Data Breach Simulation Exercise

How to Minimize Damage & Maximize Outcomes in the Wake of a Data Breach

May 2018

Link to Slides

http://bit.do/GoldCountryCETPABreachSim

Exploding Data!

Social Media in Schools: What Now?

4

Bite-Sized Tips & Tricks

5

But Wait! There’s More!

6

NOTHING TO HIDE???

7

8

In 1991 for about $3000 on sale…

9

EVOLVING, SOPHISTICATED SCAMS

10

Kids these days…

11

BLUE: phishing attacks �PURPLE: breaches or hacks resulting in the disclosure of personal data �YELLOW: ransomware attacks �GREEN: denial-of-service attacks (green pins); and�RED: other cyber incidents resulting in school disruptions & unauthorized disclosures

12

The K-12 Cyber Incident Map

13

RIPPED FROM THE HEADLINES!

14

TERRIFYING NEW HACKING TREND!

15

IMPORTANCE OF DIGITAL CITIZENSHIP

CHANGING LANDSCAPE OF DATA PRIVACY

16

LEGISLATIVE CHANGES

17

FUTURE READY!

18

http://bit.do/whatsappCUE18

LEGISLATIVE TRENDS

19

GDPR???

20

2018 Ballot Measure?

21

COPPA OVERVIEW

ALL THE COOL KIDS ARE DOING IT…

WHAT IS…EXAMPLE

DO YOU ASK BEFORE YOU APP?

SIMPLE TIPS FOR TEACHERS

SOCIALIZE SAFELY!

28

29

http://www.visualcapitalist.com/happens-internet-minute-2017/

DATA BREACH SIMULATION

• Table top exercise that simulates a data breach within a complex organization.
• Intended to put you in the shoes of critical decision makers who have just experienced a data breach.

​

30

DATA BREACH SIMULATION

• You will be divided into teams to react and respond to the scenario.
• Over time, the scenario will be more fully revealed and you will discover more about what happened.

​

31

Be Prepared for the Unexpected!

32

SUGGESTIONS

• Think about each of the roles needed in your organization (e.g., public information officer, data system leadership, attorney, auditors, etc.).
• The full extent or impact of a data breach is rarely known up front. Do your best to anticipate what might happen, but don’t get ahead of yourself.

​

​

33

DATA BREACH SIMULATION

Each team will develop two key products:

​

1. Public and Internal Communications/ Messaging – Develop the message(s) you will deliver to your staff, stakeholders, the media, and the public.

​

34

​

During the event, you will be asked to participate in press conferences about the scenario. Be prepared to respond to members of the media about what is happening and how your organization is responding.

​

DATA BREACH SIMULATION

​

2. Response Plan – Outline how your organization will approach the scenario and what resources you will mobilize. Describe who will compose your response team. Identify goals and a timeline for your response.

​

35

BACKGROUND

• Your LEA has 1,500 employees.
• 250 employees work at the central office, 1,250 work in the field.
• Your IT department provides centralized services and support for all employees including access to a newly-deployed centrally-managed database that includes student, certificated, and classified staff information.

​

​

36

BACKGROUND (cont.)

• The new database allows users to log in through a browser and upload and modify information.
• The new system has only been deployed in a few sites throughout the county.

37

SCENARIO

• Yesterday, an employee that works at one of the school sites reported that some student data has been changed in the system. Several of the students in one program had their grades changed to reflect higher grades than the teacher recalls them having.

​

​

38

SCENARIO

• Initial investigation shows that someone logged on using the field employee’s login information and manually changed the grades.
• Additionally, the logs indicate that several reports were also downloaded from other systems, including some that contained private information about employees (including SSNs) .

​

​

39

DATA BREACH SCENARIO

1. Gather with your team.
2. Go over the scenario carefully. What do you know? What don’t you know?
3. Begin building your response. Elect a team member to take notes.

​

​

​

40

DATA BREACH SCENARIO (cont.)

4. During the scenario, you will receive additional information about the breach. Read each of these updates as the scenario unfolds.
5. We will occasionally pause to discuss where we are, and eventually give a press statement.

​

41

This exercise works best if approached as a “murder mystery” game. The more you synthesize the information and role play, the more useful the exercise becomes.

Questions?

42

DATA BREACH SCENARIO

43

10 Minutes

• Your LEA has 1,500 employees.
• 250 staff work at the central office , 1,250 work in the field.
• Your IT department provides centralized services and support for all employees including access to a newly-deployed centrally-managed database.
• The new database allows users to log in through a browser and upload/modify information.
• The new system has only been deployed in a few offices throughout the county.
• Yesterday, an employee in the field reported that some student data has been changed.
• Someone logged on using the field employee’s login.
• Logs indicate that several reports were downloaded from other systems, including some that contained private information about employees (including SSNs).

​

​

WHERE ARE WE?

• Have you begun to build a response plan?
• Can you make any concrete conclusions?
• Does the fact that the breach includes SSNs change the way you respond?

​

​

44

SCENARIO UPDATE

• Logs indicate that the login occurred from the Wi-Fi network of your organization’s Central Office after school hours.
• Reports have surfaced about a student intern offering to change additional accounts for money. No names have yet been revealed.

