Does Your Campus Need a Chief Privacy Officer? Dennis Devlin, Chief Information Security Officer, Brandeis University Steven J. McDonald, General Counsel, Rhode Island School of Design ICPL 2008 August 14, 2008 1


Does Your Campus Need a Chief Privacy Officer?

Dennis Devlin, Chief Information Security Officer, Brandeis University

Steven J. McDonald, General Counsel, Rhode Island School of Design

ICPL 2008

August 14, 2008 1


Introduction and Plan

• Steve will describe information privacy from a legal perspective, with an overview of privacy laws that apply to us (and not too much legalese)

• Dennis will discuss privacy (and security) from a CISO’s perspective and some things a university can do to begin to prepare for a privacy program

• Everyone will then participate in a discussion, and prove that none of us is as smart as all of us when it comes to information privacy


Icebreaker

• A quick quiz to test how well we all know the subject: http://www.cdt.org/privacy/quiz/

• What are some of the top information privacy concerns for your institution?


“Perhaps the biggest problem faced by all concerned is the fact that we live today in a world of technologically recorded, maintained and communicated information”

– Statement introduced during the debate on FERPA, 120 Cong. Rec. 36,532 (Nov. 19, 1974)



What is Privacy (Legally)?

"[T]he right to be let alone – the most comprehensive of rights, and the right most valued by civilized men."

– Justice Louis Brandeis, Olmstead v. U.S.


The Legal Basis for Privacy: A Crazy Quilt

• U.S. and state constitutions
  – But no explicit reference in U.S. constitution
  – Fourth amendment (and state versions)

• Statutory privacy
  – FERPA, HIPAA, GLB, and other general and topical privacy statutes
  – ECPA, data breach notification, and other computer-specific privacy statutes
  – But also federal and state FOIA laws

• Contract law

• The common law of privacy


Common Law Invasion of Privacy

• Intrusion
  – "One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person."

• Public Disclosure of Private Facts
  – "One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public."


The Fourth Amendment

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."


The Fourth Amendment in Cyberspace

"We are satisfied that the Constitution requires that the FBI and other police agencies establish probable cause to enter into a personal and private computer."

– U.S. v. Maxwell


Publics are Private, Privates are Not

"Although individuals have a right under the Fourth Amendment of the United States Constitution to be free from unreasonable searches and seizures by the Government, private searches are not subject to constitutional restrictions."

– U.S. v. Hall


O'Connor v. Ortega

"Fourth Amendment rights are implicated [whenever] the conduct of the [government] officials at issue . . . infringe[s] 'an expectation of privacy that society is prepared to consider reasonable.'"


Contract Law

• PCI-DSS: credit card transaction data

• Federal grants: human subjects research data

• Privacy policies
  – "Your privacy is our number one priority. We will not share your information with any other organization."
  – Translation: "We're liars!"
  – Or: "Our marketing people, who wrote this, are idiots."


Statutes

• Gramm-Leach-Bliley: financial institution customer information

• HIPAA: protected health information

• Electronic Communications Privacy Act: electronic communications


ECPA

• "[A] fog of inclusions and exclusions" – Briggs v. American Air Filter Co. (5th Cir. 1980)

• "[A] statute . . . which is famous (if not infamous) for its lack of clarity" – Steve Jackson Games, Inc. v. United States Secret Service (5th Cir. 1994)

• "[T]he Fifth Circuit . . . might have put the matter too mildly." – U.S. v. Smith (9th Cir. 1998)


Data Breach Notification

• 44 states + D.C. to date

• "'[P]ersonal information' means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  – (1) Social security number;
  – (2) Driver's license number or Rhode Island Identification Card number;
  – (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."


Fundamental FERPA

• The Family Educational Rights and Privacy Act of 1974

• A.K.A. the Buckley Amendment


We Don't Need No "Education"

• FERPA: "education records"

• Includes transcripts, exams, papers, and the like

• But it also includes:
  – Financial aid and account records
  – Discipline records, including complaints
  – SSNs and campus ID numbers
  – E-mail
  – Photographs
  – "Unofficial" files
  – Records that are publicly available elsewhere
  – Information that the student has publicly revealed
  – Virtually everything!


Structural Basics

• Definition/scope: what is protected

• Privacy: what rules govern its disclosure

• Safeguarding/security: what must be done to protect it from unauthorized access and disclosure


It Takes a Village

• "[G]iven that it is virtually impossible to use physical or technological safeguards to prevent authorized users from using their access to education records for unauthorized purposes, it is important that an educational agency or institution establish and enforce policies and procedures, including appropriate training, to help ensure that school officials do not in fact misuse education records for their own purposes."


And a "Reasonable Person"

• "[W]hen an institution is authorized to disclose information from education records . . ., FERPA does not specify or restrict the method of disclosure. . . . FERPA does not mandate any specific method, such as encryption technology, for achieving these standards with electronic disclosure of information from education records. However, reasonable and appropriate steps consistent with current technological developments should be used to control access to and safeguard the integrity of education records in electronic data storage and transmission, including the use of e-mail, Web sites, and other Internet protocols."


