480 likes | 589 Views
Creating Confidentiality Agreements that Protect Data and Privacy: The Challenge of Keeping up With Changes in State and Federal Regulations. Elaine S. Reber California Institute of Technology. Agenda. Speaker’s Qualifications Background Focus/Goal Access to Data
E N D
Creating Confidentiality Agreements that Protect Data and Privacy:The Challenge of Keeping up With Changes in State and Federal Regulations Elaine S. Reber California Institute of Technology
Agenda • Speaker’s Qualifications • Background • Focus/Goal • Access to Data • Noteworthy Federal and State Laws • Policies versus Confidentiality Statements • What do we need to protect data? • Summary • Questions and Answers
Speaker’s Qualifications • Associate Director of Infrastructure for Administrative Applications for Caltech • Oversees the areas of System Administration, Database Administration, Operations, Applications Security, and Telecommunications
Background • Caltech’s Mission: To expand human knowledge and benefit society by developing creative scientists and engineers • Students: 900 undergraduates and 1200 graduates • Faculty: 300 Full Time and 700 post-doctoral fellows • Staff: 2,000 • Research Funding: Over $200 million • Total Budget: ~ $500 million • Caltech administers the JPL (Jet Propulsion Laboratory) budget for NASA.
Background (continued) • July 1999 – Caltech upgraded its network and replaced of its legacy administrative systems with new applications, including: • Oracle HRMS and Financials on 10.7 Network Computing Architecture (NCA) • Exeter Student System • Famis Job Costing System • CEI Purchasing Card System • Since 1999, Caltech has upgraded all of its administrative applications multiple times and has added several 3rd party applications and tools.
Focus/Goal • Understand the challenges of protecting personal data, student information, and financial and business records that we maintain for our community (students, faculty, staff, etc.)
Focus/Goal – continued • Be aware of the laws and regulations that protect the privacy of data • Recognize that security and privacy are different, but security is essential to privacy1 • Make recommendations to create more robust data security environments on our campuses 1. Dr. Michael Zastrocky, “Higher Education and IT: What’s in the Future, http://www.njedge.net/conference2003/presentations/Gartner.ppt
Internally: Human Resources Finance Student Affairs Development Offices Faculty Health Care Providers Administrative Staff Software Developers Database Administrators Application Security Staff Business Analysts Internal Auditors Others Who gets access to protected data?
Externally: External Auditors 3rd Party Vendors Gov’t Offices Law Enforcement Officials Schools Requesting Transcripts Organizations Conducting Certain Types of Studies Others Who gets access to protected data?(continued)
What is the Process for Internal Staff to get Access to Data? • Identify Data Needs • Identify Appropriate Responsibilities / Privileges • Submit Access Request Form/s • Obtain Approvals • May receive Training • Maysign Confidentiality / Non-disclosure Agreement or Implied Consent • Receive Logon Credentials from Application Security Office
Is that protocol for getting data access sufficient to protect the privacy, security, and integrity of our Institutions’ data?
…in a perfect world, YES! But in this world, we face: • Hackers • Viruses • Cyber takeovers • S/W with security holes • H/W with security holes • Stolen laptops • Opportunists • Etc. Give me passwords!
Perhaps, the laws surrounding privacy of data will fill in the gaps
Noteworthy Federal and State Laws • FEDERAL: • 1974 – Family Education Right To Privacy Act (FERPA) • 1996 – Health Insurance Portability and Accountability Act (HIPAA) • 1999 – Financial Services Modernization Act (Gramm-Leach Bliley Act) • 2002 – Sarbanes-Oxley (SOX) • STATE: • 1977 – California Information Practices Act
Family Educational Rights And Privacy Act of 1974 - FERPA(20 U.S.C § 1232g) • FERPA, also known as the Buckley Amendment, is a federal law that protects the privacy of student education records. It is administered by the Family Policy Compliance Office (FPCO) at the U.S. Education Department.1 • The Act went into law on 19 November 1974 and has been amended several times since its enactment. It applies to all educational agencies and institutions that are the recipients of federal funding.2 • Schools are required to notify parents and eligible students annually of their rights under FERPA.3 1. http://chronicle.com/cgi-bin/printable.cgi?article=http://dhronicle.com/weekly/v50/i06/06a02202.htm 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 3. Ibid.
