180 likes | 394 Views
Data Privacy Laws/Regulations. FERPA – Family Educational Rights and Privacy Act HIPAA – Health Insurance Portability and Accountability Act GLBA – Gramm-Leach-Bliley Act RFR – Red Flags Rule of the Federal Trade Commission FISMA – Federal Information Security Management Act
E N D
Data Privacy Laws/Regulations • FERPA – Family Educational Rights and Privacy Act • HIPAA – Health Insurance Portability and Accountability Act • GLBA – Gramm-Leach-Bliley Act • RFR – Red Flags Rule of the Federal Trade Commission • FISMA – Federal Information Security Management Act • PCI DSS – Payment Card Industry Data Security Standards • Others exist, but the above are primary 2
General Institutional Requirements • FERPA, HIPAA, GLBA, RFR, FISMA, and PCI-DSS require the following: • Designated information security responsibility • Risk-based information security program • Data security policies and procedures • Monitoring and incident handling/compliance • Data security training and awareness 3
Consequences of Noncompliance • FERPA – Loss of federal funding to institution • HIPAA – Monetary penalties of up to $6M / year • GLBA – Fines and imprisonment • RFR – Federal fines • FISMA – Loss of research and contract funding • PCI DSS • Fines • Removal of institution’s ability to take credit card payments 4
Recent Higher Ed Data Breaches • Butler University, June 2014 • 163,000 records taken • Iowa State University (NMSU peer), April 2014 • 48,729 records taken • North Dakota University, March 2014 • 291,465 records taken • Indiana University, February 2014 • 146,000 records taken • University of Maryland, February 2014 • 309,079 records taken 5
Hard Costs Related to Breaches • Maricopa Community College District for last year's data breach costs are approaching $20 million • University of Maryland to pay $2.6M just for credit monitoring of data breach victims. Other costs TBD • Target estimates data breach costs at nearly $150 million and shares are down • These are just a few examples… 6
NMSU’s Risk If hackers compromised Banner, how many unique social security numbers would they have access to? A. 10,000 B. 25,000 C. 50,000 D. I already have enough trouble sleeping at night 7
~ 500,000 (including the SSNs of the people sitting to your right and left) 8
NMSU’s Risk (continued) • In addition to social security numbers and other Personally Identifiable Information (PII), NMSU’s systems contain other regulated data • Not all regulated data resides centrally --- desktop/shadow systems and departmental servers may also contain regulated data • We still get reports of PII data being transmitted “in the clear” despite NMSU data security policy 9
Estimated Cost of a Data Breach • Based on 2013 Study by Ponemon Institute & Symantec • $111 per record at US universities and colleges • $136 per record across industry • Estimated cost of a breach at NMSU • $55,500,000 based on loss of 500,000 records at $111 per record • Includes costs associated with loss of public confidence, reputation, etc. 10
Breaches Bring Greater Focus • Higher education institutions are reacting to data breaches by committing to improved data security • University of Maryland created a President's Task Force on Cybersecurity, adding more staff and purchasing expensive security tools • Iowa State University is creating policies and deploying security tools, etc. 11
NMSU is being proactive • Enhancing security practices within the technology – network, servers, software • Implementing new security tools • Beefing up training & awareness, compliance across the institution • Working to establish a risk-based information security program • Doing what we can with available resources, but more is needed 12
Changing IT Landscape • Factors that are now shaping IT • Greater and very real threats to institutional data • Integration of information technology into all areas of NMSU’s business, requiring a strategic versus strictly operational perspective of IT • Competition for IT resources is growing, requiring better planning, resource allocation, and sharing • A move to IT Governance is key! 13
Information Technology Governance • Just what is IT Governance? • The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. (Gartner) • What does IT Governance do for NMSU? • Ensures the effective evaluation, selection, prioritization, and funding of competing IT investments • Optimizes resources • Lowers risk • Enhances measurement of institutional IT performance 14
IT Governance, Then Data Governance • Data governance is born of IT governance • Once IT governance is established, data governance follows 15
Governance Leads to Security • IT and Data Governance are the foundation of data security, culminating in protection that is based on identified risk • Awareness is the first step • Information security is everyone’s responsibility • Appropriate governance ensures that the university is in compliance with data security laws and NMSU policies 16
What Can You Do? • Participate in IT and data governance taskforces • See IT as a strategic asset • Endorse a risk-based information security program • You and your staff should participate in online or in person data security training 18
Risk-Based Information Security Program at NMSU Questions? Thanks Norma Grijalva John Roberts Carlos S. Lobato