The University at Buffalo’s Information Security Office (ISO) has developed and implemented the Forensics for Compliance program. The objective of this program is to comply with applicable federal, state, SUNY, and university regulations involving University data. Adhering to the Forensics for Compliance process and following all documented steps ensures UB’s compliance with all data security regulations.
The program involves performing computer forensics on hosts that potentially contain Category 1 - Restricted Data and have become compromised through infection or other means. In the event that it is determined that Category 1 - Restricted Data has been copied without authorization, UB is required to report it. Category 1 - Restricted Data includes, but is not limited to: Social Security Numbers, driver license numbers, state-issued non-driver ID numbers, bank or financial account numbers, HIPAA-regulated protected health information, passport numbers, and UBIT authentication credentials. Refer to the Data Risk Classification Policy for more information about data classifications used at UB.
When a computer becomes compromised, if it is known or suspected to have been used to access or handle Category 1 - Restricted Data, the following process is completed by the ISO:
This process requires up to three business days to complete, depending on the size of the drive(s).
After this, the ISO:
Next, the VPCIO, in cooperation with University Counsel, determines whether to report the breach to New York State. The VP for University Communication manages communication with the public and press about the breach.
A breach of Category 1 - Restricted Data is a serious matter, and carries significant penalties. As such, UB invests in training and tools that enable the ISO to assess the likelihood of unauthorized access.
In order for the VPCIO to have the best information available when making the decision to report, it is important that a rigorously defined process is followed in every instance.
The steps in the following diagram should be followed to determine whether or not the Information Security Office should be involved when a host is compromised. If there is any doubt, contact the Information Security Office.
Category 1 - Restricted Data is defined in the NYS General Business Law 899 as "private information" and includes Social Security Numbers, driver's license numbers or non-driver identification card numbers, and account numbers that permit access to an individual's financial account. The law requires that the University report when this information has been downloaded or copied without authorization, or when the University reasonably believes that this information has been downloaded or copied without authorization.
Reporting consists of notifying the following individuals/organizations:
Industry reports estimate that the cost of the associated public relations campaign, inquiries, and audits can average around $148 per lost or stolen record.
The New York State Information Security Breach and Notification Act stipulates that knowingly or recklessly failing to report a breach can carry a $10 penalty per individual affected (up to $150,000), in addition to any damages awarded to those individuals by the court.
Spirion is managed software licensed by the University at Buffalo that IT support staff can use proactively to detect Category 1 - Restricted Data on a host. If Category 1 - Restricted Data is found, you can secure or remove it.
Spirion is meant to be used prior to any indication of infection to detect Category 1 - Restricted Data. Do not use Spirion to look for Category 1 - Restricted Data once a machine is deemed compromised or potentially compromised.
The Handling Data Safely course is available as self-paced, online training through UB Edge. The Handling Restricted Data section is intended to raise awareness of the issues surrounding restricted data. Anyone with a UBITName can self-enroll in the UB Edge course. The ISO recommends using this training material within your department to help employees understand how to properly handle restricted data.
We continue to ask for your assistance in limiting the use of Category 1 - Restricted Data and heightening faculty, staff, and student awareness of the risks associated with storing such data on computers and portable devices. The best way to protect Category 1 - Restricted Data is to ensure that employees who require it to perform their job are able to work with it in a secure environment.