1 / 48

Elaine S. Reber California Institute of Technology

Creating Confidentiality Agreements that Protect Data and Privacy: The Challenge of Keeping up With Changes in State and Federal Regulations. Elaine S. Reber California Institute of Technology. Agenda. Speaker’s Qualifications Background Focus/Goal Access to Data

mairi
Download Presentation

Elaine S. Reber California Institute of Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Creating Confidentiality Agreements that Protect Data and Privacy:The Challenge of Keeping up With Changes in State and Federal Regulations Elaine S. Reber California Institute of Technology

  2. Agenda • Speaker’s Qualifications • Background • Focus/Goal • Access to Data • Noteworthy Federal and State Laws • Policies versus Confidentiality Statements • What do we need to protect data? • Summary • Questions and Answers

  3. Speaker’s Qualifications • Associate Director of Infrastructure for Administrative Applications for Caltech • Oversees the areas of System Administration, Database Administration, Operations, Applications Security, and Telecommunications

  4. Background • Caltech’s Mission: To expand human knowledge and benefit society by developing creative scientists and engineers • Students: 900 undergraduates and 1200 graduates • Faculty: 300 Full Time and 700 post-doctoral fellows • Staff: 2,000 • Research Funding: Over $200 million • Total Budget: ~ $500 million • Caltech administers the JPL (Jet Propulsion Laboratory) budget for NASA.

  5. Background (continued) • July 1999 – Caltech upgraded its network and replaced of its legacy administrative systems with new applications, including: • Oracle HRMS and Financials on 10.7 Network Computing Architecture (NCA) • Exeter Student System • Famis Job Costing System • CEI Purchasing Card System • Since 1999, Caltech has upgraded all of its administrative applications multiple times and has added several 3rd party applications and tools.

  6. Focus/Goal • Understand the challenges of protecting personal data, student information, and financial and business records that we maintain for our community (students, faculty, staff, etc.)

  7. Focus/Goal – continued • Be aware of the laws and regulations that protect the privacy of data • Recognize that security and privacy are different, but security is essential to privacy1 • Make recommendations to create more robust data security environments on our campuses 1. Dr. Michael Zastrocky, “Higher Education and IT: What’s in the Future, http://www.njedge.net/conference2003/presentations/Gartner.ppt

  8. Internally: Human Resources Finance Student Affairs Development Offices Faculty Health Care Providers Administrative Staff Software Developers Database Administrators Application Security Staff Business Analysts Internal Auditors Others Who gets access to protected data?

  9. Externally: External Auditors 3rd Party Vendors Gov’t Offices Law Enforcement Officials Schools Requesting Transcripts Organizations Conducting Certain Types of Studies Others Who gets access to protected data?(continued)

  10. What is the Process for Internal Staff to get Access to Data? • Identify Data Needs • Identify Appropriate Responsibilities / Privileges • Submit Access Request Form/s • Obtain Approvals • May receive Training • Maysign Confidentiality / Non-disclosure Agreement or Implied Consent • Receive Logon Credentials from Application Security Office

  11. Is that protocol for getting data access sufficient to protect the privacy, security, and integrity of our Institutions’ data?

  12. …in a perfect world, YES! But in this world, we face: • Hackers • Viruses • Cyber takeovers • S/W with security holes • H/W with security holes • Stolen laptops • Opportunists • Etc. Give me passwords!

  13. Perhaps, the laws surrounding privacy of data will fill in the gaps

  14. Noteworthy Federal and State Laws • FEDERAL: • 1974 – Family Education Right To Privacy Act (FERPA) • 1996 – Health Insurance Portability and Accountability Act (HIPAA) • 1999 – Financial Services Modernization Act (Gramm-Leach Bliley Act) • 2002 – Sarbanes-Oxley (SOX) • STATE: • 1977 – California Information Practices Act

  15. Family Educational Rights And Privacy Act of 1974 - FERPA(20 U.S.C § 1232g) • FERPA, also known as the Buckley Amendment, is a federal law that protects the privacy of student education records. It is administered by the Family Policy Compliance Office (FPCO) at the U.S. Education Department.1 • The Act went into law on 19 November 1974 and has been amended several times since its enactment. It applies to all educational agencies and institutions that are the recipients of federal funding.2 • Schools are required to notify parents and eligible students annually of their rights under FERPA.3 1. http://chronicle.com/cgi-bin/printable.cgi?article=http://dhronicle.com/weekly/v50/i06/06a02202.htm 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 3. Ibid.

