Cyber and Privacy Risk
The University of California, much like other institutions of higher education, is subject to a variety of unique exposures related to electronic information security and privacy. With 10 campuses and 5 medical centers, the University is faced with managing a multitude of systems and endless records of information for students, faculty, staff and patients.
The Office of Risk Services, in collaboration with Information Technology Services, has developed a program that has allowed the University to obtain an insurance product that promotes best practices in information security while providing insurance coverage for privacy, confidentiality and security breaches. This approach has been termed “Reverse Underwriting” because it allows the insurance market to underwrite to standards rather than to existing conditions, and it has created a new concept for the insurance industry.
The Office of Risk Services oversees various programs which are available to assist in the event of a loss involving Information Technology Hardware and Data. These programs involve purchased insurance policies with various retentions (deductibles).
Contact Gary Leonard by phone at (510) 987-9824 or by email.
Cyber Security and Privacy Liability Policy
Covers damages and claims expenses that the University is obligated to pay because of an actual or alleged privacy breach, confidentiality breach, security breach or online media activity.
Privacy and Confidentiality Breach Liability Coverage
All damages and claims expenses that the University becomes obliged to pay as a result of any claim made against the University (including a lawsuit or regulatory action) for an alleged:
- privacy breach; or
- confidentiality breach.
Security Breach Liability Coverage
All damages and claims expenses that the University becomes obliged to pay as a result of any claim made against the University (including a lawsuit or regulatory action) for an alleged security breach resulting in any covered loss.
Breach Notice Response Services Coverage
This may include expenses associated with any of the following:
- breach notice legal and forensic expenses;
- breach notice fulfillment services;
- credit monitoring services;
- identity restoration services; and/or
- call center services.
Breach notice legal and forensic expenses may include:
- fees incurred for the services of a third party computer forensics professional to conduct an investigation to identify whether notification-triggering data containing personally identifiable information was accessed by an unauthorized person as a result of a covered privacy breach; and
- attorney fees for outside counsel to determine whether any breach notice laws apply and the obligations of such applicable laws, and to assist you in complying with such laws, including but not limited to drafting notice letters to impacted individuals.
Online Media Liability Coverage
Any claim made against the University for an alleged online media activity resulting in a media hazard may be covered.
Conditions of Coverage
Coverage is dependent upon the existence and adherence to security protocols outlined in BFB IS-3 or any local procedures not in conflict with BFB IS-3 that have been implemented for critical systems. At a minimum, the following conditions must be in place for coverage to apply:
- maintain anti-virus and malware prevention solutions, including in student/dormitory settings, on any computer that is part of your computer system, and update the protection at regular intervals of no more than 30 days;
- maintain firewalls on any computer that is part of your computer system and connected to the internet;
- take reasonable security precautions when processing, storing, or transmitting credit card payment data or personally identifiable information;
- maintain, update and enforce written policies for information security, privacy, business continuity/disaster recovery and third party vendors;
- employ qualified information technology and network security representatives at each campus who will implement and maintain campus information technology, physical and network security policy;
- ensure scan testing is performed on at least a quarterly basis and performed against all internet facing servers of each campus. Such testing should be provided by NetDiligence or some other provider to be agreed by the University and insuring party;
- test SQL-based web applications for their ability to resist SQL injection through secure coding review and/or application-level scanning with AppScan or WebInspect products;
- ensure encryption is in place for ‘data at rest’ for at least student personally identifiable information (within production databases, file servers and backup tapes);
- ensure laptops are encrypted: any employee laptop with sensitive non-public data has whole-disk encryption in place;
- mandate encryption and/or enforced prohibition of storage of sensitive PII (personally identifiable information) or PHI (protected health information) on mobile USB devices;
- maintain and implement an ongoing patch management process to ensure timely patching of existing network systems and servers, as well as hardening of any new servers that are deployed;
- deploy an intrusion detection platform, implement and maintain a process to receive real-time alerts of suspected intrusions, and ensure a process exists to manually review the applicability of the warnings and act upon them in a timely manner;
- ensure a change management process is in place that periodically reviews access rights and credentials for anyone who is able to log on to campus servers and terminates those rights when needed;
- ensure segregation and isolation of PII/PHI servers holding or transmitting personally identifiable information via additional firewalling from the rest of the campus production and student networks;
- maintain user account provisioning with strong role-based assignments, password composition and change rules, effective termination procedures and periodic stale account reviews;
- maintain an incident reporting and response program that enables prompt escalation and management response for events reported by students, faculty and staff;
- ensure that a computer asset map is maintained that details network operations and assets owned, and underscores which servers house sensitive private data or personally identifiable information for students & alumni.
An independent third party assessor (e.g., NetDiligence) will review the circumstances surrounding the event and provide:
- Certification (at inception) of whether the security processes of the campus/department have been adequately implemented, and/or
- Confirmation (in the event of a loss) that the security processes were still in place and were adequately maintained at the time when the loss occurred.
In the event that the relevant campus/department/agent fails these assessments, insurance cover will either not incept or will be declined or materially reduced.
CLAIMS: Duties in the Event of an Occurrence, Claim or Suit
In the event of a privacy breach that may trigger a claim, campuses must follow their established local breach or incident response process or the UC Privacy and Data Security Incident Response Plan.
Campus risk management and/or the UCOP Office of Risk Services must be notified as soon as possible. If the privacy breach triggers an obligation for the University to comply with breach notice laws, the University has resources available to assist with breach notice response services and incident response and loss control information.
Campus Risk Management and/or UCOP Risk Services will notify the University’s insurance broker or the respective insurance company’s Claims Representative as soon as possible. Documentation of the incident, including log files, is essential. Be sure to follow the procedures in the established local breach or incident response process or the UC Privacy and Data Security Incident Response Plan.
Physical loss or damage to University hardware, software or data would be covered under the University’s Property Program, subject to the standard terms and conditions of the current Property Insurance Policy.
Resources, Publications and Presentations
- Article from ComputerWorld: Hospital turns away patients after "virus" disrupts network
- The Information Technology Services web site contains information pertaining to the University’s policies, programs, resources and tools pertaining to IT Security.
- UC & Alliant Insurance Services partner to develop a website for the cyber program.
- National Cyber Security Alliance
- Homeland Security
- Multi State Information Sharing & Analysis Center
Breaches
The below link provides a summary of the number of healthcare data breaches, causes of breaches and remedial actions as identified by Health and Human Services (HHS) in its 1st Annual HITECH report to Congress. The time period under review is September 23, 2009 to December 31, 2010. Theft is still the number one cause for loss followed by intentional unauthorized access, human error and loss of electronic media or paper records.
http://www.dataprivacymonitor.com/hipaahitech/annual-hitech-report-to-congress/
