The UC Plans Compliance with New California Law
Identity Theft and Security Breaches to be Reported to Citizens

In 2002, a new consumer protection
law amending Section 1798 of the California Civil Code was passed.
This new law requires organizations, including institutions of higher
education, to notify California state residents when a computer
security breach has permitted the release of personal identity information
to unauthorized recipients. This kind of security breach is often
the result of intentional criminal attempts at identity theft. In
such cases, thieves break into computers maintaining personal information
(such as name, Social Security numbers, date of birth, driver's
license number, credit card numbers, ATM card numbers, telephone
calling card numbers) and use this information to create new credit
accounts and/or make purchases using the stolen identities.

Identity theft is a serious and growing crime. In the United States, an
estimated 160,000 persons fell victim to identity theft in 2002, oftentimes
with devastating consequences. When your electronic identity is stolen, you
could be forced to spend months or years clearing up your credit record. You
could be refused bank loans, denied rental housing, or arrested for crimes
you did not commit.

Because personal information is stored on many computing systems
on UC campuses, the University of California Office of the President (UCOP)
has recently issued guidelines to implement the provisions of this new law. These guidelines require each
campus to:
- Delegate authority to a person or group to take responsibility for campus
compliance with the new provisions of the California Civil Code.
- Identify computer systems where personal information is maintained. Personal
information is defined as a first and last name, in combination with
  - Social Security number,
  - California driver’s license number or identification number, or
  - Financial account number, in combination with any particular access
  code.
- Develop a process for identifying and investigating a security breach
that causes unauthorized release of personal information.
- Report computer security breaches involving personal information and related
remedial measures to UCOP. In addition, the campus must notify California
state residents of the personal information loss.
- Summarize the above four provisions into an implementation plan and submit
the plan to UCOP.

A large part of the campus compliance program for the Civil Code amendments
will focus on communicating the new requirements for system inventory, security
provisions and notification mandates to deans, vice chancellors, vice provosts,
senior management, and technical staff. To prepare UC Davis for the new requirement,
Chancellor Vanderhoef recently asked Robert Ono, IT Security Coordinator,
to coordinate the campus’ compliance efforts. Ono will work closely with all
deans, vice chancellors, and vice provosts to develop an implementation plan
and notification procedures for the campus, which will be submitted to
UCOP. The IT Security Coordinator will collect the required information and
report to UCOP (by July 1, 2003) on campus compliance with the new identity
protection law.

This new law serves as an important reminder for all of us to take every
possible measure to reduce the potential for identity theft. Protecting personal
information and securing access to systems and databases in which sensitive
information is stored are two important steps that can help minimize risks
of security breaches. Taking steps to protect your own personal information
is equally important (see the sidebar for practical tips).

SECURITY CHECKLIST:
How can you reduce your susceptibility to identity theft? The following
practices are suggested:
- Make Web purchases only from known and reputable stores – stores that
are likely to take protection of your electronic identity seriously
- When entering your personal information into a Web-based form, check to
see if the browser transmission is encrypted – look for a lock icon on the
browser border
- When prompted to enter a credit card number from a public telephone,
shield the dial-pad from casual view
- When asked to provide your personal identity information, ask if the request
is optional, how the information will be protected, and whether it will
be shared with another company
- Look for and read the privacy statement provided by a company seeking
personal information via the Web
- Periodically request a copy of your credit report from one of the major
credit reporting agencies, such as Equifax, TransUnion and Experian. Use
this information to confirm the accounts and account balances.