By Monique Lucey
While many states have individual data disclosure laws that dictate how organizations are to handle privacy breaches, universities are trying to find the commonalities and ensure their network security accounts for them.
One IT executive at a state college said he is hoping for an overarching federal law so that he doesn’t have to dig into the particulars of each state’s mandates. Although his campus is only in one state, he says, to be safe, he follows the guidelines of the numerous states where the college’s students are considered residents.
It’s a best practice that IT executives at other institutions could follow.
The first step is to determine what the states consider to be sensitive data. For instance, Indiana’s state law encompasses Social Security numbers (beyond the last four digits), driver’s license numbers, state ID card numbers, credit card numbers, debit card numbers, financial account information and any security code, access code, or password of a financial account.
Then study how the states expect you to secure that data. Do they want data encrypted while at rest and during transmission? Do they specifically call for you to use firewalls, network access controls, authentication and other security measures? What types of auditing or reporting should you be able to carry out to prove compliance?
Next, you have to understand when the notice must be given. Some states mandate that notice be given “without unreasonable delay,” but this is too vague. If this is the case, then IT and university leaders should set their own time limit for notifying affected parties and publish it in the institution’s public security policy.
Another key factor in following state privacy laws is to be clear on how notice is to be given. Some states require you to contact users in writing, depending on the size of the breach and the cost. If the cost would be too great, states may allow you to disclose the information to the media or post it on your site.
Finally, you should have a good grip on when you must share a breach with the state attorney general’s office. Each state has different thresholds for this escalation.
As you develop baselines for complying with multiple state laws, make sure you fully test your reporting and alerting systems in terms of technology and business procedures. For instance, it doesn’t do any good for you to have great security tools in place that tell you when a breach occurs if you have no process in place for university leaders to respond in a timely and compliant fashion.
For more information, check out your state’s disclosure laws. As an example, here is legislation from Indiana and Massachusetts.