Protecting Against a Data Breach
Every time I check my Twitter feed, I get a notice of a data breach occurring at a business or school district. That's why it's critical that school leaders come up with a Safeguarding Sensitive Data Plan for their district. Below, you'll find some of my efforts, along with my colleagues' efforts, in developing a District plan. Your feedback is welcome!
Some points to keep in mind:
- Avoid using the term "data breach" should your district experience one.
- If you become aware of a potential loss of sensitive confidential data, make sure you notify TASB so they can help you from the get-go (this should be like the first phone call you make after becoming aware of the problem).
- Put a policy in place (there are plenty online to choose from, and I've included one further below that's adapted from other sources). Here's one example.
- Provide professional learning to all staff. Here's one possible approach.
- Remember, it's not just digital...paper is important to protect, too.
A data security breach occurs any time there is unauthorized access to school district data, including FERPA and/or HIPAA data. Other terms you may encounter when referring to data breaches include a loss of “personally identifiable information,” as well as “personal health information.” Lost laptops and misplaced USB flash drives are the top two causes of data breaches in schools.
The District is putting this policy in place for the following reasons:
- Ensure that the District’s staff and student print and digital information remains confidential and is accessible only to those who should have access to it.
- Prevent unauthorized individuals from changing staff’s and/or students’ sensitive information.
- Verify that your information is available when you need it (by making encrypted, secure backup copies and, if appropriate, storing those secure, encrypted backup copies off-site)
To accomplish this, you need to secure not only physical copies of the data (e.g. print-outs in locked file cabinets) but also encrypt digital copies of that data.
Confidential, Sensitive or Personally Identifiable Data
The SCHOOL ISD is committed to protecting confidential, sensitive data. Personal Information means any information relating to an identified or identifiable person (employees and consumers) and includes, for example, a person’s name, physical address, phone number, e-mail address, social security number (SSN), credit card numbers, driver’s license numbers, passport numbers, date of birth, savings account, checking account, insurance policy or other health account or financial account number or information, and health or disability information.
Personal Information includes employee background checks, including credit reports, and any records that are derived from this information. Additionally, Personal Information includes consumer credit reports and any records that are derived from this information that relate to an identified or identifiable consumer.
Family Educational Rights and Privacy Act (FERPA)
K-12 educators and support staff are largely unaware of the threats and vulnerabilities associated with the information systems they use. For example, private student data can be stolen, lost, and/or exposed to the public. This threat is especially pertinent as educators and support staff are obligated to protect sensitive information such as Student Test Numbers under the Family Educational Rights and Privacy Act, or FERPA, which is one of the nation’s strongest privacy protection laws. These individuals need opportunities to learn about the threats and countermeasures associated with information protection. (Source: Purdue University - Data Security in K-12)
Protected Health Information (PHI) and/or HIPAA
The SCHOOL ISD is committed to compliance with the health information privacy and security requirements set forth by federal law and the regulations of the U.S. Department of Health and Human Services. These requirements dictate that the privacy of personal or protected health information (PHI) received by or generated through certain District employee health plans be protected from improper use or disclosure.
Protected health information generally includes personally identifiable health information that is maintained by or on behalf of a HIPAA-covered health plan, including information in writing, electronic medium, and oral communications.
Protected health information does not include health information that is maintained by the district in its role as an employer (e.g., information maintained in relation to FMLA or worker’s compensation). The HIPAA security rule applies to personally identifiable health information that is in electronic form.
Privacy and security safeguards will be implemented to ensure the confidentiality, integrity, and availability of protected health information created, received, maintained, or transmitted by the Plan, including information in electronic form, whether it is being stored or transmitted.
Consequences of NOT Securing Data
Data breaches leave people six times more likely to become victims of identity theft, according to a survey this year by Javelin Research. There can be various consequences to not securing data, such as the following:
- Direct costs are incurred by the school district for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
- The cost of paying for credit protection for individuals affected.
- The school district may suffer damage to reputation.
- Staff may be disciplined or terminated depending on the severity of the data breach.