  16. FERPA - continued (20 U.S.C § 1232g) • Schools may not furnish or release identifiable personal information without written consent specifying the records to be released, the reasons for release, and parties to whom they are being released.1 The same rules apply to third parties acting on behalf of the schools.2 • The act also provides the “eligible student” (18 years or older or attending post-secondary school) and parents the right to inspect and review education records, to seek to amend those records, and to limit disclosure of information from those records.3 1. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 2. http://nces.ed.gov/pubs97/web/97859.asp 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/index.html

  17. FERPA - continued (20 U.S.C § 1232g) • Any data collected by authorized officials must be protected from unauthorized access. It is the requester’s responsibility to destroy the data after it is no longer needed.1 • Each school is required to keep a record of every request for student education information. Only the parents, the “eligible student”, and school officials responsible for the custody of records and auditing the system may see this information.2 1. http://www.epic.org/privacy/education/ferpa.html 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html

  18. FERPA - continued (20 U.S.C § 1232g) • Growing demands for institutional accountability, greater transparency, and national security have increased the challenge of protecting student data.1 • VariousState Freedom-of-Information Acts, The 2001 USA Patriot Act, and the 2001 No Child Left Behind Act also require schools to provide student information under certain circumstances. 1. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 2. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html

  19. FERPA - continued (20 U.S.C § 1232g) • The National Center for Education Statistics (NCES) is studying the feasibility of requiring colleges to provide “unit record (individually identifiable)” data rather than “aggregate” data for reporting.1 • Officials at the Department of Education claim that “unit record” data would make it easier to measure a college’s retention and graduation rates and the net cost of tuition after financial aid is taken into account.2 • FERPA would need to be amended to allow the release of student records without permission from the parents or student.3 1. CLHE,The Campus Privacy Letter, Volume 1, No.1, December 2004; http://www.clhe.org/campusprivacy/cplv1n1.pdf 2. Ibid. 3. http://chronicle.com/weekly/v5/i14/14a2201.htm

  20. Health Insurance Portability and Accountability Act (HIPAA) • HIPAA was implemented in 1996. The final HIPAA Security Rule establishing health data security standards was published in 2003. • The main goals of HIPAA are to: • Make the health care system more efficient, especially through increased use of electronic resources, and • Make health insurance more portable (“portability”) when persons change employers. 1, 1. http://privacy.med.miami.edu/glossary/xd_hipaa.htm

  21. HIPAA (continued) • HIPAA protects private health information. Health plans, health care clearinghouses, health providers, and other organizations that process, transmit, and/or store Protected Health Information (PHI) in electronic form are covered by the Act.1 • PHI is any individually identifiable health information. • HIPAA is administered by the federal Department of Health and Human Services. 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf

  22. HIPAA (continued) • In general, covered entities are required to: • Ensure the confidentiality, integrity, and availability of all electronic PHIthey create, receive, maintain, or transmit • Protect against threats or hazards to the security and integrity of the PHI • Protect against unauthorized disclosures of PHI • Ensure compliance by employees of the covered organization1 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf

  23. HIPAA, FERPA, and State Laws • The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).1 • FERPA provides privacy protections for student health records held by federally funded educational institutions.2 • If State laws are more stringent than HIPAA, then HIPAA gives way to State law.3 1. http://privacy.med.miami.edu/glossary/xd_education_records.htm 2. Ibid. 3. http://www.bowditch.com/PDF/HIPPA.pdf

  24. Financial Services Modernization Act of 1999 – Gramm-Leach Bliley Act (GLB) • The GLB establishes federal requirements for safeguarding non-public personal information collected by financial institutions. There are three principal parts to the GLB privacy requirements: • The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information. • The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. • The Pretexting Provision of the GLB Act protects consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.” 1. http://www.ftc.gov/privacy/glbact/

  25. Gramm-Leach Bliley Act (GLB) - continued • The GLB requires financial institutions to establish an information security program that will: • Insure the security and confidentiality of customer information; • Protect against any anticipated threats or hazards to the security or integrity of such information; and • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.1 1. Federal Register / Vol. 67, No. 100 / Thursday, May 23, 2002 / Rules and Regulations

  26. Gramm-Leach Bliley Act (GLB) - continued • The GLB preempts only “inconsistent” state laws. It sets a minimum standard beyond which states may pass stricter laws.1 1. http://www.the-dma.org/government/grammleachblileyact.shtml

