NYS Security Breach Disclosure Policy
To all faculty, staff, and administrators:
New York State Security Compromise Disclosure Law
On December 7, 2005, the “NYS Information Security Breach and Notification Act” went into effect. It was signed August 9 by the governor. This new law requires that “entities conducting business in NY who own or license computerized data which includes private information” disclose any breach of private data to NY residents (and nonresidents) whose personal information was stored on any system that may have been compromised. The law defines personal information as “any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.”
What does this mean to me?
Identity theft has become a major problem over the last few years. More than 51 million Americans have had their personal information compromised since February 2005 (including more than three million NYS residents; see the CSCIC list at the end). Criminals, and organized crime in particular, have found it to be a very lucrative business. With a few key pieces of personal information (a name, SSN, birth date and address) they can use your identity to open new credit card and financial accounts, take out a mortgage on your house, and generally plunder your financial accounts for huge amounts of money before you even realize it is happening. Repairing the damage to your credit rating takes years, and is difficult if not impossible. On a personal level, we all understand and support this legislation because we all would want to know if our personal information has fallen into the wrong hands.
What does this mean for Purchase College?
Purchase College computer systems store data on tens of thousands of current and former students and employees. We have all seen press reports of other schools that have been hacked or lost a laptop containing personal information. New York has now followed California’s lead in implementing a notification law. Prior to this, compromises were often kept quiet. Under the new law, if there is “reason to believe” that a system has been or may have been compromised, we are required to notify all individuals whose information was stored on the compromised system, and to notify the Consumer Protection Board or the press if more than 5,000 records are involved. Obviously, this would have a disastrous effect on the college’s public image and our recruiting and enrollment efforts, not to mention the potential damage to the individuals whose information may have been compromised.
What is the college doing to protect our systems and data?
Campus Technology Services (CTS), the central technology and support organization serving the campus, provides centralized administrative systems that serve faculty, staff, and students. CTS also supports and maintains all college-owned faculty and staff workstations. The most common way that systems are compromised is through known exploits on machines that are not properly patched.
What should you do?
Review practices regarding use of computer systems within your unit, particularly those systems that are not stored, managed, and maintained by CTS. If you have a local MS Access database on a machine in your office, or any locally stored database of students, clients, constituents, or employees, you should contact CTS to discuss options for securing that data.
Data should never be stored on local workstations—not only is that data not part of any backup and recovery process, but local workstations can be (and are) stolen. The college provides file servers accessible through the network that provide secure storage for all of your data files.
Any stolen or lost computers (desktops or laptops) should be reported to the University Police immediately. You should keep a record of all of your unit’s computer hardware (make, model, serial number and MAC address) in the event that it is stolen or lost.
The proliferation of external USB/Firewire disk drives and USB memory keys is another threat. These portable devices can also store large amounts of data that is easily lost or stolen. Again, data should only be stored on centralized college servers.
If your unit is not already using a centralized file share on a CTS server, chances are your employees are using local or removable storage that is not secure. Please call CTS at x6465 to set up a file share for your office.
It is critical that you notify CTS when an employee leaves your unit, so that their access to college systems can be terminated. Former employees can retain email privileges where necessary, but should not have access to other college systems after they leave.
Take stock of physical security within your unit. Are the offices and cabinets where sensitive paper records are stored secure and accessible to authorized personnel only? Are there alarm systems covering these areas?
Most importantly, you need to raise awareness among everyone within your unit about the seriousness of cybersecurity threats. Understanding the issues and the ramifications of a compromise—personally and institutionally—is the only thing that will make someone think twice about downloading that data file onto their laptop or USB key. Have your people check the contents of their computers and storage devices and eliminate anything that doesn’t need to be there. Remind everyone not to email confidential data files or SSNs.
If a compromise is suspected: If you suspect that a computer system in your unit has been compromised, or if any laptop or college-owned desktop computer is lost or stolen, please notify CTS and the University Police immediately. We will work with you to determine whether or not a compromise has occurred, and what actions need to be taken.
If a compromise occurs: The law requires us to notify three NYS offices:
- NYS Attorney General
- NYS Office of Cyber Security & Critical Infrastructure Coordination (CSCIC)
- Consumer Protection Board (CPB)
The summary and text of the Assembly bill signed August 9 by the governor:
The Privacy Rights Clearinghouse website at http://www.privacyrights.org