The Case of the Student and the Missing Laptop

There is an interesting article over at the Hollister Free Lance site about a potential security incident that may have occurred at Gavilan College. It seems that Tim Holliday, a former Student Trustee and Student Body Senator, is making noise about a Student Body laptop that went missing last year and that he claims contained personal information such as names, Social Security numbers and photos on 3,100 students, faculty and staff. Apparently, after reporting the missing laptop, Holliday is displeased with the lack of action by the college for more than a year, and he is urging the college to notify affected students about the potential risk.

However, the college is taking a different view on the incident. According to the article, the college investigated the report and discovered that Kayed Asfour, a Gavilan student, was the last person to see the laptop. Apparently Asfour assured the college that he deleted all of the Social Security numbers from the laptop before it went missing.

Satisfied with this, the college chose not to report the incident. According to Gavilan President Steven Kinsella, the college took the necessary precautions, and the college cannot verify that the laptop contained personal information. In addition, Kinsella points out that the Associated Student Body is an independent organization. As Kinsella states in the article, it is not an issue to the college.

Um… what? I do not understand how the possible exposure of 3,100 records containing personal information could not be an issue for any college or university. If what Holliday claims is true, there are some serious questions that beg to be answered about this incident. Unfortunately, there is little more information online about this story beyond the article over at the Hollister Free Lance site.

I found this to be a very interesting story for a number of reasons. It strikes at the heart of what many organizations deal with when discussing what actions to take in the event of a suspected incident. There are contradicting stories, unclear information exposure and questions about authority and responsibility for notification. I hope that more of this story becomes known, since I have so many unanswered questions about this incident.

While there is not enough information available to draw any conclusions about this incident, here are some personal ideas about breach reporting.

1. I do not believe that notifying individuals only when personal information loss can be verified is the best approach. When there is the possibility that personal information has been lost or exposed, the organization should always strive to notify unless it can prove the information was not lost/exposed.

2. The assurances of one individual do not count as adequate proof to stop notifications, especially when these assurances are contradicted by another individual within the organization. ‘Tis better to err on the side of caution in my opinion.

3. Information lost by an independent entity does not absolve an organization of the responsibility to notify affected individuals, especially if the information was given to the independent entity by the organization for official use. After all, when Iron Mountain lost backup tapes belonging to the Louisiana Office of Student Financial Assistance, LOSFA immediately contacted the affected individuals to make them aware of the incident. The same held true when independent third parties lost information given to them by Waseda University, the University of Akron, Kansas State University, and Berry College.

[UPDATE] Missing Out On Good PR

Update2: Ruth Shuman, Dean for Institutional Advancement at Lasell College, contacted me to let me know that Lasell College has established a call center with First Advantage Corporation where affected individuals can sign up for six months of free credit monitoring.

Update: I was contacted by Lasell College about this incident (see comment below). While I generally do not take kindly to threats, I am always willing to admit a mistake when I make one. It seems that Lasell College is offering free credit monitoring to the individuals affected by this incident. I am waiting to hear back from Lasell College to see if I can link to information about what is being offered to the students.

My apologies to anyone that thought this post was directly aimed at Lasell College’s handling of this incident. The goal was instead to point out to the many educational institutions that do not offer free credit monitoring that they are missing a great opportunity for good PR with the affected individuals.

Original Story: Earlier this month, Lasell College alerted 20,000 current and former students, faculty and staff that an employee illegally gained access to a database containing personal information such as names, Social Security numbers and addresses. In response to this incident, the college contacted law enforcement, sent out letters, and set up a web site and hotline to help answer questions. All of these steps are exactly what colleges and universities should do in the event of a security breach.

However, one move that Lasell, like many educational institutions, did not take was to offer free credit monitoring for the affected individuals. This is a move that continues to amaze me. Given the increasing rates of Identity Theft and the public’s awareness of the threats, offering free monitoring just makes sense. (Please note that I don’t necessarily agree with the rise in “Identity Theft” given that to me Credit Card fraud does not equal ID Theft. Nor do I agree that credit monitoring is the ultimate solution, but more on these two topics to come.)

If nothing else, the offer of credit monitoring (opt-in of course) is a good way to gain some valuable PR when announcing a breach. Sure, your students/staff/faculty/alumni/donors might be miffed over the loss of their personal information, but what better way to soften the blow than with a year’s worth of free monitoring to show the college or university really does care about them?

Question the PR value of this? Think again. In the case of Lasell, IdentityTruth, a credit monitoring service, saw an opportunity for good PR and jumped on it. IdentityTruth decided to reach out to the individuals affected by the Lasell incident and offer them the first month of protection for only $1. For those keeping score, $1 is about a 90% discount. Of course IdentityTruth is most likely banking on the individuals remaining with the service after the discount period ends and the cost goes up to $9.99.