  27. Sarbanes-Oxley Act of 2002 (SOX) • SOX sets new financial accountability standards for publicly held companies and their audit firms. • SOX does not apply to nonprofits, but companies that rate bonds for universities advise them to follow its guidelines. Investors are asking for “more disclosure and transparency of information.”1 • Officials in several States (California, Maryland, and New York) have proposed legislation to require nonprofits to follow the same rules as publicly traded companies.2 1. http://chronicle.com/weekly/v50/i23/23a02602.htm 2. http://chronicle.com/weekly/v50/i18/18a03201.htm

  28. SOX - continued • Some universities have already adopted reforms in response to SOX, such as: • Clarifying procedures for preparation and certification of financial statements • Establishing policies for disclosure of transactions not usually included in main budget reports • Creating standards for audit committees of governing boards • Modifying code of ethics for senior financial officers • Increasing protection for whistle-blowers1 1. http://chronicle.com/weekly/v50/i18/18a03201.htm

  29. Privacy Coverage Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt

  30. Security Requirements Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt

  31. California Information Practices Act(California Civil Code §§1798) • Applies to California state agencies, including state-funded educational institutions. • Does not apply to student records, but does apply to records of potential students before enrollment, i.e., records of applicants for admission.1 • Establishes requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual.2 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html 2. Ibid.

  32. California Information Practices Act(California Civil Code §§1798) - continued • Any information that identifies or describes an individual, the disclosure of which would constitute an unwarranted invasion of personal privacy, is considered personal information. Common types of personal information are: • Birth date • Citizenship • Social Security Number • Income Tax Withholding Information • Performance evaluations • Letter of corrective actions • Names of spouse or other relatives1 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html

  33. California Information Practices Act(California Civil Code §§1798) - continued • In recent years, the Act has been amended to require: • Notification of security breaches involving personal information1 • Greater protection of Social Security Numbers (SSNs) by: • Reducing collection of SSNs • Explaining the purpose of the collection, the intended use, whether it is mandatory, and consequences of refusing to provide SSN • Eliminating public display of SSNs • Controlling access to SSNs • Improving security safeguards • Making the organization accountable for protecting SSNs2 1. http://www.privacy.ca.gov/recommendations/secbreach.pdf 2. http://www.privacy.ca.gov/recommendations/ssnrecommendations.pdf

  34. Are the laws really sufficient to protect the privacy, security, and integrity of our Institutions’ data?

  35. …in a perfect world, YES! But in this world, we face: • Hackers • Viruses • Cyber takeovers • S/W with security holes • H/W with security holes • Opportunists • Legislation is not enough Give me passwords!

  36. Maybe policies and confidentiality agreementswill fill in the gaps.

  37. What is a Policy? A policy is “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.”1 1. Webster’s Ninth New Collegiate Dictionary

  38. What is a Confidentiality Agreement? A Confidentiality Agreement (or Non-disclosure Agreement) is a document that, when signed, will allow one party to discuss their confidential information (including their work and ideas) with other interested parties. It legally binds those parties to keep the information confidential and not to disclose it to third parties. 1. King’s College of London: Technology Transfer Group

  39. What is a Confidentiality Agreement?(continued) A Confidentiality Agreement should give the purpose for the disclosure and also state that the receiving party shall not be permitted to use the confidential information for any purpose except the one defined in the agreement (e.g., to evaluate their interest in collaborating/investing in the ideas/work).1 1.King’s College of London: Technology Transfer Group

  40. Will policies and confidentiality statements increase the likelihood that we can protect the privacy, security, and integrity of our Institutions’ data?

  41. Not really…. Then, what do we Need? • Commitment from the University Leadership • IT security group/CSO • Resources • Institute Privacy Policies

  42. Not really…. Then, what do we Need? (cont) • Institute Policies for the Acceptable Use of Electronic Information Resources • Confidentiality/ Non-Disclosure Agreements or Implied Consent • Active User Awareness Training • Periodic Risk Assessments • Firewalls • SSL

  43. Not really…. Then, what do we Need? (cont) • Strong Authentication / Single Sign On • Authorization • Anti Virus Software • Vigilant Network Monitoring • Incident Reporting • Enforcement

  44. Peer Survey - Data Privacy Policies

  45. Summary • To protect the privacy of our data; we need • Legislation • Institute commitment • Institute policy statements • Confidentiality statements • User awareness training programs • Develop Best Practices • Pro-Active Network Monitoring • Antivirus Protection

  46. Summary • Authentication/Authorization • Utilize the experts • Legal Department • Risk Management • Human Resources • Security Department • Local Law Enforcement • Peer Institutions • Enforcement

  47. Questions and Answers

  48. Thank you!Elaine.reber@caltech.edu

More Related