​

45

DATA BREACH SCENARIO

46

10 Minutes

• Logs indicate that the login occurred from the Wi-Fi network inside your central office after hours of operation.
• Reports have surfaced about unpaid student interns offering to change additional accounts for money. No names have yet been revealed.

WHERE ARE WE?

• Has the updated information changed your approach to the scenario?
• Think about what controls you could put in place to avoid a scenario like this.

​

​

47

SCENARIO UPDATE

• Two under age student interns are rumored to be the culprits.
• When questioned, they admit that they located a sticky note with the employee’s username and password, which they used to log in to change the accounts.

​

​

​

48

SCENARIO UPDATE

• The interns said that they also accessed the employee payroll systems, including a database of employees that listed names, addresses, SSNs, employee ID numbers, etc.
• Investigation reveals that the students changes grades of student athletes who had been placed on academic probation and made ineligible to play in upcoming games because of low grades.

​

​

​

49

DATA BREACH SCENARIO

50

10 Minutes

• Two student interns are rumored to be the culprits.
• When questioned, they admit that they located a sticky note with the employee’s username and password, which they used to log in to change the accounts.
• The interns said that they also accessed the employee payroll systems, including a database of employees that listed names, addresses, SSNs, employee ID numbers, etc.
• Investigation reveals that the grades of students athletes on academic probation had been changed.

WHERE ARE WE?

• How has the updated information changed your approach to the scenario?
• What other information would be useful?

​

​

51

SCENARIO UPDATE

• The data the student interns accessed contain academic information for 10 students and 175 employees.
• Some of the account information has been published to the interns’ Facebook pages.
• News of the breach has leaked out. You are receiving calls from parents and employees asking if their data/their student’s data were accessed or altered.

​

​

52

DATA BREACH SCENARIO

• The news of the breach is out and you must brief the press, the community, and stakeholders.
• Your spokesperson will give a brief press conference to address the issue and take questions.
• In the audience are reporters from local and national media, as well as parents, employees, privacy advocates, and activists.

​

​

53

10 Minutes

DEVELOP A COMMUNICATION PLAN

• Determine types of communications that need to be developed (both internally and externally).
• Determine methods for disseminating information.
• Assign roles for communication.
• Anticipate questions that are likely to arise and draft/vet responses.

54

DISCUSS UPDATES & DEVELOP A PR PLAN

• Determine types of communications that need to be developed (both internally and externally).
• Determine methods for disseminating information.
• Assign roles for communication.
• Anticipate questions that are likely to arise and draft/vet responses.

​

​

55

15 Minutes

• The data the interns accessed contain financial information for 10 students and 175 employees.
• Some of the account information has been published to the interns’ Facebook pages.
• News of the breach has leaked out. You are receiving calls from clients and parents employees wanting to know what data were accessed/altered.

​

​

PRESS CONFERENCE

• The news of the breach is out and you must brief the press, the community, and shareholders.
• Your spokesperson will give a brief press conference to address the issue and take questions.
• In the audience are reporters from local and national media, as well as employees, parents, clients, privacy advocates, and activists.

​

​

56

Where Are We?

• How did it go?
• Was your message received well?

​

​

57

DEVELOP AN INCIDENT RESPONSE PLAN

• Use your notes from the scenario discussion.
• Identify an incident response team (e.g., CIO, Data Coordinator, IT Manager, legal counsel).
• Outline the steps to identify the source of the breach, catalog the data affected, and identify how it occurred.
• Should you involve law enforcement? When? What legal requirements exist?
• What preventative corrective actions should you implement?

​

​

58

DEVELOP AN INCIDENT RESPONSE PLAN

• Use your notes from the scenario discussion.
• Identify an incident response team (e.g., CIO, Data Coordinator, IT Manager, legal counsel).
• Outline the steps to identify the source of the breach, catalog the data affected, and identify how it occurred.
• Should you involve law enforcement? When? What legal requirements exist?
• What preventative corrective actions should you implement?

​

​

59

10 Minutes

UNVEIL YOUR RESPONSE PLAN

• Take us through your response plan. Include the who, what, when, and how of your activities.
• What were the driving factors in your decision-making process?
• Did your plan evolve as the scenario became more clear? How?
• How should you prepare to enable a prompt reaction to a potential breach?

​

​

​

​

60

WRAP-UP

• Lessons learned from press conference.
• Incident Response Plans – what might work for us?
• What have you learned? Will it affect your behavior?
• How could this exercise be more useful to you?

​

​

​

​

61

RESOURCE EXAMPLES

MORE RESOURCE EXAMPLES

HELPFUL ORGANIZATIONS

SIMPLE TIPS TO PROTECT PRIVACY

65

Student Data Privacy Law References

66

ED TECH DATA PRIVACY RESOURCES

Student Data Privacy Resources

General Data Privacy Resources

Geoff Belleau, Consultant

@EdTech_Cal

California Dept of Education

gbelleau@cde.ca.gov

70

Elizabeth Wisnia, Consultant

@cdeprivacy

California Dept of Education�ewisnia@cde.ca.gov