Date:   April 21, 2003

To:     Provosts, Deans, Directors, Department Chairs, Academic and Administrative Business Officers, Systems Administrators

From:   Executive Vice Chancellor Gene Lucas, Vice Chancellor George Pernsteiner

RE:     Management of Electronically Stored Unencrypted "Personal" Information


Recognizing that more and more personal [1] identification information is being stored electronically and that protecting access to personal information is critical, California Senate Bill 1386 was passed into law.  In response, the UC policy on Electronic Information Security, IS-3, is being revised.

UCSB stores personal information that falls within the scope of SB 1386 and IS-3.  The data is essential to the campus' ability to conduct normal business.  To comply with the law and the policy, any UCSB department or individual that maintains a data store containing unencrypted relevant data must: secure the data; be vigilant for intrusions into the data; adopt a process to handle intrusions; and notify appropriate individuals of intrusions.  The key points of the law and the proposed revisions to IS-3 that impact UCSB are attached.

To assist departments and individuals, educational forums that will describe methods for securing data and detecting intrusions are being planned by the campus information technology (IT) community, through the collaborative effort of the Information Technology Planning Group (ITPG).  In addition, the IT community is currently drafting a single guideline that describes processes by which the campus may accomplish 1) reporting compromise incidents and 2) the requirement to create and maintain a campus inventory of databases containing personal identification information.

 

What is needed now

Within your areas of responsibility, review databases to determine whether they contain the personal identification information covered by the law and policy.  If the databases contain the relevant personal identification information:

- Evaluate the security of the data in relation to IS-3 and best practices.

- Determine whether the information continues to be critical for operational purposes.

  - If it is not needed, or could be obtained from another data store that is kept more securely elsewhere, eliminate the personal identification data and cease to collect it.  This reduces the exposure to potential data compromises and reporting by reducing the number of databases that need protection.

  - If it is needed and must be stored within the department's databases, ensure that security measures (e.g., network firewalls, use of encryption techniques) comply with law and policy.
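The review step above asks each unit to decide whether a data store meets the law's definition (a person's name combined with a social security number, driver's license number or California state ID number, held unencrypted).  The following Python script, added here as an illustration and not part of this memo or of any UCSB tool, applies that definition to a CSV export of a spreadsheet or small database; the column-name hints, the identifier value formats and the sample records are assumptions constructed for the example.

```python
import csv
import io
import re

# Value shapes used to spot SB 1386 identifier fields regardless of how a
# spreadsheet labels its columns (constructed for this example: SSN as
# NNN-NN-NNNN; California DL and state ID numbers as one letter + seven digits).
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "ca_dl_or_id": re.compile(r"^[A-Z]\d{7}$"),
}
NAME_HINTS = ("name", "first", "last", "surname")  # assumed header fragments


def matching_columns(rows, pattern, threshold=0.5):
    """Columns in which at least `threshold` of the non-empty values fit `pattern`."""
    hits = []
    for col in rows[0].keys():
        values = [(r.get(col) or "").strip() for r in rows]
        values = [v for v in values if v]
        if values and sum(bool(pattern.match(v)) for v in values) / len(values) >= threshold:
            hits.append(col)
    return hits


def assess_data_store(csv_text, encrypted=False):
    """Apply the SB 1386 trigger: unencrypted AND a name AND (SSN or DL or CA ID)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return {"in_scope": False, "name_columns": [], "identifier_columns": {}}
    name_cols = [c for c in rows[0] if any(h in c.lower() for h in NAME_HINTS)]
    id_cols = {k: matching_columns(rows, p) for k, p in PATTERNS.items()}
    id_cols = {k: v for k, v in id_cols.items() if v}  # keep only kinds actually found
    # Encrypted stores fall outside the definition; only the combination triggers it.
    in_scope = (not encrypted) and bool(name_cols) and bool(id_cols)
    return {"in_scope": in_scope, "name_columns": name_cols, "identifier_columns": id_cols}


# Constructed sample data stores (not real records).
PAYROLL_CSV = """Last Name,First Name,SSN,Dept
Doe,Jane,123-45-6789,Physics
Roe,Richard,987-65-4321,Chemistry
"""
EQUIPMENT_CSV = """Asset Tag,Serial,Location
A1234567,SN-001,Building 1 Room 101
B7654321,SN-002,Building 2 Room 202
"""

if __name__ == "__main__":
    print(assess_data_store(PAYROLL_CSV), assess_data_store(EQUIPMENT_CSV), sep="\n")
```

The equipment list shows why the combination matters: its asset tags happen to fit the ID-number shape, but with no name column the store is reported out of scope, while the payroll sheet is in scope unless it is encrypted at rest.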

 

For the near future

- Be prepared to include any database containing the prescribed personal identification information in the campus inventory of databases.  (Department data stores, such as spreadsheets and small application databases, are also within the scope of the law and policy.)

- Review the draft guideline when it is released and become familiar with the process for notifying appropriate individuals when personal information has been compromised.  Develop your unit's protocol as appropriate.

- Send a department representative to the educational forums that will help identify risks and minimize your department's exposure.


 

Attachment

SB 1386 and IS-3

UCSB stores personal information that is essential to the campus' ability to conduct normal business; therefore, these key points of the law and policy are applicable.  (Department data stores, such as spreadsheets and small application databases, are also within the scope of the law and policy.)

 

Key points of SB 1386 (Text of the new law is attached)

- Any electronic data store that contains the combination of a person's name and social security number, or driver's license number, or California state ID number is defined to contain personal information that must be protected under this law.

- If the personal information contained in the data store is obtained by, or for any purpose other than, normal business practices, all the individuals whose personal information may have been compromised must be notified of the potential compromise.

- To be compliant with the new law, organizations that store personal information must have procedures in place to notify individuals by July 1, 2003.

 

Key points of IS-3 Systems Security Standards (online address?)

- IS-3 establishes the process by which a UC campus is to notify the Associate Vice President, Information Resources and Communications, in the Office of the President if an incident involving the compromise of personal information occurs.

- IS-3 establishes the requirement to create an inventory of the databases covered under this law, and describes the responsibility to protect them.

- Campuses that store personal information must designate a responsible official for the notification process.



[1] Any unencrypted electronic data store that contains the combination of a person's name and social security number, or driver's license number, or California state ID number is defined to contain personal information and must be protected under this law.