I am not saying that people should run to a credit monitoring service like IdentityTruth. Also, I am not saying that I believe services like IdentityTruth have value. Personally, I know nothing about IdentityTruth and thus am in no place to judge the quality or value of the service.

What I am saying is that IdentityTruth gained valuable PR (hey, I’m talking about them, aren’t I?) while Lasell College now, at least to me, is in a position where it looks like a company not even connected with the college cares more about the protection of these individuals’ identities than the college does. Alright, that might be pushing it a little, but the point remains. If your institution is affected by a breach, who would you rather see offering to protect you through credit monitoring: your institution or some third-party company?

At the very least Lasell College could have gained some good PR by contacting a credit monitoring company and working out a deal where the college is charged a reduced rate based on the potential of signing up 20,000 accounts. The press release could then have at least read “IdentityTruth and Lasell College Reach Out To Alumni, Students and Faculty” instead of “IdentityTruth Reaches Out to Lasell College Alumni, Students and Faculty”.

Amazing how much can change just by moving a few simple words.

Schneier on the Mind of Security

Today is another travel day for me. As I get ready to leave the civilization of New York state and head back to the cornfields of Illinois, I just wanted to point to this article by Bruce Schneier. Here I thought I was unique in that I constantly think about how I could shoplift from stores as soon as I enter and that I immediately look to see where the video cameras are located. I guess I am not a beautiful and unique snowflake after all.

Interesting Discussions on Data Classification

If you are involved with information security at a college or university and have not already, I strongly recommend that you head over to the EDUCAUSE site and sign up for the Security Discussion Group. This discussion group is an excellent source of information and provides an easy way to interact with colleagues from other academic institutions.

A recent discussion on the Security list involves data classifications. There are several different approaches in use; here are a few of them. Northwestern follows a three-container system containing Public, Internal, and Legally/Contractually Restricted classifications. The University of Massachusetts recently collapsed a five-container system into a three-container system containing Unclassified, Operational Use Only and Confidential. The University of Massachusetts also takes the stance that all PII falls within the Confidential container.

Gary Dobbins over at Notre Dame warns about the dangers of a “catch-all” middle-of-the-road classification. Instead, he moved Notre Dame from a three-container system to a four-container system containing a “Super-Top-Secret” class, an “Internal” class, a “Sensitive” class and a “Public” class. Gary further warns against a “regulated” class, due to differences in regulatory requirements.

Dr. Kees Leune is taking a different approach. Instead of relying upon a classification determined by content, he argues that there is a need to define discrete “chunks” of information and then address the needs of these chunks based upon the data owner’s needs and uses of the information. Each chunk is then given a rating based upon its required level of Confidentiality, Integrity and Availability.

Out of all of these approaches, my personal preference is closer to that of Gary Dobbins except that I still tend to lean toward a three-container system. I agree with everyone that overly complex classification systems are doomed to failure and a simple, pragmatic approach is best. I also like the approach of Dr. Leune in that there is a need to not only define these classification levels, but to also go out and talk with the data owners about the exact protections their data requires.

There are many more great discussions over on the Security Discussion Group, so head on over and register to become part of the solution.

The Absurdities Of A Swing Set

So I spent a large part of Easter Sunday as well as over 4 hours this morning helping my father build a swing set for my nephew’s upcoming birthday. While I was happy to help, I am still miffed about how long it took us. Sure, the temperature did not help (it was in the low to mid 20s for most of the build) and we didn’t prepare as well as we should have. However, this is not what I am upset over.

The truly aggravating aspect of building the swing set (complete with monkey bars, a fort, a climbing wall, rope ladder and slide) was that nothing was labeled. That’s right, a 19 foot long, 7 foot wide wood structure with hundreds and hundreds of bolts, screws, nuts and washers, and not one label to be found. While we (eventually) got through everything, there is no excuse for not having things properly labeled. Apparently the company thought that by providing only the bare essentials (the parts and a few pages of pictures) customers should have no problem getting everything going smoothly.

How absurd! Isn’t it? While I was truly annoyed by the lack of assistance through proper labeling, it struck me as very similar to information security directives at many colleges and universities. Too often directives are delivered from “on-high” with no clear direction of how to implement them or even the purpose behind them. The result is that, just like my father and I, many departments are left struggling out in the cold for hours with little to no real progress.

The move away from Social Security numbers at most colleges and universities is a great example. Moving away from SSNs to an internal student ID is a great move and one that I strongly support and recommend to any college or university. However, generally the only thing that is communicated to the campus is “No more Social Security numbers”. On the surface this is good, but looking deeper there are serious problems.

