Does Your Campus Need a Chief Privacy Officer - PowerPoint PPT Presentation

Loading...

PPT – Does Your Campus Need a Chief Privacy Officer PowerPoint presentation | free to download - id: 148d85-YTRlM



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Does Your Campus Need a Chief Privacy Officer

Description:

Steve will describe information privacy from a legal perspective, with an ... Or: 'Our marketing people, who wrote this, are idiots.' Contract Law. 12. August 14, 2008 ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 37
Provided by: dennis209
Learn more at: http://net.educause.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Does Your Campus Need a Chief Privacy Officer


1
Does Your Campus Need a Chief Privacy Officer?
  • Dennis Devlin, Chief Information Security
    Officer,
  • Brandeis University
  • Steven J. McDonald, General Counsel,
  • Rhode Island School of Design
  • ICPL 2008

2
Introduction and Plan
  • Steve will describe information privacy from a
    legal perspective, with an overview of privacy
    laws that apply to us (and not too much legalese)
  • Dennis will discuss privacy (and security) from a
    CISOs perspective and some things a university
    can do to begin to prepare for a privacy program
  • Everyone will then participate in a discussion,
    and prove that none of us is as smart as all of
    us when it comes to information privacy

3
Icebreaker
  • A quick quiz to test how well we all know the
    subject http//www.cdt.org/privacy/quiz/
  • What are some of the top information privacy
    concerns for your institution?

4
Perhaps the biggest problem faced by all
concerned is the fact that we live today in a
world of technologically recorded, maintained and
communicated information
  • Statement introduced during the debate on
    FERPA, 120 Cong. Rec. 36,532 (Nov. 19, 1974)

5
What is Privacy (Legally)?
"The right to be let alone the most
comprehensive of rights, and the right most
valued by civilized men." Justice Louis
Brandeis Olmstead v. U.S.
5
6
The Legal Basis for PrivacyA Crazy Quilt
  • U.S. and state constitutions
  • But no explicit reference in U.S. constitution
  • Fourth amendment (and state versions)
  • Statutory privacy
  • FERPA, HIPAA, GLB, and other general and topical
    privacy statutes
  • ECPA, data breach notification, and other
    computer-specific privacy statutes
  • But also federal and state FOIA laws
  • Contract law
  • The common law of privacy

7
Common LawInvasion of Privacy
  • Intrusion
  • "One who intentionally intrudes, physically or
    otherwise, upon the solitude or seclusion of
    another or his private affairs or concerns, is
    subject to liability to the other for invasion of
    his privacy, if the intrusion would be highly
    offensive to a reasonable person."
  • Public Disclosure of Private Facts
  • "One who gives publicity to a matter concerning
    the private life of another is subject to
    liability to the other for invasion of his
    privacy, if the matter publicized is of a kind
    that (a) would be highly offensive to a
    reasonable person, and (b) is not of legitimate
    concern to the public."

8
The Fourth Amendment
"The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be
violated, and no warrants shall issue, but upon
probable cause, supported by oath or affirmation,
and particularly describing the place to be
searched, and the persons or things to be seized."
9
The Fourth Amendment in Cyberspace
"We are satisfied that the Constitution requires
that the FBI and other police agencies establish
probable cause to enter into a personal and
private computer." U.S. v. Maxwell
10
Publics are Private,Privates are Not
"Although individuals have a right under the
Fourth Amendment of the United States
Constitution to be free from unreasonable
searches and seizures by the Government, private
searches are not subject to constitutional
restrictions." U.S. v. Hall
11
O'Connor v. Ortega
  • "Fourth Amendment rights are implicated
    whenever the conduct of the government
    officials at issue . . . infringes 'an
    expectation of privacy that society is prepared
    to consider reasonable.'"

12
Contract Law
  • PCI-DSS credit card transaction data
  • Federal grants human subjects research data
  • Privacy policies
  • "Your privacy is our number one priority. We
    will not share your information with any other
    organization."
  • Translation "We're liars!"
  • Or "Our marketing people, who wrote this, are
    idiots."

