Data Privacy and Security: Overview and Update Beth Cate Associate University Counsel


Page 2

Old laws and new

• Numerous laws have been passed in recent years to protect privacy and security of certain types of data that are obtained, created, maintained, used and shared by IU
  • E.g., FERPA (Family Educational Rights and Privacy Act), protects privacy of student education records
  • E.g., HIPAA (Health Insurance Portability and Accountability Act), protects privacy and security of personal health information
• Want to alert you to three new state laws taking effect 7/1/06 that affect data privacy and security at IU
  • Prohibiting unauthorized disclosures of Social Security Numbers
  • Requiring secure disposal of records with certain personal information
  • Requiring notice of security breaches that expose personal information to unauthorized access
• Want to also say a word about payment card industry security standards for credit card information

Page 3

Multi-level approach at IU to data privacy and security

• Identify and implement overall “best practices” for handling institutional data
• Identify certain types of sensitive data for heightened privacy and security rules—either because law requires it or we think it’s a good idea as a policy matter
• Work with units who have sensitive data to ensure compliance with applicable laws and policies (Registrars/FERPA, Health Center/HIPAA, Student Financial Assistance/GLB, etc.)
• Educate University community on best practices and particular obligations concerning data privacy and security

Page 4

Each law is somewhat different, but general principles seem to be emerging

• Three categories of data security measures:
  • Administrative (policies and procedures and sanctions for violations)
  • Physical (locks, keycards, physical barriers to data)
  • Technical (passwords, encryption, etc.)
• Continuing assessment and adjustment of security measures in light of own, and similar others’, experience
• Periodic monitoring and testing of security measures
• Education of people handling sensitive data on their roles and obligations
• Appropriate security and confidentiality obligations imposed on third parties with whom we share data

Page 5

And these principles may also begin to set standards for tort claims

• Tort law includes things like negligence claims – the claim that the University has breached a duty of reasonable care and that the breach proximately caused harm.
  • Plaintiffs’ lawyers have begun bringing negligence claims in response to systems breaches that expose personal data to unauthorized access
  • May be difficult to prove that breach caused harm, unless courts define harm to include fear of identity theft and extra time/resources spent taking steps to protect oneself against it
• Tort law also includes “invasion of privacy” claims
  • Intrusion upon seclusion
  • Misappropriation
  • False light publicity
  • Public disclosure of private facts

Page 6

Three new Indiana laws on data privacy and security

Page 7

#1--Social Security Number Disclosure Law

Effective July 1, 2006, it is a crime to disclose an individual’s Social Security Number to a party outside of IU unless the disclosure is authorized under Indiana state law

Page 8

Types of disclosures covered

• Electronic
• Paper
• Oral

Page 9

Whose Social Security Numbers does this apply to?

Any individual’s SSN that IU maintains in its records -- not limited to just personnel and students

Page 10

What SSN disclosures are authorized?

Except where prohibited by state or federal law or a court order:

• Disclosures to a local, state, or federal agency
• Disclosures by IUPD to an individual, entity, or local, state or federal agency, for the purpose of furthering an investigation
• Disclosures that are expressly required (not just permitted) by state or federal law or a court order
• Disclosures for which we have the individual’s express written consent
• Disclosures of only the last four (4) digits of the SSN
• Disclosures for the purpose of administering health benefits of an employee or the employee’s dependent(s)
• Disclosures made in the context of certain counterterrorism investigations
• Disclosures to commercial entities for use in certain activities authorized under 3 federal laws

Page 11

Examples of disclosures that would fall within these exemptions

• Disclosures by FMS personnel to state and federal tax agencies for tax reporting purposes
• Disclosure in response to valid subpoena demanding employee or student records
• Disclosure to health care plan vendors for the purpose of enrolling employees in health care plans

Page 12

Penalties for unauthorized disclosures -- IU

• IU must notify individual(s) affected under new notice law
  • Costs in terms of constituent trust, time and other resources to notify
• Possibility of civil suit filed by affected individual(s)

Page 13

Penalties for unauthorized disclosures -- Employees

• Knowing, intentional, or reckless violations are felonies:
  • Up to 3 years’ jail time
  • Up to $10,000 fines
• Negligent violations are “infractions” are misdemeanors:
  • Up to 1 year jail time
  • Up to $5,000 fines
• Possibility of civil suit filed by affected individual(s)

Page 14

NOTE: it is not clear whether “negligent” disclosure under the law covers only affirmative transfer of an SSN or also inadvertent exposure of SSNs to unauthorized access due to inadequate security measures.

THIS REINFORCES THE NEED FOR PROPER ELECTRONIC AND PAPER SECURITY FOR RECORDS WE MAINTAIN WITH SSNs

Page 15

Why are SSNs getting all this protection?

• Increased concerns about identity theft and perception that SSNs may be used in identity theft
• Perception that SSNs have become a default identifier for individuals instead of being limited to their intended use, and desire to cut back
• Numerous state laws on SSNs, some federal laws, and further federal bills have been proposed

Page 16

#2--Personal Information Secure Disposal Law

Effective July 1, 2006, it is a crime for IU or an IU employee to dispose of certain personal information of a “customer” in a non-secure manner

Page 17

What does “dispose of” mean?

