News Feature
Once More unto the Breach
4/13/2007
By David Nagel
UCSF then set up an information page (linked below) and a hotline for those concerned about the incident. It also contracted with a security firm to audit the university's security practices and notified the FBI of the incident.
According to Corinna Kaarlela, news director for UCSF: "The University is committed to maintaining the privacy of personal information. UCSF and the University of California Office of the President are conducting an investigation of this incident, including what types of information, if any, were compromised and how computer security can be improved. The Federal Bureau of Investigation has been notified and will be involved in the investigation. Also, UCSF is hiring a company that specializes in electronic security to provide a thorough audit of our security practices, and the findings of that audit will be reported as they become available."
Reporting: 'Safe Harbor' in Encryption?
UCSF's response was prompted by provisions in California's SB 1386, which requires the reporting to interested parties of any breaches in security that could lead to the unauthorized release of personal information of California residents.
In this respect, analysts seem to agree that UCSF's response to the incident was adequate.
"Basically they responded to the requirements of CA SB 1386, nothing more," said Strategic Technology Group's Thermos. "California SB 1386 mandates public disclosure of computer-security breaches in which confidential information of ANY California resident MAY have been compromised. To comply with California SB 1386, any organization that electronically stores confidential personal information about a California resident must immediately notify that individual upon discovering any breach to the computer system on which this information is stored. The law covers every enterprise, public or private, doing business with California residents. Organizations became bound by the law on July 1, 2003. Companies and organizations that fail to disclose computer-security breaches may become liable for civil damages or face class actions."
"As far as I am aware, UCSF's response was in accordance with CA SB 1386 and other laws with regards to timeliness," said Chris Parkerson, senior manager of the Data Security Group at RSA, the security division at EMC. "In my opinion, they handled the reporting requirement well and in a timely fashion relative to other similar incidents at other organizations."
Some of these analysts also agree on how these sorts of incidents--and the mandated reporting of the incidents--could have been avoided.
"The biggest problem we see consistently is that organizations are not taking advantage of the 'safe harbor' provision in CA SB 1386 and other similar state laws that allow for a reporting exemption if all data in the protected classes is encrypted," said RSA's Parkerson.