COMMUNICATIONS
Electronic Communications
Sec. 800-17: UCI Implementation Guidelines for Notification in Instances of
Security Breaches Involving Personal Information Data
IS-3, Electronic Information Security
IS-10, Systems Development and Maintenance Standards
RMP-8, Legal Requirements on Privacy of and Access to Information
On April 29, 2003, the University of California amended Business and Finance
Bulletin IS-3, Electronic Information Security, to address new legal
requirements of the California Information Practices Act, California Civil
Code 1798.29 and 1798.82.
The Civil Code now requires state agencies with computerized data containing personal
information to disclose any breach of security of a system containing such data
to any California resident whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized person. Consistent
with UCI policy that all campus departments comply with University of California
directives, these guidelines are intended to assist campus departments in implementing
the University requirements.
B. Definitions
Protected data - Personal information governed by these guidelines,
which includes an individual's first name or first initial, and last name,
in combination with any one or more of the following:
  social security number
  driver's license number or California identification card number
  financial account or credit card number in combination with any password
    that would permit access to the individual's financial account
Computing System - Any server, desktop, laptop computer, PDA, or
other device that contains or provides network access to protected data.
Lead Campus Authority - A person designated by the Chancellor to
investigate and report to the Office of the President instances of campus
security breaches involving protected personal information data.
IS-3 Area Coordinator - A person assigned responsibility for coordinating
electronic security in a UCI division or school. This includes maintaining
an inventory of computing systems containing protected data, participating
in campus-wide electronic security coordination activities, and facilitating
security in the division or school.
Data Proprietor - A person who has responsibility for oversight
of data or computing systems with access to protected data and with primary
responsibility for determining the purpose and function of any data resource;
often the chief administrative official of the Office of Record for the data
resource.
Data Custodian - A technical partner of the Data Proprietor who is
responsible for the implementation of data systems and the technical management
of data resources, as directed by the Data Proprietor.
Third-Party User - A contractor or affiliate outside of UCI who uses
redistributed information containing protected data.
C. Responsibilities
Security Breach Lead Campus Authorities for UCI are the Assistant
Vice Chancellor, Network and Academic Computing Services, and the Assistant
Vice Chancellor, Administrative Computing Services. They are responsible for
ensuring that the campus incident response process and systemwide and campus
notification procedures are followed. They will coordinate campus procedures
with Campus Counsel and others as appropriate.
Data Proprietors are responsible for identifying which computing
systems contain protected data, or have access to protected data. They will
ensure that adequate procedures are developed for access to protected data
and adequate security plans, consistent with IS-3,
are in place for computing systems within their jurisdiction. Data Proprietors
will work with their IS-3 Area Coordinator to maintain an inventory of systems
containing protected data. An up-to-date inventory of the data will usually
include its location and use, its custodian, and type of security protection.
Data Proprietors will inform their Data Custodians, affected staff within
their jurisdiction, and third-party users, of University policy and their
responsibilities regarding any use they may make of protected data.
Data Custodians and Third-Party Users are responsible for protecting
the resources under their control, such as access passwords, computers, and
downloaded data. Contractual arrangements with outside affiliates must include
the third-party user's obligations regarding protected data. Data Custodians
and Third-Party Users will ensure implementation of adequate security measures
for computing systems containing protected data, and appropriate encryption
strategies for both the transmission and storage of protected data. Monitoring
access logs for computing systems housing protected data can disclose unauthorized
access or anomalous activity. Departments may wish to consult with Network
and Academic Computing Services (NACS) and/or Administrative Computing Services
for assistance in determining strategies appropriate to their particular technological
environment.
D. Incident Response Process
If a breach of security is suspected on a computing system that contains
or has network access to unencrypted protected data, the Data Custodian will
immediately:
  Remove the computing system from the campus network and notify the Data
    Proprietor.
  Conduct a local analysis of the breach to determine the number of individuals
    whose protected data may have been acquired.
  Contact the NACS Response Center at 824-2222 to report that a potential
    security breach has occurred and request immediate notification of the
    NACS security staff and the Security Breach Lead Campus Authorities. Send
    additional information via email to security@uci.edu
    with a copy to security-lca@uci.edu.
NACS will examine the evidence of a breach with the Data Custodian to assess
the possibility that unencrypted protected data has been acquired by an unauthorized
source and report their conclusions to the Lead Campus Authorities.
If, after consulting with NACS security staff and the Data Custodian, the
Lead Campus Authorities are reasonably certain that a security breach has
occurred, they will immediately report the breach to the UCI Executive Vice
Chancellor's Office and to the Associate Vice President for Information Resources
and Communications at the Office of the President.
If the situation dictates, the Data Custodian or Data Proprietor will file
a police report with the UCI Police Department.
The Lead Campus Authorities will consult with the appropriate individuals
to analyze the situation, prepare an incident report, and recommend an appropriate
course of action. The individuals consulted will include representatives from
the Office of Campus Counsel, Administrative & Business Services, Office
of the Executive Vice Chancellor, and University Communications. The incident
report will describe the nature of the security breach, report the number
of individuals affected and the availability of address information, and will
include other pertinent information about the breach.
The incident report will be submitted to the Executive Vice Chancellor's
office, which will determine whether criteria for notification under California
Civil Code 1798.29 and 1798.82 have been met, and whether the recommended
course of action is consistent with IS-3, Systemwide Notification Procedures.
With the approval of the Executive Vice Chancellor's office, the Lead Campus
Authorities will work with the Data Proprietor to ensure that the notification
procedure is executed. The Data Proprietor is responsible for carrying out
the actual notification and for covering the costs of any expenses incurred.
E. Reporting Requirements
When the incident is closed, the Lead Campus Authorities will report the incident
response and notification process to the Associate Vice President for Information
Resources and Communications, including the actions taken to prevent further
breaches of security.