resource guide incident final

7/30/2019 Resource Guide Incident Final

1/22

Incident Findings and Recommendations

for Data Exposure through the Resource Guide for the 63rd

Legislative Assem

Dick Jacobson, IT Security Officer, North Dakota University System

4/18/2013

Incident Summary

Student data, including some potentially identifiable information, was exposed through an

informational document prepared for the ND Legislature. The Resource Guide for the 6

Assembly (http://www.ndus.edu/uploads/reports/114/2013-resource-guide.pdf), in whic

exposed, was compiled over a period of months during the fall of 2012 and the PDF was c

made available the second week of January for the Legislative session.

Background Information

The data that was exposed was used to create several charts in the Resource Guide and

the guide as underlying data on those charts. The specific charts where the data was ex

Section 5 on pages 10.1 through 10.4 and included as Attachment E on this document.

The application used to create these charts was from Tableau Software. The evaluation o

application was begun on October 23, 2012 with Linda Baeza Porter, the NDUS Reporting

and the report creator for this section of the Resource Guide, evaluating Tableau Deskto

Cameron Battagler, an IT Specialist for NDUS SITS, evaluating Tableau Server. Two Tablea

licenses were purchased on November 15, 2012 in order to develop the information for th

Guide. In addition, 10 Tableau Server licenses were purchased for an unrelated project in

Chancellors Office. Linda Baeza Porter, as the report creator, did not discuss the method

publish the materials in Tableau Desktop, for the Resource Guide, prior to publishing the

materials were eventually published to the Tableau Public service, using Tableau Desktop

report creator being aware that the underlying materials were being made publicly avai

for the software (http://www.tableausoftware.com/public/faq) states that the data is mad

published, but Linda Baeza Porter stated that when publishing the report, no warnings ab

were noticed by her. There is a Tableau service (Public Premium) that can be licensed tha

the report creator to keep the underlying data confidential; but Linda Baeza Porter said sh
http://www.tableausoftware.com/public/faqhttp://www.tableausoftware.com/public/faqhttp://www.tableausoftware.com/public/faqhttp://www.tableausoftware.com/public/faq


2/22

On Tuesday, March 19, 2013, Rosi Kloberdanz, the Assistant CIO for External Relations, an

Jacobson, the NDUS IT Security Officer, were advised by the NDUS CIO, Randall Thursby, t

the background data that was used to create portions of the document were being expos

had been alerted to this by the NDUS Director of Internal Audit and Risk Assessment, Bill E

Jacobson, Rosi Kloberdanz and Cameron Battagler began to determine what data was exp

to remove the exposure. This was complicated somewhat because a portion of the Table

infrastructure was experiencing problems and unavailable at the time. Cameron Battagle

copy of the data he was able to find, in order to document which data was exposed, but d

the necessary permissions to delete the data. The same morning, about 10:00 am, Rick An

Director of Infrastructure and Operations, had been made aware of the issue by Linda Bae

had been earlier contacted by Michael Kubisak, an Institutional Research Analyst from Bis

College. Rick Anderson contacted Rosi Kloberdanz and Dick Jacobson around 12:30 pm. A

conversation to merge our knowledge at that time, we determined who would take what

the problem data unavailable. Dick Jacobson contacted Tableau Software to have them b

could and Cameron Battagler assisted Linda Baeza Porter in removing data, finishing abou

the end of the workday on March 19, all public access to the data had been removed. On

22, Linda Baeza Porter submitted an After Action report to Josh Riedy and Rick Anderson

advised of the report on March 28, Dick Jacobson asked for and received a copy of the rep

Anderson. That report is included as Attachment D

Subsequent scans/searches have not turned up any additional data exposed in the Resou

Nor have we found any data cached on the Internet by search engines.

The NDUS CIO convened a meeting on the afternoon of March 26 to begin the discussions

happened and what is needed to avoid this in the future. On that date Dick Jacobson requ

datasets exposed in order to determine the scope of the exposure and what follow up act

necessary. What began as a single dataset on March 26 expanded, by the evening of Apri

datasets that were exposed either in their entirety or in part. Because we cannot say for

much of the data was exposed, we must assume these were exposed in their entirety and

accordingly.

Data Elements Exposed

The data elements exposed are listed in Attachment A, grouped by dataset; definitions fo

elements are listed in Attachment B; and the NDUS Directory Information definitions requ

Family Education Rights and Privacy Act, and listed in NDUS Procedure 1912.2, are include

Attachment C


3/22

Datasets 2 and 3 each contain Emplid and Institution among their data fields, but no other

identifiable information. Again, while much of the data is not Directory information, it pro

be put together to identify an individual.

