It's Not Just FERPA: Privacy and Security Issues in Higher Education
Alisa Chestler, Washington, D.C.
Eric Setterlund, CIPP/US, Chattanooga, Tennessee
Today's Topics
- Our world
- What kind of information are we concerned about?
- What is privacy and information security?
- What is a data breach?
- What laws impact higher education institutions?
- What should you do?
Our World
2013 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC
Sensitive Information is What We Are Concerned About
- Educational records
- Employee health information (for group health plans)
- Employment files
- Accounting and financial reporting information
- Company trade secrets (products, customers, business strategies, etc.)
- Legal files: litigation, patent, M&A, etc.
- Network user IDs and passwords
- Student financial information
- Credit card information/account information
What is Privacy and Information Security, Anyway?
Two sides of the same coin: ensuring confidentiality of information. Privacy is the objective; security is the means.
Applicable Regulatory Regimes
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI-DSS)
- Family and Medical Leave Act
- Americans with Disabilities Act
- 42 C.F.R. Part 2
- Privacy Act
- FCRA/FACTA
- Genetic Information Nondiscrimination Act
- CAN-SPAM
- Library Patrons Acts?
- Applicable destruction laws?
Can't forget about state laws.... 47 states with laws.
A Case Study
A student is a victim of sexual assault on campus. She is unsatisfied with the university's response and decides to sue the university. Should the university access the student's psychotherapy records from the student health center?
Legal Implications
- Title IX
- FERPA or HIPAA? Treatment records/educational records
  http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaaguidance.pdf
  http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/518.html
- Any applicable state laws limiting disclosure of psychotherapy records?
Legal Implications (continued)
What's in your notice of privacy practices?
Surveillance
What is a Data Breach?
A data breach is the unauthorized disclosure or the unauthorized use of information.
The Culprit?
EMPLOYEES!
Risk Management Considerations: Data Breach
- High cost of data breach response (potentially astronomical):
  - forensic consultant
  - breach notification
  - call center
  - credit monitoring
  - legal fees
  - PR costs
  - government investigation costs
  - civil monetary penalties and fines
  - regulatory fines
- Reputational harm: public relations fiasco
- About $200 per person per incident
Off-Campus Information
Employees removing information from campus:
- Laptops, iPhones and iPads at home or sitting around in airports, hotels, bars and unoccupied cars
- Forgotten thumb drives in sock drawers
- Personal email and personal cloud storage accounts (e.g., Dropbox)
- All of the above for former employees who didn't return or destroy the information
Third parties holding or accessing information under contract:
- Physical files stored offsite
- Service vendors
- Virtual data rooms
- IT consultants
- Software-as-a-service (SaaS) vendors
Other:
- Discarded computers*
- Copiers returned after lease expired*
* hopefully wiped of data
How should you address the issue?
Essential Elements of Any Compliance Program
- Designated responsible person/committee (accountability)
- Policies and procedures (documented expectations)
- Training and awareness (understanding of expectations)
- Open communication (channels to report compliance concerns)
- Monitoring (mechanisms to discover non-compliance)
- Enforcement (sanctions for non-compliance)
- Response plan (procedures to address effects of non-compliance)
Some of the Required Policies and Procedures
Privacy:
- Documented policies and procedures
- Formal training and security awareness program
- Sanctions for non-compliance
- Permitted and prohibited uses and disclosures
- Minimum necessary use
Security:
- Security management program
- Periodic security risk analyses
- Role-based access
- Physical security protocols
- Technical security protocols
Fundamentals of Security Risk Management: ASSESSMENT and CONTROL
Options for Dealing with Security Risks
Three options for addressing any given risk:
- Mitigate it: implement controls to reduce the likelihood and/or impact of the threat (i.e., abate the vulnerability)
- Transfer it: put the risk off to an insurer or contract party
- Accept it: if the likelihood and impact of the threat are limited, or if the cost to mitigate or transfer is too high
Can only address risks that have been IDENTIFIED and ASSESSED.
The Risk Assessment
- Cannot control a risk that is not identified
- We can always lock down information so tightly that no one can use it, but we cannot implement appropriate controls without understanding the risk to be controlled
- Security risk analysis: focus attention and resources (i.e., controls) on the threats representing the GREATEST TOTAL RISK
The Risk Assessment Process (diagram)
Set your boundary → Threats, Vulnerabilities, Expected Loss → RISK → Implement appropriate controls
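As an added example that is not part of the presentation, the register below applies the Threats, Vulnerabilities, Expected Loss framing and the mitigate/transfer/accept options to a few constructed risks, using the $200-per-person breach cost cited earlier; the entries, field names, probabilities and control costs are all illustrative assumptions.

```python
from dataclasses import dataclass

# Breach response cost per affected person, the figure cited on the slide.
COST_PER_PERSON = 200.0


@dataclass
class Risk:
    """One row of a risk register (field names are this example's own)."""
    name: str
    threat_likelihood: float  # annual probability the threat materializes (0..1)
    vulnerability: float      # probability the threat succeeds given current controls (0..1)
    records_exposed: int      # individuals whose records would be exposed
    mitigation_cost: float    # annual cost of the controls that would abate the vulnerability
    transfer_cost: float      # annual cost to shift the risk to an insurer or contract party

    def expected_loss(self) -> float:
        # Threat likelihood x vulnerability x loss per event gives the annualized expected loss.
        return (self.threat_likelihood * self.vulnerability
                * self.records_exposed * COST_PER_PERSON)


def disposition(risk: Risk, accept_below: float) -> str:
    """Choose mitigate, transfer or accept using the slide's three options."""
    loss = risk.expected_loss()
    if loss < accept_below:
        return "accept"  # likelihood and impact are limited
    cheapest = min(risk.mitigation_cost, risk.transfer_cost)
    if cheapest >= loss:
        return "accept"  # cost to mitigate or transfer exceeds the risk itself
    return "mitigate" if risk.mitigation_cost <= risk.transfer_cost else "transfer"


def rank_by_total_risk(risks):
    """Order the register so the greatest total risk is handled first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


# Constructed sample register; every number here is illustrative.
REGISTER = [
    Risk("unencrypted laptop with student financial records lost", 0.3, 1.0, 5000, 5_000, 40_000),
    Risk("SaaS vendor breach of hosted employee files", 0.1, 0.5, 20000, 150_000, 60_000),
    Risk("forgotten thumb drive with ten employee files", 0.2, 1.0, 10, 2_000, 5_000),
]

if __name__ == "__main__":
    for r in rank_by_total_risk(REGISTER):
        print(f"{r.expected_loss():>12,.0f}  {disposition(r, 1_000):<8}  {r.name}")
```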
Risk Mitigation Strategies: Internal Controls
PHYSICAL SAFEGUARDS, TECHNICAL SAFEGUARDS, ADMINISTRATIVE SAFEGUARDS
Risk Mitigation Strategies: Internal Controls, Physical Safeguards
Examples of threats:
- external environment (lightning, tornado, flood, riots, power outage)
- internal environment (water leaks, fire, excessive heat or humidity)
- human threats: intentional (theft, vandalism, espionage); inadvertent (loss, accidental erasure, unintended change)
Examples of controls:
- locks on doors, file cabinets, etc.
- ID badges and visitor escorts
- physical intrusion detection systems
- redundant power and HVAC systems
- fire suppression systems
- back-ups
Risk Mitigation Strategies: Internal Controls, Technical Safeguards
Examples of threats:
- access by unauthorized persons
- inability to discern improper access or transmission
- unauthorized or unintended changes to or deletion of information
- data corruption
Examples of controls:
- strong passwords
- firewalls
- access and activity logs
- anti-virus software
- network intrusion detection systems
- encryption, encryption, encryption
Encryption (for data at rest and in transit) cures many ills.
Risk Mitigation Strategies: Internal Controls, Administrative Safeguards
Examples of threats:
- inadvertent disclosure or loss of information
- improper use of information
- unknown unknowns
Examples of controls:
- appropriate policies and procedures are the foundation
- key principles of least privilege, minimum necessary, and fail securely
- security awareness program (training, re-training and reminders)
- monitoring for violations and sanctioning violators
- regularly performed security risk analyses
Largely the domain of the legal/compliance function rather than IT.
Risk Mitigation Strategies for Service Providers
Due diligence: what institutions should do before handing over client info
Questions to ask:
- Designated privacy and security officer(s)? When designated?
- Formal, written privacy and security policies and procedures?
- Security risk assessment? Performed by a qualified third party? When?
- Any use of downstream hosting vendors or data centers?
- Any security-related audits or certifications? Same question for any downstream service provider.
- Ever experienced a data breach involving personal information of individuals?
- Maintain cyber-liability insurance? What coverage(s)?
Also:
- Examine privacy and security policies and procedures
- Talk with privacy and security officer(s)