Laptop theft facts that make encryption of confidential data important:
- Statistics show that as many as one in ten laptops will be stolen or lost from an organization over the lifetime of each computer.
- 86% of security practitioners report that someone in their organization has had a laptop lost or stolen.
- 56% report that it resulted in a data breach.
- Encryption of data stops cyber criminals from stealing data on laptops.
Ninety-seven percent of stolen computers are NEVER recovered. That means that confidential data could be out there indefinitely, like a time-bomb waiting to explode when someone discovers it and then uses it. What could have been done differently in each of these cases (Appendix 4: Case Studies)? Encryption of the data being transmitted via email, or stored on a computer, USB flash drive or web site. Encrypting the confidential data is the single most important step that could have been taken.
Plan for Implementation
The SCHOOL ISD Plan shall implement and maintain these policies and related procedures to manage the selection, development, implementation, and maintenance of security measures to protect sensitive data (both personally identifiable and health information) and manage the conduct of the District employees in relation to the protection of the protected health information as follows:
- Authorization. Only District employees designated by the Privacy and Security Official as requiring access to protected health information will be given such access.
- Training. District employees, including management, authorized to use and disclose protected health information will receive annual training, including privacy and security awareness. Initial training is provided upon hiring, and annual refresher trainings are required.
- Response, Reporting, and Sanctions. Issues of non-compliance with this Policy or the Privacy and Security Rules must be reported promptly upon discovery to the Incident Response Team.
- Breach Notification. The Plans shall comply with the District’s breach notification policy.
- Physical Safeguards. Plan members’ protected health information shall be secured in a locked file cabinet used solely for the purpose of storing this information. Paper documents containing protected health information shall be shredded before being discarded. Electronic files containing protected health information, if any, shall be password protected. To prevent unauthorized access to protected health information at unattended work stations and terminals, users will close files when not at the computer. A facsimile machine used to transmit and receive protected health information shall be in a secure location. Physical access to systems containing electronic protected health information shall be limited, as reasonable and appropriate, to individuals authorized to use those systems.
- Technical Safeguards. To the extent protected health information is maintained electronically, access to electronic information systems or software programs will be provided to only those persons who have been granted access rights.
- Minimum Necessary. When using, disclosing, or requesting PHI, the Plans shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI necessary is used, disclosed, or requested, consistent with HIPAA’s minimum-necessary rule.
- Contracts with third party entities for storage of the District’s data in the cloud. This has been a hot topic at conferences. There is specific contract language that should exist within such contracts, covering storage, security, disposal, etc. This is what the Walsh Anderson advertisement was referring to.
Incident Response Team
- Designate someone who will lead the team but train everyone on what to do.
- Gather thorough, extensive documentation of events leading up to and immediately following the discovery of the breach.
- Enable clear and immediate communication with everyone in the District about what happened, and how they should respond to any external inquiries.
- Facilitate immediate notification and activation of the designated response team, especially legal counsel, to determine whether law enforcement and/or other regulatory agencies need to be involved.
- Participate in identification of the cause of the breach and implementation of whatever steps are necessary to fix the problem.
- Manage development of messaging and deployment schedule for notifying those whose data was compromised, based on counsel from lawyers who will review state laws, compliance regulations, and other mandates affecting what the messaging must say and how soon notification must occur, as well as what compensation to affected victims should be provided.
- Notifying TASB should be the first step; we have data breach coverage, and they have worked with 3rd party vendors with respect to post-data breach protocol.
- Communicate protocols for handling data to all stakeholders. This needs to include paper forms, district-owned devices, personal devices, and third-party contracts for data. The challenge will be to identify all stakeholders and what data they currently work with and/or store. Determine appropriate levels and types of training; implement training for new employees; develop refresher trainings annually for all employees.
- Monitor prevention measures on a timely basis.
- Establish an incident response team with clear expectations as to the role each member plays.
- Conduct an inventory of sensitive data assets.
- Categorize data so that end-users know how to protect data.