12
13
Statutes
  • Gramm-Leach-Bliley financial institution
    customer information
  • HIPAA protected health information
  • Electronic Communications Privacy Act electronic
    communications

13
14
ECPA
  • "A fog of inclusions and exclusions" Briggs
    v. American Air Filter Co. (5th Cir. 1980)
  • "A statute . . . which is famous (if not
    infamous) for its lack of clarity" Steve
    Jackson Games, Inc. v. United States Secret
    Service (5th Cir. 1994)
  • "The Fifth Circuit . . . might have put the
    matter too mildly." U.S. v. Smith (9th Cir.
    1998)

15
Data Breach Notification
  • 44 states D.C. to date
  • "'Personal information' means an individual's
    first name or first initial and last name in
    combination with any one or more of the following
    data elements, when either the name or the data
    elements are not encrypted
  • (1) Social security number
  • (2) Driver's license number or Rhode Island
    Identification Card number
  • (3) Account number, credit or debit card number,
    in combination with any required security code,
    access code, or password that would permit access
    to an individual's financial account."

15
16
Fundamental FERPA
  • The Family Educational Rights and Privacy Act of
    1974
  • A.K.A. the Buckley Amendment

17
We Don't Need No "Education"
  • FERPA "education records"
  • Includes transcripts, exams, papers, and the like
  • But it also includes
  • Financial aid and account records
  • Discipline records, including complaints
  • SSNs and campus ID numbers
  • E-mail
  • Photographs
  • "Unofficial" files
  • Records that are publicly available elsewhere
  • Information that the student has publicly
    revealed
  • Virtually everything!

18
Structural Basics
  • Definition/scope what is protected
  • Privacy what rules govern its disclosure
  • Safeguarding/security what must be done to
    protect it from unauthorized access and disclosure

19
It Takes a Village
  • "Given that it is virtually impossible to use
    physical or technological safeguards to prevent
    authorized users from using their access to
    education records for unauthorized purposes, it
    is important that an educational agency or
    institution establish and enforce policies and
    procedures, including appropriate training, to
    help ensure that school officials do not in fact
    misuse education records for their own purposes."

20
And a "Reasonable Person"
  • "When an institution is authorized to disclose
    information from education records . . ., FERPA
    does not specify or restrict the method of
    disclosure. . . . FERPA does not mandate any
    specific method, such as encryption technology,
    for achieving these standards with electronic
    disclosure of information from education records.
    However, reasonable and appropriate steps
    consistent with current technological
    developments should be used to control access to
    and safeguard the integrity of education records
    in electronic data storage and transmission,
    including the use of e-mail, Web sites, and other
    Internet protocols."

21
And a "Reasonable Person"
  • "When an institution is authorized to disclose
    information from education records . . ., FERPA
    does not specify or restrict the method of
    disclosure. . . . FERPA does not mandate any
    specific method, such as encryption technology,
    for achieving these standards with electronic
    disclosure of information from education records.
    However, reasonable and appropriate steps
    consistent with current technological
    developments should be used to control access to
    and safeguard the integrity of education records
    in electronic data storage and transmission,
    including the use of e-mail, Web sites, and other
    Internet protocols."

22
Resources
  • General
  • http//counsel.cua.edu/fedlaw
  • http//www.educause.edu/security/16030
  • GLB
  • http//counsel.cua.edu/glb
  • PCI-DSS
  • http//counsel.cua.edu/fedlaw//PCI .cfm
  • HIPAA
  • http//counsel.cua.edu/HIPAA
  • Data breach notification
  • http//www.ncsl.org/programs/lis/cip/priv/breachla
    ws.htm
  • Privacy policy example
  • http//privacy.ahc.umn.edu/pub_pri_info.html