• Discarding or abandoning the “personal information” of a “customer” in an area accessible to the public
• Includes placing the personal information in a container for trash collection

Page 18

What types of “personal information” are covered?

• SSNs
• First initial or name PLUS last name AND:
  • Credit card number
  • Financial account number or debit card number in combination with a security code, password, or access code that permits account access
  • Driver’s license number
  • State identification number

Page 19

Also…

• The law only applies to personal information that is neither “encrypted” nor “redacted”
• “Encrypted”:
  • transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or
  • secured by another method that renders the personal information unreadable or unusable
• “Redacted”: information is truncated so only last 5 digits of SSN or last 4 of other personal information are accessible

Page 20

Who are “customers”?

• Anyone who has received or contracted for the direct or indirect provision of goods or services from IU and whose personal information we store, and
• Anyone who has given us their personal information in connection with a transaction with IU
• E.g., students, parents, employees, bookstore and theater customers, vendors who give us personal information, etc.

Page 21

What types of disposal are secure enough?

• Shredding
• Incinerating
• Mutilating
• Erasing
• Methods that otherwise render the information illegible or unusable

Page 22

Relationship to other data security laws

• State disposal law EXEMPTS persons who are already maintaining and complying with disposal program under:
  • HIPAA
  • Gramm-Leach-Bliley
  • Fair Credit Reporting Act
  • Driver’s Privacy Protection Act
  • USA Patriot Act/Executive Order 13224

Page 23

#3 – Security Breach Notification Law

• Effective July 1, 2006, IU must notify individuals whose “unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person” as a result of a system security breach
• This law essentially codifies something IU and other schools have been doing already as “best practices” in the event of a breach

Page 24

What types of “personal information” does this cover?

• First initial or name PLUS last name AND:
  • SSN (> last 4 digits)
  • Driver’s license number
  • State identification card number
  • Credit card number
  • Debit card number
  • Financial Account number
  • Security code, access code, or password of financial account

Page 25

What does “unencrypted” mean?

It’s not defined in this law – best to assume the definition in the disposal law would apply

Page 26

NOTE

• This law only addresses computerized (electronic) data, not paper data
  • Of course, IU can still give notice as a policy matter if there were a disclosure of personal information in paper records
• Also, the law doesn’t cover theft of portable electronic devices with personal information stored on them, if access is protected by a password that has not been disclosed

Page 27

When does notice have to be given?

• “without unreasonable delay”
  • Consistent with
    • legitimate needs of law enforcement, and
    • measures needed to determine scope of breach and restore system integrity
• Notice may be delayed if law enforcement determines notice will impede criminal investigation

Page 28

How may notice be given?

• In writing
• By email
• By conspicuous posting on IU website and notice to major statewide media, if
  • Cost of notice to individuals $250K or more,
  • More than 500,000 people must be notified, or
  • Insufficient contact information for personal notice

Page 29

Who else must be notified?

• If more than 1,000 individuals’ information involved, must notify “without unreasonable delay” all consumer reporting agencies that we have sent notices to the individuals
  • Equifax, TransUnion, Experian
  • Heads-up to them that individuals may be requesting credit reports to monitor for attempted identity theft

Page 30

IF YOU BECOME AWARE OF A SECURITY BREACH

• Contact your local Systems Support Center or Network Operations Center immediately
• Send details of incident to: [email protected]
• IT Policy Office will coordinate response and take all appropriate steps

Page 31

Payment Card Industry Data Security Standards

• Merchant bank agreements with IU impose payment card data security standards
• Extensive and rigorous requirements that apply to all components of IT system involved with cardholder data access, retention and processing
• Requires immediate notice to payment card co. in case of security breach
• Noncompliance may lead to fines, revocation of right to accept cards for payment
• Conference coming up with payment card industry personnel and higher ed personnel to work through implementation issues for campuses

Page 32

So those are the new state laws and payment card standards – how do they fit into the “big legal picture” concerning data privacy and security?

Page 33

Many privacy/security rules dealing with discrete categories of data

• FERPA – student education records
• GLB – nonpublic customer information of “financial institutions”
• HIPAA – personal health information
• FACTA – consumer report data
• New Indiana laws – SSN, other “personal information”
• Payment card industry security standards – credit card transaction information

Page 34

Operating under certain best practices will help us comply with these laws and new IN laws

Page 35

Best data handling/retention/disposal practices

• Review old records to determine whether sensitive data exists that is no longer needed
• Going forward, only obtain/retain sensitive personal information when really needed
• Limit who has access to the data to who really needs it
• Limit the servers on which sensitive data is stored
• Limit or prohibit downloading sensitive data onto portable devices and PCs
• Use encryption and redaction when possible in storage and transmission
• Require strong passwords for access
• Dispose of all business records with sensitive information securely
• Review data privacy and security practices of third parties who will receive IU sensitive data and contractually obligate them to safeguard data sufficiently/indemnify us for any privacy or security breaches
• EDUCATION!!!!

Page 36

Overall Data Privacy and Security Framework

• Should have three types of safeguards, noted earlier
  • Administrative
  • Physical
  • Technical
• Continuous assessment and adjustment of security and privacy measures in light of experience, to achieve data security and integrity

Page 37

Questions?