Resources

• General:
  – http://counsel.cua.edu/fedlaw
  – http://www.educause.edu/security/16030

• GLB:
  – http://counsel.cua.edu/glb

• PCI-DSS:
  – http://counsel.cua.edu/fedlaw//PCI.cfm

• HIPAA:
  – http://counsel.cua.edu/HIPAA

• Data breach notification:
  – http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

• Privacy policy example:
  – http://privacy.ahc.umn.edu/pub_pri_info.html


Some Disclaimers

• “If you steal from one author, it's plagiarism; if you steal from many, it's research.” – Wilson Mizner, US screenwriter (1876 - 1933)

• Many people (some in this room) contributed to the ideas used in this part of the presentation

• If during the next 15 minutes you feel like “Noah attending a talk about floods”, please be patient
  – We just want to level-set everyone in the room for the lively discussion which will immediately follow…


Risks to Managing Information

• Fortune 500
  – Regulations
  – Reputation
  – Revenues

• Are risks in Higher Education different?

• Risks are mitigated by reducing vulnerabilities
  – Vulnerabilities can be exploited accidentally or intentionally – to a victim it really doesn’t matter


What are Vulnerabilities?

[Diagram] Specification (what the system should do) versus Reality (what the system actually does). Where the two diverge: Vulnerabilities (what the system shouldn’t do that it does) and Deficiencies (what the system doesn’t do that it should). “Systems” can be People, Process or Technology.

Adapted from “Testing for Software Security”, www.ddj.com, November 2002


Information Security

• Ensuring information integrity and availability and restricting access only to authorized users (confidentiality)
  – Focus areas
    • People, Process, Technology
  – Control objectives
    • Protection, Detection, Response

• Emphasis on protecting enterprise information


How Much is Enough?

[Chart] Cost ($) plotted against Security Capability (0% to 100%), with two curves, Cost of Security Investments and Impact of Security Incidents, and a point labelled Optimum ROSI (return on security investment).


Information Privacy

• Providing individuals with general control over disclosure and the subsequent use of their personal information
  – Notice - what is being collected, how it will be used
  – Choice - right to opt in or opt out
  – Access - right to see information and correct errors
  – Security - expectation steward will ensure C, I, A

• Focus on empowering individual control
  – Security is a major enabler to achieving privacy


Some Moments of Truth

• Your institution is already making privacy decisions
  – Websites: http://www.upenn.edu/about/privacy_policy.php
  – Libraries: http://lts.brandeis.edu/research/borrowing/privacy.html
  – Learning Management Systems: http://latte.brandeis.edu/help/latte-best/latte-security.html
  – Registrar Notices: http://www.brandeis.edu/registrar/catalog/introAnnualNotice.htm
  – Appropriate Use Policies: http://lts.brandeis.edu/about/policies/computingpolicies.html


Laying the Foundation

• Build security and privacy awareness and resolve
  – Spend your time outside your comfort zone educating and evangelizing, not with converted colleagues
  – Form an Information Security/Privacy Advisory Council
  – Be a change agent and champion of institutional character expression (as well as regulatory compliance) via policies

• Engage, educate, and be patient
  – Unconscious incompetence
  – Conscious incompetence
  – Conscious competence
  – Unconscious competence


A P&P Maturity Model

Information Security and Privacy Policies and Procedures

1. Reactive
   · Technology Focused · Bottom-Up · Obvious · Not Controversial
   Examples: Malicious Code Protection · Patching Vulnerabilities · Incident Response (IT) · Appropriate Use

2. Proactive
   · Audit Focused · Top Down · More Subtle · Inconvenient
   Examples: Separation of Duties · Identity Management · Auditability and Compliance · Information Retention

3. “Radioactive”
   · ROI ≠ ROI · Sideways · Sneaky · Difficult
   Examples: Information Classification · Stewards and Custodians · Incident Response (CEO) · Information Destruction · Information Privacy


Formulating Management Intent


When Is The Right Time?

• “It is a bad idea to criminalize the middle class.”
  – Dennis Devlin’s Criminology Professor, c. 1968

• “Unfunded mandates are also a very bad idea.”
  – Dennis Devlin, c. 2000

• Policies can be effective immediately or can be “aspirational” with a “full compliance must be achieved by” statement

• “Begin with an end in mind.” – Stephen Covey

• CPOs, like CISOs, often appear at tipping points


Emerging Challenges

• The goalposts are moving - How to deal with student and faculty privacy as we employ new technologies for learning, teaching and scholarship
  – Learning management systems
  – Social networks
  – Wikis
  – Blogs
  – Folksonomies
  – Virtual worlds

• Can FERPA and Web 2.0 coexist?


Lively Discussion


Wrap Up

• Another Helpful Resource
  – http://connect.educause.edu

• Our Contact Information
  – Dennis Devlin: [email protected]
  – Steven McDonald: [email protected]