- Implement a communication plan for all stakeholders, including partners.
- Heighten awareness of how critical it is to safeguard data.
- Maintain an up-to-date firewall and content filtering system.
- Require safeguarding sensitive data for all staff in the Responsible Use Agreement.
- Provide web visitors/users with terms and conditions for the use of the school district’s web site, network and systems, prohibiting the collection of information through the use of bots and other types of hacking.
- Incorporate the District’s Vendor Access Policy into the vendor’s contract to lessen the school district’s risk of a data breach.
- All district hard drives and storage media will be wiped (e.g. DBAN) or destroyed as appropriate prior to being made available for auction or released to public and/or community.
- Practice steps--modeled via professional learning--to safeguard sensitive data consistently.
- Learn how to communicate effectively to District Incident Response Team with critical information about what data was lost, the source of the data, the media (e.g. USB, email with attachment, paper), number of individuals affected, etc.
- Establish processes for shredding paper and digital data while maintaining records retention policies when appropriate.
- Practice steps to safeguard sensitive data consistently (refer to list)
- Lock your workstation when you step away from it.
- Encrypt sensitive data that includes staff/student information.
- Lock confidential documents.
- Avoid opening sensitive data on personal mobile devices and/or removing them from a secure campus location.
- Engage in healthy data protection practices.
- Practice encryption of sensitive data, including emails, files.
- Maintain secure passwords and protect passwords using a “password-keeper.”
- Receive a report of an alleged data breach from an individual to District personnel (this could be from an employee or a vendor). Processes and protocols need to be established for identifying and reporting different types of data breach.
- Establish chain of command reporting for staff to ISD.
- Establish chain of command for contracted services data breaches reported to the ISD.
- Conduct a forensic analysis of data breach to determine reportable incident.
- If data is unencrypted, law requires that a data breach be reported to the Incident Response Team, law enforcement, and affected individuals.
- If data is encrypted, no data breach occurred.
- Types of notice to affected individuals: Per a recent session at TASB, third-party vendors are able to assist with this process and the cost is included within the coverage type.
- Written notice to the last known home address for the individual.
- Telephone notice.
- Email notice if a valid email address is available (e.g. staff).
- Substitute Notice. This involves conspicuous posting of the data breach notice on the School District web site and notification to major media outlets.
- Practice steps to safeguard sensitive data consistently
- Communicate effectively to District Incident Response Team should a breach occur.
EdTech, How Schools Can Mitigate Data Risk. Available online 07/22/2015 at http://www.edtechmagazine.com/k12/article/2014/10/how-schools-can-mitigate-data-risks
The SCHOOL ISD collects and works to safeguard sensitive data, such as personally identifiable information (PII), as well as data classified as Family Educational Rights and Privacy Act (FERPA) and/or Health Insurance Portability and Accountability Act (HIPAA) protected data. This can include data such as a person’s name, physical address, phone number, e-mail address, social security number (SSN), credit card numbers, driver’s license numbers, passport numbers, date of birth, savings account, checking account, insurance policy or health account or financial account number or information, and health or disability information. Unauthorized access, use, or disclosure of sensitive data can seriously harm individuals by enabling the opportunity for identity theft, blackmail or embarrassment. The disclosure of sensitive data can also cause the SCHOOL ISD to suffer a reduction in public trust and can create a legal liability.
Sensitive data collected and/or used should be considered protected data and must be protected when in digital format and/or print format. This policy covers students, employees and others on whom the SCHOOL ISD may have such information. The policy applies to all persons exposed to sensitive data, its storage mechanisms (how the information is stored, e.g. paper, electronic, other media) and modes of transmission.
The purpose of this policy is to ensure (a) that employees understand the need to safeguard this information, and (b) that adequate procedures are in place to minimize the risk of improper disclosure of sensitive data. Access to sensitive data may only be granted to authorized individuals on a need-to-know basis. This policy seeks to ensure the security, confidentiality, and appropriate use of all sensitive data processed, stored, maintained, or transmitted on the SCHOOL ISD’s computer systems and networks. This includes protection from unauthorized modification, destruction, or disclosure, whether intentional or accidental.