FERPA - continued (20 U.S.C § 1232g) • Schools may not furnish or release identifiable personal information without written consent specifying the records to be released, the reasons for release, and parties to whom they are being released.1 The same rules apply to third parties acting on behalf of the schools.2 • The act also provides the “eligible student” (18 years or older or attending post-secondary school) and parents the right to inspect and review education records, to seek to amend those records, and to limit disclosure of information from those records.3 1. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 2. http://nces.ed.gov/pubs97/web/97859.asp 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/index.html
FERPA - continued (20 U.S.C § 1232g) • Any data collected by authorized officials must be protected from unauthorized access. It is the requester’s responsibility to destroy the data after it is no longer needed.1 • Each school is required to keep a record of every request for student education information. Only the parents, the “eligible student”, and school officials responsible for the custody of records and auditing the system may see this information.2 1. http://www.epic.org/privacy/education/ferpa.html 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html
FERPA - continued (20 U.S.C § 1232g) • Growing demands for institutional accountability, greater transparency, and national security have increased the challenge of protecting student data.1 • VariousState Freedom-of-Information Acts, The 2001 USA Patriot Act, and the 2001 No Child Left Behind Act also require schools to provide student information under certain circumstances. 1. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 2. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html
FERPA - continued (20 U.S.C § 1232g) • The National Center for Education Statistics (NCES) is studying the feasibility of requiring colleges to provide “unit record (individually identifiable)” data rather than “aggregate” data for reporting.1 • Officials at the Department of Education claim that “unit record” data would make it easier to measure a college’s retention and graduation rates and the net cost of tuition after financial aid is taken into account.2 • FERPA would need to be amended to allow the release of student records without permission from the parents or student.3 1. CLHE,The Campus Privacy Letter, Volume 1, No.1, December 2004; http://www.clhe.org/campusprivacy/cplv1n1.pdf 2. Ibid. 3. http://chronicle.com/weekly/v5/i14/14a2201.htm
Health Insurance Portability and Accountability Act (HIPAA) • HIPAA was implemented in 1996. The final HIPAA Security Rule establishing health data security standards was published in 2003. • The main goals of HIPAA are to: • Make the health care system more efficient, especially through increased use of electronic resources, and • Make health insurance more portable (“portability”) when persons change employers. 1, 1. http://privacy.med.miami.edu/glossary/xd_hipaa.htm
HIPAA (continued) • HIPAA protects private health information. Health plans, health care clearinghouses, health providers, and other organizations that process, transmit, and/or store Protected Health Information (PHI) in electronic form are covered by the Act.1 • PHI is any individually identifiable health information. • HIPAA is administered by the federal Department of Health and Human Services. 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf
HIPAA (continued) • In general, covered entities are required to: • Ensure the confidentiality, integrity, and availability of all electronic PHIthey create, receive, maintain, or transmit • Protect against threats or hazards to the security and integrity of the PHI • Protect against unauthorized disclosures of PHI • Ensure compliance by employees of the covered organization1 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf
HIPAA, FERPA, and State Laws • The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).1 • FERPA provides privacy protections for student health records held by federally funded educational institutions.2 • If State laws are more stringent than HIPAA, then HIPAA gives way to State law.3 1. http://privacy.med.miami.edu/glossary/xd_education_records.htm 2. Ibid. 3. http://www.bowditch.com/PDF/HIPPA.pdf
Financial Services Modernization Act of 1999 – Gramm-Leach Bliley Act (GLB) • The GLB establishes federal requirements for safeguarding non-public personal information collected by financial institutions. There are three principal parts to the GLB privacy requirements: • The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information. • The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. • The Pretexting Provision of the GLB Act protects consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.” 1. http://www.ftc.gov/privacy/glbact/
Gramm-Leach Bliley Act (GLB) - continued • The GLB requires financial institutions to establish an information security program that will: • Insure the security and confidentiality of customer information; • Protect against any anticipated threats or hazards to the security or integrity of such information; and • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.1 1. Federal Register / Vol. 67, No. 100 / Thursday, May 23, 2002 / Rules and Regulations