Dataset 4 contains Emplid but no other information specific enough to an individual to be

uniquely identify a person.

While the Name and Addresses of students are listed as Directory Information in NDUS Pr

1912.2, Emplid is not defined as Directory Information. Thus each record exposed is a rele

Directory Information from an individuals Student Record. Questions arose about how m

students had expressed the desire to have their Directory Information also not released, a

under FERPA, and how many of the students were also employees of the University Syste

and therefore possibly subject to privacy laws and policies specific to employees. From ea

datasets those numbers are:

Students requesting Students also

additional protection employees

Dataset 1 29 7919

Dataset 2 0 18

Dataset 3 22 2819

Dataset 4 6 777

Of the 57 total students requesting non-release of their Directory Information there are 3

duplicated records. For those students that are also employees, the 11,533 records repre

individuals.

Note that emplids 0315052 and 0276646 exist in both datasets 3 and 4. We were unable

these students in the current student data we used to extract some of the other informa

report. Upon further examination, 0276646 was last enrolled at UND in Spring of 2005 anwas enrolled at LRSC for Fall of 2010 but dropped before the semester started and was en

MaSU for Summer of 2010. Neither appears to be a current enrolled student and becau

person exists in our search of current data, we have no indication if they have requested a

protection under FERPA or if they are also employees.


4/22

However, in looking at specific policies and procedures for employees, from Procedure 19

employee requested privacy in HRMS, then the address cannot be released, and from Pol

Procedure 1912.3, the employees emplid is not declared exempt so that information may

exposed.

Likewise, for students, the emplid is not defined as Directory information in Procedure 19

cannot be exposed. And according to Policy 1912 and Procedure 1912.2, the students can

desire that the Directory Information not be released, as 32 students have done, meaning

restrictions on some of the information exposed.

Data Exposure and Notification

Exposure of the emplid itself could be interpreted as requiring notification to all those ind

affected. However, FERPA does not mandate notification to the students in this incident.

The Federal Register athttp://www2.ed.gov/legislation/FedRegister/finrule/2008-4/1209

[[Page 74844]]

says:

Finally, if an educational agency or institution has experienced a theft of files or co

equipment, hacking or other intrusion, software or hardware malfunction, inadverte

data to Internet sites, or other unauthorized release or disclosure of education recor

Department suggests consideration of one or more of the following steps:

Report the incident to law enforcement authorities.

Determine exactly what information was compromised, i.e., names, addresses, SS

numbers, credit card numbers, grades, and the like.

Take steps immediately to retrieve data and prevent any further disclosures.

Identify all affected records and students.

Determine how the incident occurred, including which school officials had control

responsibility for the information that was compromised.

Determine whether institutional policies and procedures were breached, including

organizational requirements governing access (user names passwords PINS etc ); st
http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.htmlhttp://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.htmlhttp://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.html


5/22

Notify students that the Department's Office of Inspector General maintains a We

describing steps students may take if they suspect they are a victim of identity theft a

http://www.ed.gov/about/offices/list/oig/misused/idtheft.html;

andhttp://www.ed.gov/about/offices/list/oig/misused/victim.html.

FERPA does not require an educational agency or institution to notify students that

from their education records was stolen or otherwise subject to an unauthorized rele

it does require the agency or institution to maintain a record of each disclosure. 34 C

(However, student notification may be required in these circumstances for postseconinstitutions under the Federal Trade Commission's Standards for Insuring the Security

Confidentiality, Integrity and Protection of Customer Records and Information (``Safe

in 16 CFR part 314.) In any case, direct student notification may be advisable if the co

data includes student SSNs and other identifying information that could lead to ident

The information exposed in this incident does not appear to require notification under the

Rule mentioned. Even though notification is not required by FERPA, we could choose to n

exposed individuals or we could choose to notify those individuals that have expressed th

protect their Directory Information.

Also, for employees, since the data was derived from the individuals student record, rathe

individuals personnel record, ND Century Code section 44-04-18.1 would seem to indicate

would not be mandated because of an individuals incidental status as an employee.

In any case, any decision to notify individuals of this incident should be made by the NDUS

compliance officers after consultations with the NDUS CIO.