- The SCHOOL ISD supports the protection of individual privacy. As such, it will comply with all applicable laws that govern the collection, storage, transfer, use of, and access to sensitive data.
- The SCHOOL ISD shall strive to minimize collection of sensitive data to the least amount of information required to complete a particular transaction or to fulfill a particular purpose related to the academic or business needs of the institution. Employees should limit any request for sensitive data to the minimum necessary or appropriate to accomplish the District’s purpose for which it is requested.
- All sensitive data in the possession of the SCHOOL ISD is considered confidential unless:
- The data owner has authorized the release of information designated as “Directory Information” by the District; or
- The data owner has otherwise authorized its disclosure.
- The SCHOOL ISD requires that sensitive data--such as that listed below--must be stored and transferred in encrypted format when digital, and kept secure when in paper form.
- Consistent with applicable law and District policy, custodians of sensitive data shall take reasonable and appropriate steps to:
- limit access to and further use of or transfer of such information; and
- ensure that the information is maintained in a form and manner that is appropriately secure in light of the nature and sensitivity of the information.
How to Protect Sensitive Data
Electronic Storage and Disposal
- Do not store sensitive data on a portable, mobile device (e.g. USB drive, CD, laptop) in decrypted format.
- Do not store sensitive data in public files accessible via the Internet (e.g. Dropbox, non-District GoogleDrive).
- Do not download sensitive data from District databases (e.g. Eduphoria, Data Dashboard) unless legally required or for standard district practice.
- Do not transmit sensitive data to external parties via email or the Internet unless the connection is secure and/or the information is encrypted. Refer to http://tinyurl.com/ecbesafe for help on how to encrypt/decrypt information.
- Safely wipe (a.k.a. “digital shredding”) storage media when disposing of equipment.
- Contracts with third party entities for storage of the District’s data in the cloud will be signed to ensure that protected storage, security and disposal of data are in alignment with District policy. The District will require the vendor to detail in the contract how data is securely stored, who has access to and use of the data, and how data is transferred or shared among users internal to the third party and/or other authorized users. Third party entities will also be expected to detail how data will be destroyed at the end of the contract term and how a copy will be returned to the District.
Physical Storage and Disposal
- Do not publicly display sensitive data or leave sensitive data unattended, even on your desk or on the desk of a co-worker.
- Do not take sensitive data home.
- Do not discard sensitive data in the trash. Shred sensitive data when it is no longer needed.
- Lock your computer when unattended.
- Lock offices, desks, and files that contain sensitive data when unattended.
- Eliminate the use of forms that ask for sensitive data whenever possible.
- Password-protect all accounts with access to sensitive data.
- Do not share passwords and do not document passwords.
Legal Disclosure Requirements
- Do not share sensitive data with anyone unless required by law, specific job responsibilities, or business requirements. Be prepared to say “no” when asked to provide that type of information.
- Do not communicate sensitive data designated by the Family Educational Rights and Privacy Act (FERPA).
- Notify your supervisor immediately if you suspect sensitive data may have been compromised. The Texas Association of School Boards (TASB) will be notified of any situations in which sensitive data is compromised, and apprised of the details of that situation.
Laws and Regulations relating to Sensitive Data
- FERPA -- Family Educational Rights and Privacy Act. Limits the disclosure of “education records” defined as those records that are: (a) directly related to a student, and, (b) maintained by or on behalf of the District.
- A record is “directly related” to a student if it is “personally identifiable” to the student.
- A record is “personally identifiable” to a student if it expressly identifies the student by name, address, birth date, social security number, ID number, or other such common identifier.
- Examples of “education records” include registration records, transcripts, papers, exams, individual class schedules, financial aid records, disability accommodation records, individualized education plans, and placement records.
- HIPAA -- Health Insurance Portability and Accountability Act. Imposes privacy and security standards addressing the use, disclosure, storage and transfer of “protected health information.”
