Creating Confidentiality Agreements that Protect Data

and Privacy: The Challenge of Keeping up With

Changes in State and Federal Regulations

Elaine S. Reber

California Institute of Technology

2

Agenda• Speaker’s Qualifications

• Background

• Focus/Goal

• Access to Data

• Noteworthy Federal and State Laws

• Policies versus Confidentiality Statements

• What do we need to protect data?

• Summary

• Questions and Answers

3

Speaker’s Qualifications

• Associate Director of Infrastructure for Administrative Applications for Caltech

• Oversees the areas of System Administration, Database Administration, Operations, Applications Security, and Telecommunications

4

Background

• Caltech’s Mission: To expand human knowledge and benefit society by developing creative scientists and engineers

• Students: 900 undergraduates and 1200 graduates

• Faculty: 300 Full Time and 700 post-doctoral fellows

• Staff: 2,000

• Research Funding: Over $200 million

• Total Budget: ~ $500 million

• Caltech administers the JPL (Jet Propulsion Laboratory) budget for NASA.

5

Background (continued)• July 1999 – Caltech upgraded its network and

replaced of its legacy administrative systems with new applications, including:

– Oracle HRMS and Financials on 10.7 Network Computing Architecture (NCA)

– Exeter Student System

– Famis Job Costing System

– CEI Purchasing Card System

• Since 1999, Caltech has upgraded all of its administrative applications multiple times and has added several 3rd party applications and tools.

6

Focus/Goal

• Understand the challenges of protecting

personal data, student information, and

financial and business records that we

maintain for our community (students,

faculty, staff, etc.)

7

Focus/Goal – continued

• Be aware of the laws and regulations that protect

the privacy of data

• Recognize that security and privacy are different,

but security is essential to privacy1

• Make recommendations to create more robust

data security environments on our campuses

1. Dr. Michael Zastrocky, “Higher Education and IT: What’s in the Future, http://www.njedge.net/conference2003/presentations/Gartner.ppt

8

Who gets access to protected data?

• Internally: – Human Resources– Finance– Student Affairs– Development

Offices– Faculty– Health Care

Providers

– Administrative Staff– Software Developers– Database

Administrators– Application Security

Staff– Business Analysts– Internal Auditors– Others

9

Who gets access to protected data? (continued)

• Externally:– External Auditors– 3rd Party Vendors– Gov’t Offices– Law Enforcement Officials– Schools Requesting Transcripts– Organizations Conducting Certain Types of

Studies – Others

10

What is the Process for Internal Staff to get Access to Data?

– Identify Data Needs– Identify Appropriate Responsibilities / Privileges– Submit Access Request Form/s– Obtain Approvals – May receive Training– May sign Confidentiality / Non-disclosure

Agreement or Implied Consent – Receive Logon Credentials from

Application Security Office

11

Is that protocol for getting data access sufficient to protect the privacy, security, and integrity of our Institutions’ data?

12

…in a perfect world, YES!But in this world, we face:

• Hackers• Viruses• Cyber takeovers• S/W with security holes• H/W with security holes• Stolen laptops • Opportunists• Etc.

13

Perhaps, the laws surrounding privacy of data will fill in the gaps

14

Noteworthy Federal and State Laws• FEDERAL:

1974 – Family Education Right To Privacy Act (FERPA) 1996 – Health Insurance Portability and Accountability Act

(HIPAA)

1999 – Financial Services Modernization Act

(Gramm-Leach Bliley Act)

2002 – Sarbanes-Oxley (SOX)

• STATE: 1977 – California Information Practices Act

15

Family Educational Rights And Privacy Act of 1974 - FERPA

(20 U.S.C § 1232g)

• FERPA, also known as the Buckley Amendment, is a federal law that protects the privacy of student education records. It is administered by the Family Policy Compliance Office (FPCO) at the U.S. Education Department.1

• The Act went into law on 19 November 1974 and has been amended several times since its enactment. It applies to all educational agencies and institutions that are the recipients of federal funding.2

• Schools are required to notify parents and eligible students annually of their rights under FERPA.3

1. http://chronicle.com/cgi-bin/printable.cgi?article=http://dhronicle.com/weekly/v50/i06/06a02202.htm2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html3. Ibid.

