Electronic Security Protocol
The Special Master has significant concern about the storage and use of the highly sensitive student data that will be produced by CDE to the Plaintiffs. Loss or compromise of the produced data could result in the notification of literally millions of persons under state and Federal breach notification requirements, at a cost of millions of dollars. Such notification could also affect persons who are now resident in other states, and trigger breach notification laws in those states.
As a pre-condition of receiving the data:
1. Plaintiffs’ counsel will carry out a third party risk assessment of their IT infrastructure and protocol for storing, transmitting and using the data in question. Specific areas of concern include the security of Plaintiff’s counsel computer network and devices; the sharing of data between counsel and retained experts; the storage of sensitive data at the business premises of Plaintiffs’ counsel; the transmission and sharing of data among Plaintiffs’ counsel via email, network shares, or other applications.
2. Plaintiffs’ counsel shall meet and confer with the Special Master, and the Special Master shall review and approve the scope of the third party risk assessment, its proposed safeguards, and its implementation (#2 below). Such safeguards may include full disk encryption of all devices used to store or transit sensitive data; logging of access to the sensitive data; and restrictions of access to the data among Plaintiffs’ counsel and contractors.
3. Following the risk assessment, Plaintiffs’ counsel will implement the safeguards identified in the risk assessment, and the Special Master shall review the correct implementation.
4. Irrespective of the risk assessment and its safeguards:
a) Plaintiffs are to maintain a record of all computer devices used to store or access the sensitive data;
b) A record of all persons granted access to some or all of the sensitive data, the extent of such access and the date period of such access;
c) One person at Plaintiffs’ counsel must assume responsibility for ensuring the confidentiality of any personally identifiable information provided in discovery, and for ensuring that all undertakings regarding security are implemented and enforced;
d) Plaintiffs must maintain a current listing of the names and positions of those persons who may have access to personally identifiable information provided in discovery;
e) All sensitive data transmitted by CDE to Plaintiffs shall be on fully encrypted external hard drives of at least 128-bit or 256-bit Advanced Encryption Standard (AES), key with the key stored and transmitted separately from the hard disk;
f) Plaintiffs are to confirm deletion of any extraneous copies of sensitive data (e.g. once data is uploaded from external devices to a fully secure server or computer device). At the conclusion of the litigation, Plaintiffs are to undertake to delete all sensitive data (subject to any legal requirements) or to place such data into secure storage with a third party.