The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Sunday, May 01, 2005
Once again, a university has been forced to advise students that they may be at risk of identity theft after Florida International University techs found that unknown hackers had compromised at least 165 computers. See Florida Uni on brown alert after hack attack | The Register, via Privacy Digest.
The university's notice is below:
::ALERT:::"To: All FIU Faculty and Staff
From: Dr. John P. McGowan, Vice President & CIO
Subject: Critical IT Security Breach Notification - Faculty/Staff
Date: April 27, 2005
THIS IS AN IMPORTANT SECURITY NOTIFICATION. WE ASK THAT MEMBERS OF THE UNIVERSITY COMMUNITY READ THIS MEMORANDUM VERY CAREFULLY.
Last week, it was brought to the attention of the Information Technology Security Office (ITSO) that a file found on a compromised FIU computer indicated that a hacker had access to the username and password for 165 computers at the University. The ITSO, University Technology Services (UTS) and relevant FIU representatives have been working diligently on addressing this security incident.
To address this situation, and reduce the potential for additional computers being compromised (accessed without your consent/knowledge), UTS, working with the IT representatives from various academic and administrative units, and in consultation with the Faculty Senate Chairperson, will visit and check every computer in the University to ensure the appropriate level of security. Please note that this will include Apple (Macintosh) computers as well as Windows-based computers. Given the number of computers that need to be analyzed, we have established a site visit schedule that will allow us to focus our efforts first on those areas that may contain the most critical/sensitive data such as Social Security numbers (SSNs), credit card numbers, birthdates and the like. It should be noted that Panther ID numbers alone are not considered sensitive information. UTS will be in contact with each user/department to schedule these site visits; we respectfully ask for your patience during this process.
PLEASE REVIEW THE FOLLOWING ADDITIONAL INFORMATION RELATED TO THIS INCIDENT:
HOW DOES THIS AFFECT ME?
> While we have a confirmed list of 165 compromised computers, there is a possibility that someone could have connected to numerous other computers remotely and information on these computers could have been compromised.
HAS MY CREDIT CARD INFORMATION OR SOCIAL SECURITY NUMBERS FOR EMPLOYEES OR STUDENTS IN MY DEPARTMENT BEEN STOLEN?
> At this time, we have determined that a few of the compromised computers contained sensitive information (e.g., credit card numbers and SSNs), and are working to determine the extent to which such sensitive information on your computer or network file shares (M, N Drive etc.) has been inappropriately accessed. UTS officials are collecting the necessary information and are in the process of alerting the appropriate authorities to address this situation.
> A team of technical support representatives from UTS or your unit’s IT staff will be assessing each computer on an individualized basis.
WHAT SHOULD I DO?
> Remove sensitive information (birthdates, SSNs, credit card numbers, research information that may contain personally identifiable information, student records containing SSN such as class rosters, or health information, etc.) immediately from your computer; if you need to store this information elsewhere, please move it temporarily to an external storage device (CD, USB drive, floppy etc.) and place in a locked file cabinet in your office or department.
> Do not save Social Security numbers, credit card numbers, birthdates etc. on your computer or other devices such as Blackberries, Palm devices, cellular phones, etc.
> Turn your computer off at the end of the day or when away from your workstation for an extended period of time.
> Contact any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert advises new and potential creditors that they should contact you before opening any new accounts in your name. Additionally your existing creditors are advised that they should contact you prior to making any changes (e.g., credit limit change) in your account. Once you notify one credit bureau, the fraud alert will be sent automatically to the other two. All three bureaus will send you credit reports free of charge once they receive the fraud alert. The three credit bureaus can be contacted as follows:
Transunion 1-800-680-7289
Equifax 1-800-525-6285
Experian 1-888-397-3742
> Continue to check all your accounts on a regular basis for unusual activity.
> The Federal Trade Commission Identity Theft Hotline gives a good overview of what to do when you think your information may have been stolen but have no evidence that it is being used. The number is 1-877-438-4338. Press #3. The Federal Trade Commission also has a website with extensive information about identity theft at http://www.ftc.gov/idtheft
DO I NEED TO CONTACT SOMEONE WITHIN FIU?
> No. Technical support representatives from UTS or your unit’s IT staff will be visiting each area; as such, it will not make the situation or mitigation efforts easier if the UTS Call Center becomes overwhelmed with calls from users seeking information or calling to schedule a technical site visit; users are encouraged to visit the UTS website at http://uts.fiu.edu for the most up-to-date information. Please note that service requests normally handled by the UTS Call Center and Field Team may be delayed as we re-assign resources toward this effort.
WHAT CAN I EXPECT WHEN A TECHNICAL SUPPORT REPRESENTATIVE VISITS ME TO SECURE MY COMPUTER?
> The technical support representatives from UTS or your unit’s IT staff visiting your offices will be completing a security mitigation checklist which may include: Gathering information on the TYPES of sensitive information (i.e., SSN, credit card numbers) saved on your computer or network file shares (M, N drives etc.), but NOT the actual numbers; updating your operating system; updating your anti-virus software; removing known Windows vulnerabilities; re-configuring your log-in accounts; scanning for applications that allow for unauthorized access; disseminating new information on effective password management and computer user access guidelines. The UTS representatives will NOT be opening your documents or requesting disclosure of personal information or intellectual property. If a UTS representative is granted access to work on your computer in your absence, he or she will turn your computer off once they have completed the steps in the security mitigation checklist - unless otherwise instructed.
> Please note that all UTS technical support representatives will be wearing the standard UTS identification badges with photo and name, or will be a member of your unit’s IT staff.
Thank you for your attention to this notification. We sincerely ask for your patience and cooperation as we address this situation. Once again, be sure to check the UTS website at http://uts.fiu.edu for updated information on this incident."
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.