University of California, Riverside Security Breaches Involving Personal Information
Friday, July 25, 2008


Security Breaches Involving Personal Information

An introduction from Associate Vice Chancellor Chuck Rowley (7/1/2003):

Senate Bill 1386 and Assembly Bill 700, effective July 1, 2003, added a new provision to the California Information Practices Act - Civil Code 1798.29, 1798.82. This new provision requires any state agency (including the University of California) with computerized data containing personal information to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Civil Code defines "personal information" to be an individual's first and last name in combination with any of the following (click here for other definitions):
  • social security number AND/OR
  • driver's license number AND/OR
  • financial account or credit card number in combination with any password that would permit access to the individual's account
It requires that owners of computerized data must give notice of any security breach to affected persons in the most expedient time possible and without unreasonable delay (click here for Incident Response Procedures). The provision also allows for substitute notice (e.g., via posting on the agency's website and notification to major statewide media) in certain circumstances. The bill specifies that an agency that maintains its own notification procedures as part of an information security policy shall be deemed to be in compliance with the bill's notification requirements, as long as the agency notifies people in accordance with its policies in case of a security breach and as long as the agency is otherwise consistent with the bill's timing requirements for notification.

On April 29, 2003 the University of California Office of the President (UCOP) issued an amendment to Business and Finance Bulletin IS-3 - "Electronic Information Security" to address these new legal requirements. The guidelines and procedures contained on these web pages are provided to campus departments and units for their assistance in implementing the UCOP requirements.


Page Created by Center for Visual Computing