- “Protected health information (PHI)” means “individually identifiable health information,” which is any information that identifies an individual and relates to the individual’s past, present, or future physical or mental health or condition.
- Examples of information that should be treated as “protected health information” at the District include employee benefit information, worker’s compensation claim information, student health services information, and student counseling information.
- GLB -- Gramm-Leach-Bliley Act. Requires implementation of a written information security program for “customer information.”
- “Customer information” means any record containing “nonpublic personal information” handled or maintained by or on behalf of the institution about a customer of that institution.
- Examples of “customer information” at the District include financial records of employees, students and/or their parents (such as cashier’s accounts, or information related to financial aid), and donors.
- PCI-DSS -- Payment Card Industry Data Security Standards. Requires implementation of security standards surrounding the authorization, processing, storage, and transmission of credit card data. The security standards apply to electronic and paper credit card data. Credit card data is defined as the first six and/or the last four digits of any credit card provided by a customer to conduct business. If all digits of the credit card are used, then the name, card expiration date, and source code are considered credit card data and must be protected.
- Texas Identity Theft Enforcement and Protection Act. Requires implementation and maintenance of reasonable procedures to protect information collected or maintained in the regular course of business from unlawful use or disclosure, including personal identifying information and sensitive personal information.
Violation of this policy may result in disciplinary action, up to and including termination of employment pursuant to the District’s Employee Handbook and Responsible Use Agreement.
Responsible Party: Assistant Superintendent of Finance
Review: Every 2 years, on or before September 1
Superintendent of Schools
Effective Date:
Adapted from the Texas Southern University Personally Identifiable Information Policy 04.06.28. Available online at http://tinyurl.com/qyb3xww (accessed 10/15/2015).
9 Simple Steps for Safeguarding Sensitive Data
As SCHOOL ISD employees, we are all afforded access to a variety of confidential or sensitive data. This data, which may include personally identifiable information, pertains to students, parents, and/or employees. Below, please find a list of steps you can take to model responsible data practices in line with our Responsible Use Agreement and District Policy.
1. Avoid discussing sensitive data in the presence of unauthorized personnel. If they are not authorized to view sensitive data, then they are not authorized to hear about it either.
2. Avoid sharing sensitive documents with unauthorized individuals. This includes allowing others to view documents as well as giving them copies of documents.
3. Store sensitive documents in a lockable file cabinet or drawer.
4. Shred documents before disposal.
5. Don’t allow others to view your computer programs unless you are present to monitor activity and operate the technology. Also, be sensitive to prevent unauthorized viewing of confidential data or misuse of data while another is viewing content, even when you are present.
6. When away from your desk area, lock your computer. This will keep unauthorized personnel from accessing and using your computer.
7. Avoid saving sensitive data in unencrypted format directly to your computer. This includes places such as your Desktop, MyDocuments, or your hard drive. If your computer/laptop/tablet is stolen, any sensitive data stored there will be accessible by the thief and anyone else who touches that device. Also, do not save sensitive data in unencrypted format to external storage devices such as thumb drives, CDs, and “cloud storage.”
Get encryption software appropriate for your device
- File Encryption?
- Mac/Windows/Linux computer?
- Chromebook or use Google Chrome?
- Try Minilock for individual file encryption
- Android device?
- Get Secret Space Encryptor (SSE) for Android from Google Play store.
- Text/Email Encryption?
- iOS/iPhone/iPad device?
- Any device?
- Text Encryption (save then open in your web browser)
You may also want to get a copy of File Shredder for Windows to securely delete information from your Windows computer.
8. Avoid sharing your passwords. In fact, it is a direct violation of district policy to share your password with other staff. If an issue arises, contact the EC Technology Operations Office for assistance at 210-649-2343.
9. Avoid storing your passwords in an unencrypted text file or cloud storage (e.g. GoogleDoc). Instead, take advantage of a “password locker” type program. More information on developing and securely storing your passwords is available online at http://tinyurl.com/safeguardpasswords
Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients.