New law aids computer security
05 June 2003
After an incident last spring in which hackers obtained access to a computer system containing information on 265,000 state employees, Sacramento legislators passed a new law to help protect individuals from misuse of their personal data. Set to go into effect July 1, SB 1386 requires organizations that maintain computerized databases, in the event of a security breach in their computer system, to notify California residents whose personal data may have gotten into the wrong hands as a result. A working group headed by Jacqueline Craig, campus information-technology policy coordinator, has developed guidelines to assist campus units in implementing the law.
Personal information covered by SB 1386 includes a person’s first name (or first initial and last name), plus one or more of the following: social security number; driver’s license number or California ID number; bank account, credit-card, or debit-card number, with any password or code needed to access the account. Information of this nature is stored in many locations in cyberspace, including campus databases and local spreadsheets.
Hackers, go home
The campus’s critical systems tend to be well protected by firewalls and other security mechanisms, says Berkeley’s information-systems security officer, Craig Lant. Of greater concern, he says, are the hundreds of networked departmental or student computers that have not installed adequate security measures and may be vulnerable to hacker attacks.
Unauthorized attempts to enter the Berkeley communications network, with its thousands of interconnected servers, “are pretty much constant,” Lant says. “Hackers have automated programs that scan constantly for vulnerabilities.” Some parties hope merely to annoy users, or to advertise their wares (tens of thousands of spam messages reach campus e-mail accounts each day). But hackers, with more malicious intent, may try to introduce viruses, distribute copyrighted intellectual property, launch attacks on remote sites on or off campus, or steal or destroy information.
As in the past, suspected network break-ins should be reported to Lant’s office (firstname.lastname@example.org), which can work with the local system administrator to determine the nature or severity of the possible security breach. If it appears that personal information may have been taken, designated campus officials will meet to evaluate what happened and determine whether and how the department should notify affected individuals.
Got data? Know where it’s at?
Craig notes that the new law exists both to protect individuals from fraud or identity theft and to provide a safe harbor against legal action for state agencies and institutions that take the legally prescribed steps. She says campus departments need to be able, in the event of a suspected computer-security breach, to immediately assess whether any of the designated personal information may have been compromised. “We are asking the authorities in charge of each department or control unit to understand the distribution of data in their departments,” she says. “They need to know whether or not they have personal data, where it is, and what kind of security precautions are in place. Having this information at our fingertips could be very important to individuals, so that they can act promptly to protect themselves.”
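To make the inventory Craig describes concrete, here is an added example (not part of the original article or of the campus guidelines) that scans a departmental spreadsheet export for records meeting the SB 1386 definition quoted above: a name element (assumed here to mean last name plus first name or first initial) together with an SSN, driver's license or California ID number, or a financial account or card number that is accompanied by its password or access code. The column-name patterns and the sample CSV are constructed assumptions; matching is by header only, not by value content.

```python
import csv
import io
import re

# Constructed sample export (no real data) with columns a departmental
# spreadsheet might carry; rows 2-6 below correspond to these data lines.
SAMPLE_CSV = """first_name,last_name,ssn,card_number,card_pin,dl_number
Alice,Example,123-45-6789,,,
B.,Sample,,4111111111111111,,
Carol,Demo,,4111111111111111,1234,
,,123-45-6789,,,
Dan,Test,,,,
"""

# Assumed header patterns for each SB 1386 data element; adapt to local schemas.
NAME_FIRST = re.compile(r"first|given|initial", re.I)
NAME_LAST = re.compile(r"last|surname|family", re.I)
ID_COLS = {
    "ssn": re.compile(r"ssn|social", re.I),
    "dl_or_ca_id": re.compile(r"driver|licen[cs]e|dl_|state_id|ca_id", re.I),
}
ACCOUNT = re.compile(r"account|card", re.I)
ACCESS_CODE = re.compile(r"pin|password|passcode|cvv|security_code", re.I)


def filled(row, pattern):
    """True if any column whose header matches pattern has a non-empty value."""
    return any(pattern.search(col) and val.strip() for col, val in row.items())


def covered_elements(row):
    """Return the triggering elements present in one record, or [] if the
    record is not 'personal information' under SB 1386.

    A name element must be present; account or card numbers count only when
    an access code or password column is also filled in the same record.
    """
    if not (filled(row, NAME_LAST) and filled(row, NAME_FIRST)):
        return []
    found = [key for key, pat in ID_COLS.items() if filled(row, pat)]
    acct_cols = [c for c, v in row.items()
                 if ACCOUNT.search(c) and v.strip() and not ACCESS_CODE.search(c)]
    if acct_cols and filled(row, ACCESS_CODE):
        found.append("account_with_access_code")
    return found


def scan_csv(text):
    """Scan a CSV export; map spreadsheet row number -> elements for covered rows."""
    reader = csv.DictReader(io.StringIO(text))
    return {i: els for i, row in enumerate(reader, start=2) if (els := covered_elements(row))}


if __name__ == "__main__":
    print(scan_csv(SAMPLE_CSV))  # rows 2 and 4 are covered; row 3 lacks a PIN
```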
The campus’s plan for implementing the new law will be available online later this month. Look for a link from the Berkeley information-technology policy website, cio.berkeley.edu/policies.html.