Does Your Campus Need a Chief Privacy Officer?
Dennis Devlin, Chief Information Security Officer, Brandeis University
Steven J. McDonald, General Counsel, Rhode Island School of Design
ICPL 2008
August 14, 2008 1
Introduction and Plan
• Steve will describe information privacy from a legal perspective, with an overview of privacy laws that apply to us (and not too much legalese)
• Dennis will discuss privacy (and security) from a CISO’s perspective and some things a university can do to begin to prepare for a privacy program
• Everyone will then participate in a discussion, and prove that none of us is as smart as all of us when it comes to information privacy
Icebreaker
• A quick quiz to test how well we all know the subject: http://www.cdt.org/privacy/quiz/
• What are some of the top information privacy concerns for your institution?
“Perhaps the biggest problem faced by all concerned is the fact that we live today in a world of technologically recorded, maintained and communicated information”
– Statement introduced during the debate on FERPA, 120 Cong. Rec. 36,532 (Nov. 19, 1974)
What is Privacy (Legally)?
"[T]he right to be let alone – the most comprehensive of rights, and the right most valued by civilized men."
– Justice Louis Brandeis, Olmstead v. U.S.
The Legal Basis for Privacy: A Crazy Quilt
• U.S. and state constitutions
– But no explicit reference in U.S. constitution
– Fourth amendment (and state versions)
• Statutory privacy
– FERPA, HIPAA, GLB, and other general and topical privacy statutes
– ECPA, data breach notification, and other computer-specific privacy statutes
– But also federal and state FOIA laws
• Contract law
• The common law of privacy
Common Law Invasion of Privacy
• Intrusion
– "One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person."
• Public Disclosure of Private Facts
– "One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public."
The Fourth Amendment
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The Fourth Amendment in Cyberspace
"We are satisfied that the Constitution requires that the FBI and other police agencies establish probable cause to enter into a personal and private computer."
– U.S. v. Maxwell
Publics are Private, Privates are Not
"Although individuals have a right under the Fourth Amendment of the United States Constitution to be free from unreasonable searches and seizures by the Government, private searches are not subject to constitutional restrictions."
– U.S. v. Hall
O'Connor v. Ortega
"Fourth Amendment rights are implicated [whenever] the conduct of the [government] officials at issue . . . infringe[s] 'an expectation of privacy that society is prepared to consider reasonable.'"
Contract Law
• PCI-DSS: credit card transaction data
• Federal grants: human subjects research data
• Privacy policies
– "Your privacy is our number one priority. We will not share your information with any other organization."
– Translation: "We're liars!"
– Or: "Our marketing people, who wrote this, are idiots."
Statutes
• Gramm-Leach-Bliley: financial institution customer information
• HIPAA: protected health information
• Electronic Communications Privacy Act: electronic communications
ECPA
• "[A] fog of inclusions and exclusions" – Briggs v. American Air Filter Co. (5th Cir. 1980)
• "[A] statute . . . which is famous (if not infamous) for its lack of clarity" – Steve Jackson Games, Inc. v. United States Secret Service (5th Cir. 1994)
• "[T]he Fifth Circuit . . . might have put the matter too mildly." – U.S. v. Smith (9th Cir. 1998)
Data Breach Notification
• 44 states + D.C. to date
• "'[P]ersonal information' means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
– (1) Social security number;
– (2) Driver's license number or Rhode Island Identification Card number;
– (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."
Fundamental FERPA
• The Family Educational Rights and Privacy Act of 1974
• A.K.A. the Buckley Amendment
We Don't Need No "Education"
• FERPA: "education records"
• Includes transcripts, exams, papers, and the like
• But it also includes:
– Financial aid and account records
– Discipline records, including complaints
– SSNs and campus ID numbers
– E-mail
– Photographs
– "Unofficial" files
– Records that are publicly available elsewhere
– Information that the student has publicly revealed
– Virtually everything!
Structural Basics
• Definition/scope: what is protected
• Privacy: what rules govern its disclosure
• Safeguarding/security: what must be done to protect it from unauthorized access and disclosure
It Takes a Village
• "[G]iven that it is virtually impossible to use physical or technological safeguards to prevent authorized users from using their access to education records for unauthorized purposes, it is important that an educational agency or institution establish and enforce policies and procedures, including appropriate training, to help ensure that school officials do not in fact misuse education records for their own purposes."
And a "Reasonable Person"
• "[W]hen an institution is authorized to disclose information from education records . . ., FERPA does not specify or restrict the method of disclosure. . . . FERPA does not mandate any specific method, such as encryption technology, for achieving these standards with electronic disclosure of information from education records. However, reasonable and appropriate steps consistent with current technological developments should be used to control access to and safeguard the integrity of education records in electronic data storage and transmission, including the use of e-mail, Web sites, and other Internet protocols."