Recommendations

We need to examine our policies, procedures and processes in order to avoid a recurrenc

moving forward. We need to look closely at all processes and procedures, at the NDUS leinternal to SITS, that address data protection and confidentiality issues. Education of all s

regard to security of information and individual responsibility for the same must be a part

projects and plans. The NDUS should also review policies and guidelines for the preparatio

for publication -- with a special focus on data protection, individual responsibility and proj
http://www2.ed.gov/about/offices/list/oig/misused/idtheft.htmlhttp://www2.ed.gov/about/offices/list/oig/misused/idtheft.htmlhttp://www2.ed.gov/about/offices/list/oig/misused/victim.htmlhttp://www2.ed.gov/about/offices/list/oig/misused/victim.htmlhttp://www2.ed.gov/about/offices/list/oig/misused/victim.htmlhttp://www2.ed.gov/about/offices/list/oig/misused/victim.htmlhttp://www2.ed.gov/about/offices/list/oig/misused/idtheft.html


6/22

Attachment A

Dataset 1

Acad Career

Acad Group

Acad Level

Acad Plan

Acad Program

Address

Admit Term

Admit type

Appl Grad Dt

Appl Last Sch Attend

Appl Number

As of Date

Citizenship

City

Citzn Country

Country

County

Emplid

Ethnic Descr

Inst

Institution

Level Descr

Military Status

NDUS Grad HS

NDUS HS Grad Dt

Name

Number of Records

Plan Descr

Postal

Program Descr

Res Addr County

Res Addr State

Res Addr Type

Res Country

Res State

Residency

State

Term


7/22

Dataset 2

Acad Career

Emplid

CIP Code

CIP Code Category

CIP Code Description

CIP Code Category Description

Completion Term

Degree Nbr

Degree

Degree Level

Institution

Plan description

Program Description

Program New

Program Inactive

Dataset 3

Acad Career

CIP Code

CIP Code Category



Completion Term

Degree Nbr

Degree

Emplid

Institution

Plan Description

Program Inactive

Program New

SOC Code

SOC Code Description

SubPlan Description

Term


8/22

Dataset 4

Acad Career

CIP Code

CIP Code Category



Completion Term

Degree

Degree Class

Degree NBR

Emplid

Institution

Institution Name

Institution Tier

Number of Records

Plan Description

Program Description

Program Inactive

Program New

Term Description


9/22

Attachment B

Field Definitions

Acad Career - A grouping of students by academic level, such as Undergraduate and Gradu

Valid Values

UGRD - undergraduate

GRAD - graduate

PROF = professional

LAW - Law

MED - Medical School

CNED - Continuing Education

Acad Group - Academic Subdivisions of the Institution.

Some examples are:

College of Business

Division of Vocational Education

Department of Health and Wellness

Acad Level - A grouping of students within a career defined by credit hours earned and ins

policy.

Valid Values

10 - Freshman

20 - Sophomore

30 - Junior

40 - Senior

GR - Graduate

P1 - First Year Professional

P2 - Second Year Professional

P3 - Third Year Professional

P4 - Fourth Year Professional

Acad Plan - Academic Plans are majors and minors.

Plans are approved by SBHE and are located in the Academic Plan Table referenced in the


10/22

Acad Program - Designated major/program (area of study) in which a student is working.

Address- The location where the student may be reached. This file uses the address usag

Permanent, Home, Mailing, Dorm, Campus.

Admit Term - The Term associated with the students Application, admission and or matric

institution. The term a student is admitted to a program.

Admit type - Signifies a type of student that applies for admission to an institution.

Values Vary by Institution and Career

COL - Collaborative Student

DC - Dual Credit Student

ERE - Early Entry Student

FYR - First Year Student

NON - Non-Degree Student

RDM - Readmit

TRN - Transfer StudentTRT - Transient

Appl Grad Dt Graduation Date associated with the last school attended on the students

admission.

Appl Last Sch Attend The school the student declared as the last school (high school, co

university, etc.) the student attended prior to applying for admission to the institution.

Appl Number - Automatically generated number assigned in CS to the specific application

individual.

As of Date - The date the data was extracted into the static history tables.

CIP Code - Classification of Instructional Program codes are Federal codes used to support

tracking, assessment, and reporting of post-secondary fields of study and program comple

CIP Code Description - Description of the classification code.

CIP Code Category - Matrix of CIP area of study.

CIP Code Category Description - Description of that Matrix.


11/22

Citzn Country - The student's current citizenship country.

Completion Term - Term degree was awarded.

Country The country associated with the address.

County The county associated with the address.

Degree - An award conferred to a student signifying that requirements have been comple

are grouped within careers.

Degree Class Type of degree. Some examples are:

Associate

Bachelors

Certificate

Degree Nbr - Degree number awarded.

Degree Level - The award level of the degree.

Emplid - This is the unique identification number assigned to any person (student/employ

record in PeopleSoft.

Ethnic Descr - Ethnicity - The race group or groups with which a person identifies or having

identified as valid values for IPEDs reporting.

Gender - The gender code indicates what the sex of the employee or student is.

Valid Values

These are consistent across the University System and State Government.

