The Information Security Office (ISO) at UB has developed the Forensics for Compliance program to comply with federal and state regulations involving University data. Adhering to the process and following all documented steps will assure UB's compliance with all data security regulations.
The program involves the performing of computer forensics on hosts that potentially contain regulated private data (social security numbers, driver's license or other identification numbers, financial account numbers) and have become compromised through infection or other means. In the event that it is determined that regulated private data has been copied without authorization, UB is required to report it.
When a computer becomes compromised, if it's known or believed that the computer may have been used to handle regulated private data, the Information Security Office (ISO) will obtain the machine (or its drive(s)) and extract an image of the contents of its hard drive(s). This process requires up to three days to complete, depending upon the size of the drive. The machine or drive is then returned to the department. The ISO will then analyze the copy of the contents and determine whether regulated private data are present on it, the manner in which the machine was compromised, and the intent of the compromise. The ISO will then advise the CIO on whether or not we reasonably believe that regulated private data was improperly copied. The CIO, in cooperation with University Counsel, will make the decision on whether to report the breach to NYS. Communicating with the public and the press about the breach will be managed by the Office of the AVP for University Communications.
Since a breach of regulated private information is a serious matter, and carries significant penalties, UB has invested in training and tools to enable us to assess the likelihood of unauthorized access. In order for the CIO to have the best information available when making the decision to report, it's important that a rigorously defined process be followed in every instance.
The steps in the following diagram should be followed to determine whether or not the Information Security Office should be involved when a host is compromised. If there is any doubt, contact the Information Security Office.
Regulated private data is defined in NYS General Business Law 899-aa as "private information" and includes social security numbers, driver's license numbers or non-driver identification card numbers, and account numbers that permit access to an individual's financial account. The law requires that we report when this information has been downloaded or copied without authorization, or when we reasonably believe that it has been.
Reporting consists of notifying all affected individuals (in writing), the consumer credit reporting agencies (if the breach involves more than 5000 people), the Attorney General's office, the NYS Department of State's Division of Consumer Protection and the NYS Office of Cyber Security & Critical Infrastructure Coordination. Industry reports estimate that the cost of the associated public relations campaign, inquiries, and audits can average around $200 per individual affected. By law, failure to report can carry a $10 penalty per individual affected (up to $150,000), in addition to any damages awarded to those individuals by the court.
Identity Finder is software licensed by the University at Buffalo that IT support staff can use proactively to detect regulated private data on a host. If regulated private data is found, you can secure or remove it.
Identity Finder is meant to be used prior to indications of infection to detect regulated private data. Please do not use Identity Finder to look for regulated private data once a machine is deemed compromised or potentially compromised.
There is a short 12-minute video available in UBlearns (Handling Data Safely Unit 2: Regulated Private Data) that is intended to raise awareness of the issues surrounding regulated private data. Anyone with a UBITName can self-enroll in the UBlearns course to review the material. Please use this material within your departments to help people understand how to properly handle regulated private data.
We continue to ask for your assistance in limiting the use of regulated private data and bringing awareness to faculty and staff on the risks of storing it on their computers and portable devices. The best way to protect regulated private data is to ensure employees that require it to perform their job are able to work with it in a secure environment.