Resources
• General:
– http://counsel.cua.edu/fedlaw
– http://www.educause.edu/security/16030
• GLB:
– http://counsel.cua.edu/glb
• PCI-DSS:
– http://counsel.cua.edu/fedlaw//PCI.cfm
• HIPAA:
– http://counsel.cua.edu/HIPAA
• Data breach notification:
– http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
• Privacy policy example:
– http://privacy.ahc.umn.edu/pub_pri_info.html
Some Disclaimers
• “If you steal from one author, it's plagiarism; if you steal from many, it's research.” – Wilson Mizner, US screenwriter (1876 - 1933)
• Many people (some in this room) contributed to the ideas used in this part of the presentation
• If during the next 15 minutes you feel like “Noah attending a talk about floods” please be patient
– We just want to level set everyone in the room for the lively discussion which will immediately follow…
Risks to Managing Information
• Fortune 500
– Regulations
– Reputation
– Revenues
• Are risks in Higher Education different?
• Risks are mitigated by reducing vulnerabilities
– Vulnerabilities can be exploited accidentally or intentionally – to a victim it really doesn’t matter
What are Vulnerabilities?
• Specification (What the system should do)
• Reality (What the system actually does)
• Vulnerabilities (What the system shouldn’t do that it does)
• Deficiencies (What the system doesn’t do that it should)
• “Systems” can be People, Process or Technology
Adapted from “Testing for Software Security”, www.ddj.com, November 2002
Information Security
• Ensuring information integrity and availability and restricting access only to authorized users (confidentiality)
– Focus areas: People, Process, Technology
– Control objectives: Protection, Detection, Response
• Emphasis on protecting enterprise information
How Much is Enough?
[Chart: Cost ($) against Security Capability (0% to 100%), showing Cost of Security Investments, Impact of Security Incidents, and the Optimum ROSI]
Information Privacy
• Providing individuals with general control over disclosure and the subsequent use of their personal information
– Notice - what is being collected, how it will be used
– Choice - right to opt in or opt out
– Access - right to see information and correct errors
– Security - expectation steward will ensure C, I, A
• Focus on empowering individual control
– Security is a major enabler to achieving privacy
Some Moments of Truth
• Your institution is already making privacy decisions
– Websites: http://www.upenn.edu/about/privacy_policy.php
– Libraries: http://lts.brandeis.edu/research/borrowing/privacy.html
– Learning Management Systems: http://latte.brandeis.edu/help/latte-best/latte-security.html
– Registrar Notices: http://www.brandeis.edu/registrar/catalog/introAnnualNotice.htm
– Appropriate Use Policies: http://lts.brandeis.edu/about/policies/computingpolicies.html
Laying the Foundation
• Build security and privacy awareness and resolve– Spend your time outside your comfort zone educating and
evangelizing, not with converted colleagues– Form an Information Security/Privacy Advisory Council– Be a change agent and champion of institutional character
expression (as well as regulatory compliance) via policies
• Engage, educate, and be patient– Unconscious incompetence– Conscious incompetence– Conscious competence– Unconscious competence
30August 14, 2008
A P&P Maturity Model
Information Security and Privacy Policies and Procedures
1. Reactive
· Technology Focused
· Bottom-Up
· Obvious
· Not Controversial
Examples:
· Malicious Code Protection
· Patching Vulnerabilities
· Incident Response (IT)
· Appropriate Use
2. Proactive
· Audit Focused
· Top Down
· More Subtle
· Inconvenient
Examples:
· Separation of Duties
· Identity Management
· Auditability and Compliance
· Information Retention
3. “Radioactive”
· ROI ≠ ROI
· Sideways
· Sneaky
· Difficult
Examples:
· Information Classification
· Stewards and Custodians
· Incident Response (CEO)
· Information Destruction
· Information Privacy
Formulating Management Intent
When Is The Right Time?
• “It is a bad idea to criminalize the middle class.” – Dennis Devlin’s Criminology Professor, c. 1968
• “Unfunded mandates are also a very bad idea.” – Dennis Devlin, c. 2000
• Policies can be effective immediately or can be “aspirational” with a “full compliance must be achieved by” statement
• “Begin with an end in mind.” – Stephen Covey
• CPOs, like CISOs, often appear at tipping points
Emerging Challenges
• The goalposts are moving - How to deal with student and faculty privacy as we employ new technologies for learning, teaching and scholarship
– Learning management systems
– Social networks
– Wikis
– Blogs
– Folksonomies
– Virtual worlds
• Can FERPA and Web 2.0 coexist?
Lively Discussion
Wrap Up
• Another Helpful Resource
– http://connect.educause.edu
• Our Contact Information
– Dennis Devlin: [email protected]
– Steven McDonald: