Thanks Eric!
From: Eric Bennick <ebennick@weber.edu>
Sent: Friday, June 30, 2023 8:07:14 PM
To: Dustin Udy <d.udy@utah.edu>
Cc: Jim Shakespear <shakespear@suu.edu>; ushe-iso@lists.dixie.edu <ushe-iso@lists.dixie.edu>
Subject: Re: [USHE-ISO] Acknowledgement of NSC breach
 
They weren't breached directly, it was one of their third parties (Pension Benefit Information, LLC) they share our data with. It's like finding a second cousin you didn't know about on you DNA test. There's no specifics yet,  but we're going to send notification to employees as well because we don't want people thinking that we only pay attention to students and not employees. 

I'm not a lawyer so don't take this as legal advise, the Utah State code for breach of student PII is 53B-28-5 and employee PII is 13-44-202. Student breach reporting doesn't have a residency requirement while the code governing employee data does. I don't think we'd use that as a reason not to tell them, but it may be relevant because any breach exposing PII of 500 or more Utah residents requires notification be sent to the new Utah Cyber Center. If we get a list of employees where 480 are local and 20 are remote workers living in other states, you wouldn't be obligated to send the details to cyber center. But, make sure to talk to your legal counsel first because I'm not qualified to provide legal guidance.



On Fri, Jun 30, 2023, 7:31 PM Dustin Udy <d.udy@utah.edu> wrote:
TIAA is new to me. Extra lame sauce.
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu>
Sent: Friday, June 30, 2023 5:14:55 PM
To: Jim Shakespear <shakespear@suu.edu>
Cc: ushe-iso@lists.dixie.edu <ushe-iso@lists.dixie.edu>
Subject: Re: [USHE-ISO] Acknowledgement of NSC breach
 
Thanks Jim! I've sent notices to the all the official TIAA contacts.  It appears that everyone decided to start the holiday early,  I only got messages back from vacation responders. All emails to NSC come back with a generic statement that they don't know anything.  They must have setup an auto response, because even asking unrelated questions comes back with the same response. 

On Fri, Jun 30, 2023, 5:06 PM Jim Shakespear <shakespear@suu.edu> wrote:
Feel free to look at the information we released today https://www.suu.edu/registrar/. Have a good weekend, and good luck!

We also did a similar template for TIAA. It isn't enjoyable not knowing the scope, so we are trying to cover the bases we can.

Jim

On Fri, Jun 30, 2023 at 4:58 PM Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:
A big topic of debate between our executives has been when to release a statement about the breach of National Student Clearinghouse. I wanted to let everyone that WSU will be sending notice to students today acknowledging the breach of NSC
A big topic of debate between our executives has been when to release a statement about the breach of National Student Clearinghouse. I wanted to let everyone that WSU will be sending notice to students today acknowledging the breach of NSC and assuring that we are seeking a resolution. It will not include any specific information about scope, impact,  types of data, or anything else we don't have definate confirmation of.  If anyone wants to share communication templates or talk about timelines, you're welcome to contact me any time.  I'll be on call and working this weekend.
--
USHE-ISO mailing list
USHE-ISO@lists.dixie.edu
https://urldefense.com/v3/__http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso__;!!BSlRHw!_hHy1-SQP7ob2VCKM8fGDM6jvc3iYl8lY_hnrwncYbpiL1qflhSMp1IsRPJFzBJM44F5EZjWNpbpdUNNydU91kFN$


--
suu.edu Jim Shakespear   |   Director of IT Security
INFORMATION TECHNOLOGY, SOUTHERN UTAH UNIVERSITY
ELC 513  |   (435) 865-8202