- Temporarily locking a user's account, to limit damage to their personal information and resources
- Locking multiple accounts to prevent damage from spreading to new accounts or devices
- Taking one or more devices physically (or virtually, via software) off the network, to contain an intrusion and keep it from spreading
- Removing unauthorized software ("malware")
- Reimaging/rebuilding affected machines, resetting them to a "known good" state
- Requesting that a user, or set of similar users, update software, in order to secure a device they are responsible for
- See also PII disclosure response procedure below
When sensitive PII is involved, Carleton's response, once we have discovered a breach, is necessarily more formal. ITS will:
- Remove or isolate the affected system(s) from the network
- Notify the Chief Technical Officer, or, if unavailable, the Director of Technology Support
- Notify senior Carleton College executives, at minimum the President and Treasurer, and provide ongoing impact assessments to their offices
- Notify local law enforcement and, if local law enforcement or we ourselves deem it necessary, contact the local office of the FBI or the U.S. Secret Service
- Assemble an initial internal forensics team; start the process of engaging external forensics experts, if needed
- Determine whether the system(s) should be shut down (powering off destroys volatile evidence such as memory contents, running processes, and open network connections, so this should be avoided initially; prefer network isolation)
- Attempt to preserve all evidence, including SIEM and firewall logs, backups, snapshots, and other internal (OS) and external monitoring logs, without altering the system itself (root/admin logins should be avoided, since they write new log entries and can overwrite timestamps and other artifacts)
- Document everything we do, including dates, times, and individuals involved
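The evidence-preservation and documentation steps above are easier to defend later if every copied artifact is hashed and recorded in a chain-of-custody manifest. The following is an added example, not Carleton's own tooling or anything from the original page: it copies each evidence file into a read-only collection directory, verifies the copy against a SHA-256 hash of the original, appends a record (who, when, from where, what hash) to a JSON manifest, and can later re-verify the collection. The directory layout, record fields, collector name, incident tag and the sample firewall log are all constructed assumptions for illustration.

```python
"""Evidence-preservation manifest (added example; assumed layout and field names)."""
import datetime
import getpass
import hashlib
import json
import os
import shutil
import socket
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large log archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve(sources, evidence_dir, collector=None, note=""):
    """Copy each source file into evidence_dir, verify the copy by hash, and append
    a chain-of-custody record to evidence_dir/manifest.json.
    Returns only the records written by this call."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    records = []
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            records = json.load(f)
    new_records = []
    for src in sources:
        src_hash = sha256_file(src)  # hash the original before anything else touches it
        st = os.stat(src)
        # A sequence number avoids collisions when two hosts ship a file of the same name.
        dst = os.path.join(evidence_dir, f"{len(records):04d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)  # copy2 carries the source timestamps along with the bytes
        os.chmod(dst, 0o444)  # the preserved copy is read-only from here on
        if sha256_file(dst) != src_hash:
            raise RuntimeError(f"copy of {src} does not match the source hash")
        utc = datetime.timezone.utc
        record = {
            "seq": len(records),
            "source": os.path.abspath(src),
            "copy": dst,
            "sha256": src_hash,
            "size": st.st_size,
            "source_mtime_utc": datetime.datetime.fromtimestamp(st.st_mtime, utc).isoformat(),
            "collected_utc": datetime.datetime.now(utc).isoformat(),
            "collector": collector or getpass.getuser(),
            "collector_host": socket.gethostname(),
            "note": note,
        }
        records.append(record)
        new_records.append(record)
    with open(manifest_path, "w") as f:
        json.dump(records, f, indent=2)
    return new_records


def verify(evidence_dir):
    """Re-hash every preserved copy against the manifest.
    Returns a list of (copy_path, reason) tuples; an empty list means the collection is intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        records = json.load(f)
    problems = []
    for r in records:
        if not os.path.exists(r["copy"]):
            problems.append((r["copy"], "missing"))
        elif sha256_file(r["copy"]) != r["sha256"]:
            problems.append((r["copy"], "hash mismatch"))
    return problems


# Constructed sample input: a few firewall log lines, not real traffic.
SAMPLE_FIREWALL_LOG = (
    "2024-03-01T02:14:07Z DENY TCP 203.0.113.5:51234 -> 198.51.100.20:445\n"
    "2024-03-01T02:14:09Z DENY TCP 203.0.113.5:51235 -> 198.51.100.21:445\n"
    "2024-03-01T02:14:11Z ALLOW TCP 203.0.113.5:51236 -> 198.51.100.22:22\n"
)


def demo():
    """Run the preserve/verify workflow in a temporary directory, then tamper with the
    preserved copy to show that verify() catches the change."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "firewall.log")
    with open(src, "w") as f:
        f.write(SAMPLE_FIREWALL_LOG)
    evidence = os.path.join(work, "evidence")
    recs = preserve([src], evidence, collector="analyst", note="INC-0000 (constructed sample)")
    intact = verify(evidence)
    os.chmod(recs[0]["copy"], 0o644)  # undo read-only just to simulate tampering
    with open(recs[0]["copy"], "a") as f:
        f.write("tampered\n")
    return {
        "expected_hash": hashlib.sha256(SAMPLE_FIREWALL_LOG.encode()).hexdigest(),
        "recorded_hash": recs[0]["sha256"],
        "intact": intact,
        "after_tamper": verify(evidence),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should be copied off the affected host (and ideally signed or hashed again) as soon as it is written; a record that lives only on the compromised machine proves little.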
With respect to notification, a number of laws will guide our response.
At the Minnesota state level, Minnesota Statute 325E.61 requires entities that conduct business in Minnesota, and that own or license personal information, to notify residents of Minnesota without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information. Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes. If more than 500 individuals have to be notified of a breach, we must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), within 48 hours.
At the US federal level, insofar as we maintain health data subject to HIPAA, the HIPAA Breach Notification Rule requires us to notify affected individuals (and the Department of Health and Human Services) without unreasonable delay and no later than 60 days after discovery. Federal law in this area continues to evolve.
At the international level, GDPR Article 33 mandates that, in the case of a personal data breach, the controller shall "without undue delay" notify the appropriate supervisory authority of the breach. Article 33 goes on to state that, where feasible, this notification should take place no later than 72 hours after the controller has become aware of the incident (notification of the affected individuals themselves is governed by Article 34).
Pursuant to these and other emerging regulations, Carleton will, in the event of a PII breach,
- Set up a website relating to the incident
- Send a notification email to affected parties outlining the breach, their risk, and next steps, as well as linking to the website, within 72 hours of becoming aware of the incident, where feasible
- Send followup paper notifications to the same, where possible
- In general, provide any information, mitigation, or remedies mandated by law and/or by senior officers of the college