16

FERPA - continued (20 U.S.C § 1232g)

• Schools may not furnish or release identifiable personal information without written consent specifying the records to be released, the reasons for release, and parties to whom they are being released.1 The same rules apply to third parties acting on behalf of the schools.2

• The act also provides the “eligible student” (18 years or older or attending post-secondary school) and parents the right to inspect and review education records, to seek to amend those records, and to limit disclosure of information from those records.3

1. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html2. http://nces.ed.gov/pubs97/web/97859.asp3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/index.html

17

FERPA - continued (20 U.S.C § 1232g)

• Any data collected by authorized officials must be protected from unauthorized access. It is the requester’s responsibility to destroy the data after it is no longer needed.1

• Each school is required to keep a record of every request for student education information. Only the parents, the “eligible student”, and school officials responsible for the custody of records and auditing the system may see this information.2

1. http://www.epic.org/privacy/education/ferpa.html2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html

18

FERPA - continued (20 U.S.C § 1232g)

• Growing demands for institutional accountability, greater transparency, and national security have increased the challenge of protecting student data.1

• Various State Freedom-of-Information Acts, The 2001 USA Patriot Act, and the 2001 No Child Left Behind Act also require schools to provide student information under certain circumstances.

1. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm

2. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm

3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html

19

FERPA - continued (20 U.S.C § 1232g)

• The National Center for Education Statistics (NCES) is studying the feasibility of requiring colleges to provide “unit record (individually identifiable)” data rather than “aggregate” data for reporting.1

• Officials at the Department of Education claim that “unit record” data would make it easier to measure a college’s retention and graduation rates and the net cost of tuition after financial aid is taken into account.2

• FERPA would need to be amended to allow the release of student records without permission from the parents or student.3

1. CLHE, The Campus Privacy Letter, Volume 1, No.1, December 2004; http://www.clhe.org/campusprivacy/cplv1n1.pdf

2. Ibid.3. http://chronicle.com/weekly/v5/i14/14a2201.htm

20

Health Insurance Portability and Accountability Act

(HIPAA)• HIPAA was implemented in 1996. The final HIPAA

Security Rule establishing health data security standards was published in 2003.

• The main goals of HIPAA are to:

1. Make the health care system more efficient, especially through increased use of electronic resources, and

2. Make health insurance more portable (“portability”) when persons change employers. 1,

1. http://privacy.med.miami.edu/glossary/xd_hipaa.htm

21

HIPAA (continued)

• HIPAA protects private health information. Health plans, health care clearinghouses, health providers, and other organizations that process, transmit, and/or store Protected Health Information (PHI) in electronic form are covered by the Act.1

• PHI is any individually identifiable health information.

• HIPAA is administered by the federal Department of Health and Human Services.

1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management , 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf

22

HIPAA (continued)

• In general, covered entities are required to:

– Ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit

– Protect against threats or hazards to the security and integrity of the PHI

– Protect against unauthorized disclosures of PHI

– Ensure compliance by employees of the covered organization1

1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management , 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf

23

HIPAA, FERPA, and State Laws

• The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).1

• FERPA provides privacy protections for student health records held by federally funded educational institutions.2

• If State laws are more stringent than HIPAA, then HIPAA gives way to State law.3

1. http://privacy.med.miami.edu/glossary/xd_education_records.htm2. Ibid.3. http://www.bowditch.com/PDF/HIPPA.pdf

24

Financial Services Modernization Act of 1999 – Gramm-Leach Bliley Act (GLB)

• The GLB establishes federal requirements for safeguarding non-public personal information collected by financial institutions. There are three principal parts to the GLB privacy requirements:

• The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information.