23
Some Disclaimers
  • If you steal from one author, it's plagiarism
    if you steal from many, it's research. ?
  • Wilson Mizner, US screenwriter (1876 - 1933)
  • Many people (some in this room) contributed to
    the ideas used in this part of the presentation
  • If during the next 15 minutes you feel like Noah
    attending a talk about floods please be patient
  • We just want to level set everyone in the room
    for the lively discussion which will immediately
    follow

24
Risks to Managing Information
  • Fortune 500
  • Regulations
  • Reputation
  • Revenues
  • Are risks in Higher Education different?
  • Risks are mitigated by reducing vulnerabilities
  • Vulnerabilities can be exploited accidentally or
    intentionally to a victim it really doesnt
    matter

25
What are Vulnerabilities?
Reality (What the system actually does)
Specification (What the system should do)
Systems can be People, Process or Technology
Vulnerabilities (What the system shouldnt do
that it does)
Deficiencies (What the system doesnt do that it
should)
Adapted from Testing for Software Security,
www.ddj.com, November 2002
26
Information Security
  • Ensuring information integrity and availability
    and restricting access only to authorized users
    (confidentiality)
  • Focus areas
  • People, Process, Technology
  • Control objectives
  • Protection, Detection, Response
  • Emphasis on protecting enterprise information

27
How Much is Enough?
Cost of Security Investments
Optimum ROSI
Cost ()
Impact of Security Incidents
Security Capability
100
0
28
Information Privacy
  • Providing individuals with general control over
    disclosure and the subsequent use of their
    personal information
  • Notice - what is being collected, how it will be
    used
  • Choice - right to opt in or opt out
  • Access - right to see information and correct
    errors
  • Security - expectation steward will ensure C, I,
    A
  • Focus on empowering individual control
  • Security is a major enabler to achieving privacy

29
Some Moments of Truth
  • Your institution is already making privacy
    decisions
  • Websites
  • http//www.upenn.edu/about/privacy_policy.php
  • Libraries
  • http//lts.brandeis.edu/research/borrowing/privacy
    .html
  • Learning Management Systems
  • http//latte.brandeis.edu/help/latte-best/latte-se
    curity.html
  • Registrar Notices
  • http//www.brandeis.edu/registrar/catalog/introAnn
    ualNotice.htm
  • Appropriate Use Policies
  • http//lts.brandeis.edu/about/policies/computingpo
    licies.html

30
Laying the Foundation
  • Build security and privacy awareness and resolve
  • Spend your time outside your comfort zone
    educating and evangelizing, not with converted
    colleagues
  • Form an Information Security/Privacy Advisory
    Council
  • Be a change agent and champion of institutional
    character expression (as well as regulatory
    compliance) via policies
  • Engage, educate, and be patient
  • Unconscious incompetence
  • Conscious incompetence
  • Conscious competence
  • Unconscious competence

31
A PP Maturity Model
32
Formulating Management Intent
33
When Is The Right Time?
  • It is a bad idea to criminalize the middle
    class.
  • Dennis Devlins Criminology Professor, c. 1968
  • Unfunded mandates are also a very bad idea.
  • Dennis Devlin c. 2000
  • Policies can be effective immediately or can be
    aspirational with a full compliance must be
    achieved by statement
  • Begin with an end in mind.
  • Stephen Covey
  • CPOs, like CISOs, are often appear at tipping
    points

34
Emerging Challenges
  • The goalposts are moving - How to deal with
    student and faculty privacy as we employ new
    technologies for learning, teaching and
    scholarship
  • Learning management systems
  • Social networks
  • Wikis
  • Blogs
  • Folksonomies
  • Virtual worlds
  • Can FERPA and Web 2.0 coexist?

35
Lively Discussion
36
Wrap Up
  • Another Helpful Resource
  • http//connect.educause.edu
  • Our Contact Information
  • Dennis Devlin
  • ddevlin_at_brandeis.edu
  • Steven McDonald
  • smcdonal_at_risd.edu
About PowerShow.com