One of the first problems is what to do about situations where Social Security numbers are needed, such as Federal aid or employment. The organization needs to address how the departments should accept, store and transmit SSNs properly given the new edict. Also, the organization needs to make sure that it has addressed all SSN-required functions. After all, failing to address all functions leaves the organization in the dangerous position of having the perception of being SSN free not match reality.

Another, much larger problem is that the cry of “No More Social Security numbers” is rarely followed by instructions on what to do with legacy data and systems. Yet failing to address this legacy data is a serious oversight. The data contained in filing cabinets, legacy computer systems and workstation/laptop hard drives will most likely include SSNs, since this was the student identification number used on campus. This data doesn’t know about the No SSN policy, so unless it is actually addressed, it will stay where it is, waiting for a breach before it becomes known.

Reducing the use of Social Security numbers is an excellent move and one I encourage all educational institutions to make. Just make sure that you are actually addressing all instances of Social Security number use on the campus, or else a No SSN policy will do little more than trick the institution into a false sense of security.

Just A Quick Post

I’ve been traveling a bit recently and am now visiting family over the Easter weekend. I plan to get back to posting by Monday, so keep an eye on the RSS feed.

If you are interested, head on over here and take a look at the Poster Session I recently presented at the EDUCAUSE Midwest Regional Conference. The presentation is available in both PDF and MOV format. (Special thanks to Christy Kilgore-Hadley for making this presentation look amazing!)

What Exactly Is The Point?

For the record, please allow me to introduce this concept to those that are not familiar with it: Breach notification letters are completely different from press releases about an incident. Therefore, each needs to be crafted differently.

Breach notifications are intended to alert an individual that their personal information is now in the hands of an unauthorized individual. These notifications tend to follow a similar format: Greet the individual. Introduce the problem. Explain the issues/data lost. Apologize for the event. Offer/Don’t offer credit monitoring for one year. Include phone numbers/web sites/e-mail addresses with more information. Apologize again. Wash. Rinse. Repeat.

Press releases are a different beast and are a way for an organization to give input to the news reports about the incident. Breach press releases generally tend to go into greater detail than a notification, explaining what happened, with or without quotes from the organization. Information on completed or ongoing investigations is included. The obligatory high-level apology is included as well as a promise that “changes are being taken to prevent such an event in the future”.

However, some organizations intermix these two formulas with mixed results. Adding breach notification information, such as where to get more information, to press releases? It can work. Adding press release information to breach notifications? This is where I have a problem.

Why? Generally, most organizations want to include the “we are making changes to prevent breaches in the future” tag line in breach notifications. For example, it seems that Duke University’s physics department took this approach in a letter to students over a recent incident. (Note: Duke is not alone in this and is only included as a recent example.) My question to anyone that agrees with this approach is this: What exactly is the point?

How does it help me to learn that the organization is taking steps to protect against future breaches? My data has already been lost. It is out there regardless of whether or not a future breach occurs. Not to be self-centered, but upon first learning that my personal information has been lost, the furthest thing from my mind is the protection of other individuals in the future. So please, please, please stop including this information in the breach notification; I just don’t care. Oh, and as I’ve talked about in the past, don’t tell me there is no evidence of misuse three days after the breach.

I agree that it is a good step for organizations to talk about the changes being made to prevent future breaches. After all, it shows that the breach is a learning opportunity for the organization. Just keep it out of the breach notification, OK?

That Harvard Story Has Got Legs

Back in mid-February, Harvard University suffered a computer breach. Nothing earth-shattering in this. After all, over 25 incidents had already occurred at colleges and universities in 2008 before the Harvard incident. Sure, “kaboom73” uploaded the files stolen from the Harvard server to a torrent on Pirate Bay. Then, a month later, Harvard announced that the stolen data contained information on 10,000 applicants.

All of this makes for a juicy story, I’ll admit. You’ve got a big name school, compromised site, mocking messages, p2p, Pirate Bay, thousands of individuals. However, is it “hundreds of news articles in the past week” juicy? Seriously, this story is showing up all over the place: Major news outlets. Local news outlets. Even international news outlets.

I’m still scratching my head over the reason for all the attention. After all, it isn’t the only or even the first web site compromise of 2008. Nor is the Harvard incident the largest of 2008. There have been other internationally-known schools involved in breaches this year. Yet none of these other stories have garnered the news interest that the Harvard story has sparked. I guess the only thing I can say is that the Harvard story has got legs.

EDUCAUSE Midwest Regional Conference

I’ll be at the EDUCAUSE Midwest Regional Conference up in Chicago from Monday through Wednesday morning. I’m presenting a Poster Session on Tuesday from 1:30 - 2:30 on the Seventh Floor of the hotel. If any of you are going to be there, stop on by my table.

ESI Is Working Again

Just a quick note. ESI is back up and working again, no more blank page!