• The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information.

• The Pretexting Provision of the GLB Act protects consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.”

1. http://www.ftc.gov/privacy/glbact/

25

Gramm-Leach Bliley Act (GLB) - continued

• The GLB requires financial institutions to establish an information security program that will:

• Insure the security and confidentiality of customer information;

• Protect against any anticipated threats or hazards to the security or integrity of such information; and

• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.1

1. Federal Register / Vol. 67, No. 100 / Thursday, May 23, 2002 / Rules and Regulations

26

Gramm-Leach Bliley Act (GLB) - continued

• The GLB preempts only “inconsistent” state laws. It sets a minimum standard beyond which states may pass stricter laws.1

1. http://www.the-dma.org/government/grammleachblileyact.shtml

27

Sarbanes-Oxley Act of 2002 (SOX)

• SOX sets new financial accountability standards for publicly held companies and their audit firms.

• SOX does not apply to nonprofits, but companies that rate bonds for universities advise them to follow its guidelines. Investors are asking for “more disclosure and transparency of information.”1

• Officials in several States (California, Maryland, and New York) have proposed legislation to require nonprofits to follow the same rules as publicly traded companies.2

1. http://chronicle.com/weekly/v50/i23/23a02602.htm

2. http://chronicle.com/weekly/v50/i18/18a03201.htm

28

SOX - continued

• Some universities have already adopted reforms in response to SOX, such as:

– Clarifying procedures for preparation and certification of financial statements

– Establishing policies for disclosure of transactions not usually included in main budget reports

– Creating standards for audit committees of governing boards

– Modifying code of ethics for senior financial officers– Increasing protection for whistle-blowers1

1. http://chronicle.com/weekly/v50/i18/18a03201.htm

29

Privacy Coverage Compared1

FERPAProtects personally identifiable educational records such as:

– Individual Grades – GPA– SSN – Date of Birth– Gender– Class Schedule – Hours earned– Work Study records– Etc.

GLBProtects personally identifiable financial information in any format including:

– Financial aid applications– Credit data– Tax returns of parents– Student loan information– Student financial

information on athletic compliance forms

– Etc.

HIPAAProtects personally identifiable health information including:

– Medical records– Lab reports– Provider notes– Billing and Payment

records– Immunization

Records– Mental health notes– Etc.

1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt

30

Security Requirements Compared1

FERPA

• No set, specific requirements

• No clear consensus in higher ed on what is needed

• No court decisions on third party breach

GLB

• Develop comprehensive security program:

–Risk Assessment–Risk Mitigation–Assess employee

training needs

• Require affiliates to share responsibility for protecting information

HIPAA

• Administrative Safeguards:

– Processes, procedures, training

– Risk Analysis

• Physical Safeguards:

– Facility, workstations, etc.

• Technical Safeguards:

– Access, audit control, data integrity, etc.

1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt

31

California Information Practices Act(California Civil Code §§1798)

• Applies to California state agencies, including state-funded educational institutions.

• Does not apply to student records, but does apply to records of potential students before enrollment, i.e., records of applicants for admission.1

• Establishes requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual.2

1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html 2. Ibid.

32

California Information Practices Act (California Civil Code §§1798) - continued

• Any information that identifies or describes an individual, the disclosure of which would constitute an unwarranted invasion of personal privacy, is considered personal information. Common types of personal information are:

– Birth date– Citizenship– Social Security Number– Income Tax Withholding Information– Performance evaluations– Letter of corrective actions– Names of spouse or other relatives1

1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html

33

California Information Practices Act (California Civil Code §§1798) - continued

• In recent years, the Act has been amended to require:

– Notification of security breaches involving personal information1

– Greater protection of Social Security Numbers (SSNs) by:

• Reducing collection of SSNs• Explaining the purpose of the collection, the intended use,

whether it is mandatory, and consequences of refusing to provide SSN

• Eliminating public display of SSNs• Controlling access to SSNs• Improving security safeguards• Making the organization accountable for protecting SSNs2

1. http://www.privacy.ca.gov/recommendations/secbreach.pdf2. http://www.privacy.ca.gov/recommendations/ssnrecommendations.pdf

34

Are the laws really sufficient to protect the privacy, security, and integrity of our Institutions’ data?

