware of any such sensitive collections, but when I was there, that process had all but died (the records management, and less the IT security, function was suffering from years of neglect). What one ought to do is require anyone compiling a collection of sensitive personal information to register it as such, naming a point of contact (who would be responsible to receive training re the sensitivity issues) for the collection, and understanding the potential consequences of inappropriate disclosure (e.g., a breach as defined by SB 1386).

Beyond that, I'd want to look at how the costs of compliance are met... do we think that the researcher in this case, whose apparent carelessness has exposed a potential 100,000 victims to identity theft, will foot the bill for notification? SB 1386 has a sort of escape provision, where, if some vast number of people's information is leaked, you can do a kind of broadcast mea culpa, I believe, but I don't recall how that was supposed to happen. If notice in this case amounts to personal letters to 100,000 people (many of whom probably aren't identified in the data sufficiently to easily crank out a mail merge), that's a big chunk of change.

Ross

-----
Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com

------ End of Forwarded Message

-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/