Legal Issues for Employees 201

1
Legal Issues for Employees 201

• How to Protect Yourself and WL from Improper Use
  / Disclosure of Confidential Information

2
Why Do I Need to Be Here?

• Do you have a social security number? Bank
  account? Credit card? Medical records?
• OR
• Do you work with or around student records?
  Employee records? Credit cards? Donor financial
  information? Alumni information? University
  financial information? Other sensitive or
  proprietary information about University
  operations? Ever hear about any of this?

3
Whats this all about?

• Three separate issues
• What is PRIVATE (personally identifiable
  information protected by law, policy, or common
  civility)
• How to keep PRIVATE information CONFIDENTIAL
  (seen/heard by only those with a legitimate need
  to know) and
• How to keep such information SECURE (so that it
  cannot be improperly altered, removed, or
  destroyed).

4
Whats the problem?

• Identity Theft - - dont think it cant happen to
  you.
• Dumpster divers, shoulder surfers, computer
  hackers, keystroke loggers, etc.
• Its not just people out there who are the
  problem - - we need to be pro-active to safeguard
  information.

5
Give me some examples . . .

• Lets talk about your own personal recordkeeping
  and information security practices first
• Do you have your social security number as your
  drivers license number? Consider changing to a
  random number.
• Dont give out your social security number to
  anyone unless its mandatory and you have
  assurance as to safeguards.

6
Personal practices (contd)

• Dont give out a credit card number over the
  phone unless youve dialed the company and know
  you can trust them.
• Dont give out a credit card over the internet
  unless you see a symbol of encrypted online
  information delivery (lock).
• Dont use just one user name and password for all
  online accounts.

7
Personal practices (contd)

• Dont just throw credit card bills or other
  bills/documents with account numbers or social
  security numbers in the trash - - get a shredder.
• Periodically, get a copy of your credit report
  (e.g., Equifax) to be sure there are no debts
  that you didnt incur.

8
What to do in case of identity theft?

• Call 1-877-ID-THEFT to report to the Federal
  Trade Commission
• Then call local police and FBI
• Also report to Social Security Administration for
  SS theft
• Contact credit card companies and other creditors

9
But enough about you . . .
10
Private information under law

• Student education records (FERPA)
• Financial account/loan records (Gramm Leach
  Bliley) student loans, employee home loans
• Personally identifiable employee information kept
  by covered health plans (HIPAA) health, dental,
  flex, EAP

11
Private information under law

• Records related to employee disability (Americans
  with Disabilities Act) kept separate from rest
  of personnel file
• Medical records related to family and medical
  leave (FMLA)
• Background Check results (disposal) (FACTA)
• Student medical treatment / counseling records
  (private under Virginia law)
• Human Subjects Research (surveys, etc.)

12
Private information under policy

• Social security numbers and credit card numbers
  are included in WLs Information Security
  Program.

13
Other private WL information

• Personally identifiable information re donors,
  alumni and alumnae.
• Proprietary WL information (internal operations,
  financial/investments, research and institutional
  data not intended for public disclosure)

14
Responsibilities of WL employees

• All university faculty and staff are expected to
  comply with university policies and procedures on
  privacy, confidentiality and security.
• New employees (faculty staff) sign
  confidentiality and technology use agreements.

15
How to protect the confidentiality of private
information

• Follow University and department policies,
  procedures, and protocols.
• If you have no legitimate work-related necessity
  or educational reason to hear/see/disclose the
  information, dont.
• Be sure that only those with a legitimate,
  work-related need to know have authority and
  access to private information.

16
How to protect the confidentiality of private
information

• When in doubt, ask / confirm first before
  disclosing private information.
• If you are aware of documents with private
  information being simply thrown away, not
  shredded or otherwise securely disposed of,
  advise department head or Scott Dittman, chair of
  ISP committee.

17
How to protect the confidentiality of private
information

• Dont leave private information in plain view
  when leaving your work area.
• Lock file cabinets containing private
  information.
• Keep your office locked when you, or other
  authorized employees, are not present.
• Avoid multiple copies of private information
  unless needed.

18
How to protect the confidentiality of private
information

• Dont discuss private or sensitive information
  with open doors or in hallways, etc.
• Treat private information as if it were about
  you.
• Taking files home - - handle with care.

19
Protecting electronic information

• Password security
• 8 characters, alphanumeric
• Change it often
• Dont share it with anyone
• Dont write it down and tape it close by
• Give proxy to e-mail or calendar, not password to
  the account

20
Protecting electronic information

• Lock your workstation each time you leave it
  unattended (Ctrl/Alt/Delete)
• Shut down your computer each evening (allows
  patches and updates to apply AND keeps others off
  the computer)
• Keep anti-virus/firewalls, etc. up to date on
  home computers if you work at home
• Have multiple user names/pws

21
Protecting electronic information

• Safe e-mail practices
• Dont open attachments if you arent expecting
  them
• Dont click on links in emails
• Safe internet browsing
• Dont click on it if you didnt ask for it
• Dont allow random downloads
• Safe instant messaging (AOL viruses)
• Only communicate with known buddies

22
Protecting electronic information

• Consider placement of screen / visibility to
  office visitors
• Use screen blockers
• Be careful with flash drives, memory keys,
  diskettes, CDs, etc.

23
What about when traveling?

• Assume NOTHING is secure!!!
• Wired is more secure than wireless
• Always look for the encrypted (lock or
  equivalent) symbol to be sure communication is
  secure
• Wireless off campus - - dont do log ins to other
  sites unless encrypted

24
What about while traveling?

• Never user hotel lobby computers for anything
  sensitive or private - - only map quest type
  inquiries, etc.
• Why? Keystroke loggers . . . Scary
• If you lose a memory key, laptop, etc. report it
  to University Computing immediately

25
Specific private information

• Student educational records (FERPA)
• Know policy / guidance
• http//registrar.wlu.edu/policies/ferpa.htm
• Consent, unless school official with legitimate
  educational interest, subpoena, emergency, few
  other exceptions
• Directory information unless opt out
• Resources Registrar, counsel.wlu.edu

26
Specific private information

• HIPAA
• Records kept by WL health plans on employee
  medicals, claims, etc.
• Group health, Flex, Dental, EAP
• Deborah Stoner and Steven McClure are authorized
  officials (HR)
• http//humanresources.wlu.edu/other/Benefit20Plan
  20Privacy20Practices.htm

27
Specific private information

• Background check information (FACTA)
• Disposal of such information
• ADA/FMLA
• Faculty staff medical information related to
  disability accommodations or family/medical leave
  - - should be kept separate from personnel file
  (HR Office)

28
Specific private information

• Personally identifiable financial information
  (finances, social security number, credit card)
  (GLB WL policy)
• Treasurers office
• HR
• Financial Aid
• Business Office
• Bookstore, Alumni Office, Special Programs,
  Development, etc.

29
Information Security Program

• Campus internal inventory of department
  information security practices to identify and
  address any potential security concerns.
• Will begin with Financial Aid, Treasurers
  Office, Business Office, HR, and other offices
  maintaining social security numbers or credit
  card numbers.

30
What to do in case of improper disclosure or
other security breach

• Notify your department head, Scott Dittman
  (Registrar/Chair of ISP Committee), and/or Ruth
  Floyd (University Computing) as appropriate