
Re: [unisog] RE: Outside Penetration Testing and FERPA

Subject: Re: [unisog] RE: Outside Penetration Testing and FERPA
Date: Thu, 2 Dec 2004 09:14:27 -0500





I would think that if any HIPAA protected data might be involved, the
institution should have a business associate agreement signed with you to
protect any of that data that you might encounter. GLBA would seem to want
a privacy addendum with your contract to specifically cover GLBA protected
data (such as credit card info). FERPA just wants to make sure that the
data is not disclosed while the other two acts seem to mandate specific
agreements with all third parties that spell out the required protection of
affected data. These are all items that the institutions should require of
your organization when you enter into a contractual relationship with them.

For our situation, we would have no problem with third party security
testing by a reputable firm as long as the appropriate agreements were in
place.

      Greg

Gregory A. Seibert, CISM
Director of Security and Compliance
Suite 384 Library
Kent State University
www.security.kent.edu
330-672-0383 (Voice)
330-672-9374 (FAX)



From: "Keith T. Morgan" <keith.morgan@terradon.com>
Sent by: unisog-bounces@lists.sans.org
To: Ann Ymous <ann.ymous@gmail.com>, Pen Test List <pen-test@securityfocus.com>, Security Mgmt List <security-management@securityfocus.com>, Unisog <unisog@lists.sans.org>
cc:
Date: 12/01/2004 06:02 PM
Subject: [unisog] RE: Outside Penetration Testing and FERPA
Please respond to: UNIversity Security Operations Group




IANAL, YMMV, and any other applicable caveat under any applicable
jurisdiction to the extent permitted by law....

If *you* have recovered it, that's one thing. If you've uncovered
evidence that unauthorized parties have accessed the information, that's
another.  The organization should treat you as a contractor.  When we do
penetration testing on HIPAA covered entities, we word our contracts
such that any PHI we uncover, we immediately notify the customer, and
present corrective actions, destroy any copies we have, don't disclose,
etc...  We also have to jump through their authorization hoops prior to
the engagement, as we always assume that eventually, we'll dig up some
PHI.

They should have required language like this from you in your contract.
If they didn't, the courts would likely treat you as a contractor or
employee.  Uncovering it is one thing.  Posting it on /. is another.  As
long as you immediately notify them of the situation, and EXACTLY what
was disclosed and to whom, you should be ok.  Also, take reasonable
precautions to protect whatever FERPA covered information you have in
your possession from further unauthorized disclosure.

I wouldn't be surprised if your attorneys are baffled by the whole
situation.  Case law on FERPA, HIPAA, SOX et al is all but non-existent
right now.

I guess my point is, that by nature of your contract with the customer,
you may be authorized to see the information (albeit possibly not
by-the-book/letter-of-the-law).  You do have a contract, right?  This is
an authorized pen-test, isn't it?

These discoveries would appear to be a violation of FERPA and place
the institution in jeopardy of losing federal funds.

I have discussed this matter with our attorneys and they have not
found an exemption or loophole in FERPA that would allow for
third-party security testing, that may result in the disclosure of
student information.


_______________________________________________
unisog mailing list
unisog@lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