F = Female

M = Male

U = Unknown

Group Descr The description associated with the Academic Group.

Inst - The campus that is tied to the person and uniquely identifies the enrollment institut

Institution - The campus that is tied to the person and uniquely identifies the enrollment


12/22

Two year campus

Research campus

Level Descr - The description for Academic Level.

Military Status - Military status is current. Status relates to the Federal Veterans Services

Reporting requirements.

NDUS Grad HS The high school the student attended and graduated from as determined

school pick created in Campus Solutions. The selection order includes: 1. GED completion

graduation data; 3. External education page data; 4. NDUS High School application data; 5attended on the application for admission; 6. Last school attended on prospect data in Ca

Solutions; 7. The high school declared on the previous PeopleSoft online application.

NDUS HS Grad Dt The date recorded in Campus Solutions as the day the student gradua

school. The selection order includes: 1. GED completion; 2. K-12 graduation data; 3. Exter

page data; 4. NDUS High School application data; 5. Last School attended on the applicatio

admission; 6. Last school attended on prospect data in Campus Solutions; 7. The high scho

the previous PeopleSoft online application.

Name - Consists of Last-name, first-name middle-name (if applicable).

Number of Records Number of records in this dataset for this emplid.

Plan Descr The description of the Academic Plan.

Plan description - description of the students plan.

Postal The zip code associated with the address.

Program Descr - The description of the Academic Program.

Program Description - Description of the students program.

Program New - Is the program New Y/N.

Program Inactive - is the program inactive Y/N.

Res Addr Country The country associated with the students address type chosen in the f

address usage order: 1. PE permanent; PA Parent; MA Mailing; HO Home.


13/22

Res Country The country associated with the address reported on the Official Residency

Campus Solutions. The data from the row associated with the reported term is used.

Res State The state associated with the address reported on the Official Residency recor

Solutions. The data from the row associated with the reported term is used.

Residency - The official residency for tuition purposes. This is determined by State and Ins

SOC Code Standard Occupational Classification code as supplied by the U.S. Bureau of La

SOC Code Description The occupations in the SOC are classified at four levels of aggrega

the needs of various data users: major group, minor group, broad occupation, and detaile

occupation. Each lower level of detail identifies a more specific group of occupations.

SubPlan Description (Academic Subplan) - A group of courses within an approved acade

which is identified in an institutional catalog.

State The state associated with the address.

Term - The post-secondary academic year and term the data is tied to. The first two-digits

academic year while the last two-digits identify a specified term.

Term Description More readable term. Example: Fall 2011.

Total Credits - Displays the total number of units taken for progress. This total is used in St

Records to determine academic load. This field excludes audits.

Type - type of address field in Address. Address type used in the priority of Permanent, H

Dorm, Campus


14/22

Attachment C

Directory Information defined from Procedure 1912.2

1.Name (all names on record)2.Address (all addresses on record)3.E-mail address (all electronic addresses on record4.Phone number (all phone numbers on record)5.Height, weight and photos of athletic team members6.Date of birth7.Place of birth8.

Major field of study (all declared majors)9.Minor field of study (all declared minors)

10. Class level11. Dates of attendance12. Enrollment status13. Names of previous institutions attended14. Participation in officially recognized activities and sports15. Honors/awards received16.

Degree earned (all degrees earned)17. Date degree earned (dates of all degrees earned)

Photographic, video or electronic images of students taken and maintained by the institut


15/22

Attachment D

Linda Baeza Porter After Action Report

After Action

On TuesdayMarch 19, 2013 I received an IM from Michael Kubisak at Bisma

telling me that there was student information to include emplids connect to

interative graphs in the Legislative Report published at the beginning of the

This document and it linked interactive charts through the tableau softwaretested the charts prior to release but missed a link that Mr. Kubisak found.

I took the following actions

Notified both Josh Riedy and Aimee Copas. Called Deanna Daily and Asked her to remove the document contain

links to the website. Contacted Tableau to ask for assistance. Then with the help of Rick Anderson began to trouble shoot and ens

of the information was taken down. Mitigating as much as possible.

At this time the risk of student information actually being compromilow. This report had very specific audience, Legislators. The level

down that needed to happen to get to the information was significanonly report of this information in my purview was from Mike Kubisa

Subsequent conversations revealed that Randall Thursby CIO was wfrom a different angle but has not provided me with any information

The information was still in many ways directory but did include unenrolled.

The only outlying information would be that if someone down loadeactual student breakout into a paper or electronic spreadsheet on th

computer.


16/22

SLOW DOWN,.Please find attached the screen shots of the process of publishing


17/22


18/22


19/22


20/22


21/22


22/22

resource guide incident final

Documents