35

…in a perfect world, YES!But in this world, we face:

• Hackers• Viruses• Cyber takeovers• S/W with security holes• H/W with security holes• Opportunists• Legislation is not enough

36

Maybe policies and confidentiality agreementswill fill in the gaps.

37

What is a Policy?

A policy is “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.”1

1. Webster’s Ninth New Collegiate Dictionary

38

What is a Confidentiality Agreement?

A Confidentiality Agreement (or Non-disclosure Agreement) is a document that, when signed, will allow one party to discuss their confidential information (including their work and ideas) with other interested parties.

It legally binds those parties to keep the information confidential and not to disclose it to third parties.

1. King’s College of London: Technology Transfer Group

39

What is a Confidentiality Agreement?(continued)

A Confidentiality Agreement should give the purpose for the disclosure and also state that the receiving party shall not be permitted to use the confidential information for any purpose except the one defined in the agreement (e.g., to evaluate their interest in collaborating/investing in the ideas/work).1

1. King’s College of London: Technology Transfer Group

40

Will policies and confidentiality statements increase the likelihood that we can protect the privacy, security, and integrity of our Institutions’ data?

41

Not really…. Then, what do we Need?

• Commitment from the University Leadership

• IT security group/CSO

• Resources

• Institute Privacy Policies

42

Not really…. Then, what do we Need? (cont)

• Institute Policies for the Acceptable Use of Electronic Information Resources

• Confidentiality/ Non-Disclosure Agreements or Implied Consent

• Active User Awareness Training• Periodic Risk Assessments• Firewalls• SSL

43

Not really…. Then, what do we Need? (cont)

• Strong Authentication / Single Sign On• Authorization• Anti Virus Software• Vigilant Network Monitoring• Incident Reporting• Enforcement

44

Peer Survey - Data Privacy PoliciesOrganization

Electronic Information Policy?

Require users with access to confidential information to sign confidentiality agreements?

Refusal to sign a confidentiality agreement?

Require training before providing access to administrative systems?

Password reset how often?

School 1

Have Acceptable Use Policy No N/A

Yes: apps-specific as needed;no mandatory security awareness training

Every semester

School 2 Yes Yes/Implied Consent

Waiting for guidance from General Counsel Yes: apps-specific as needed 90 days

School 3

Have Acceptable Use Policy

No - Considered part of contract for employment N/A Yes: apps-specific as needed

60 days for network;none for admin systems

School 4 Yes Yes

Refusal results in forfeiture of right to access system

Yes - apps-specific; security training optional  

School 5 Yes

Yes - After approval, a Password Token card is used for 2-factor authentication. Cards are issued by the central IT group.

Noted on the Non-disclosure Agreement; doc filed in emp's department

Yes: apps-specific as needed;training on token done by IT  

School 6 Yes

Implied consent - part of login and password change scripts. Individual departments may have requirements. N/A Yes: apps-specific as needed 90 days

School 7 Yes No N/A Yes: apps-specific as needed Annually

45

Summary

•To protect the privacy of our data; we need

Legislation

Institute commitment

Institute policy statements

Confidentiality statements

User awareness training programs

Develop Best Practices

Pro-Active Network Monitoring

Antivirus Protection

46

Summary

•Authentication/Authorization

•Utilize the expertsLegal Department

Risk Management

Human Resources

Security Department

Local Law Enforcement

Peer Institutions

•Enforcement

47

Questions and Answers

48

Thank you!

Elaine.reber@caltech.edu