Gramm-Leach Bliley Act (GLB) - continued • The GLB preempts only “inconsistent” state laws. It sets a minimum standard beyond which states may pass stricter laws.1 1. http://www.the-dma.org/government/grammleachblileyact.shtml
Sarbanes-Oxley Act of 2002 (SOX) • SOX sets new financial accountability standards for publicly held companies and their audit firms. • SOX does not apply to nonprofits, but companies that rate bonds for universities advise them to follow its guidelines. Investors are asking for “more disclosure and transparency of information.”1 • Officials in several States (California, Maryland, and New York) have proposed legislation to require nonprofits to follow the same rules as publicly traded companies.2 1. http://chronicle.com/weekly/v50/i23/23a02602.htm 2. http://chronicle.com/weekly/v50/i18/18a03201.htm
SOX - continued • Some universities have already adopted reforms in response to SOX, such as: • Clarifying procedures for preparation and certification of financial statements • Establishing policies for disclosure of transactions not usually included in main budget reports • Creating standards for audit committees of governing boards • Modifying code of ethics for senior financial officers • Increasing protection for whistle-blowers1 1. http://chronicle.com/weekly/v50/i18/18a03201.htm
Privacy Coverage Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt
Security Requirements Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt
California Information Practices Act(California Civil Code §§1798) • Applies to California state agencies, including state-funded educational institutions. • Does not apply to student records, but does apply to records of potential students before enrollment, i.e., records of applicants for admission.1 • Establishes requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual.2 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html 2. Ibid.
California Information Practices Act(California Civil Code §§1798) - continued • Any information that identifies or describes an individual, the disclosure of which would constitute an unwarranted invasion of personal privacy, is considered personal information. Common types of personal information are: • Birth date • Citizenship • Social Security Number • Income Tax Withholding Information • Performance evaluations • Letter of corrective actions • Names of spouse or other relatives1 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html
California Information Practices Act(California Civil Code §§1798) - continued • In recent years, the Act has been amended to require: • Notification of security breaches involving personal information1 • Greater protection of Social Security Numbers (SSNs) by: • Reducing collection of SSNs • Explaining the purpose of the collection, the intended use, whether it is mandatory, and consequences of refusing to provide SSN • Eliminating public display of SSNs • Controlling access to SSNs • Improving security safeguards • Making the organization accountable for protecting SSNs2 1. http://www.privacy.ca.gov/recommendations/secbreach.pdf 2. http://www.privacy.ca.gov/recommendations/ssnrecommendations.pdf
Are the laws really sufficient to protect the privacy, security, and integrity of our Institutions’ data?
…in a perfect world, YES! But in this world, we face: • Hackers • Viruses • Cyber takeovers • S/W with security holes • H/W with security holes • Opportunists • Legislation is not enough Give me passwords!
Maybe policies and confidentiality agreementswill fill in the gaps.
What is a Policy? A policy is “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.”1 1. Webster’s Ninth New Collegiate Dictionary
What is a Confidentiality Agreement? A Confidentiality Agreement (or Non-disclosure Agreement) is a document that, when signed, will allow one party to discuss their confidential information (including their work and ideas) with other interested parties. It legally binds those parties to keep the information confidential and not to disclose it to third parties. 1. King’s College of London: Technology Transfer Group
What is a Confidentiality Agreement?(continued) A Confidentiality Agreement should give the purpose for the disclosure and also state that the receiving party shall not be permitted to use the confidential information for any purpose except the one defined in the agreement (e.g., to evaluate their interest in collaborating/investing in the ideas/work).1 1.King’s College of London: Technology Transfer Group
Will policies and confidentiality statements increase the likelihood that we can protect the privacy, security, and integrity of our Institutions’ data?
Not really…. Then, what do we Need? • Commitment from the University Leadership • IT security group/CSO • Resources • Institute Privacy Policies
Not really…. Then, what do we Need? (cont) • Institute Policies for the Acceptable Use of Electronic Information Resources • Confidentiality/ Non-Disclosure Agreements or Implied Consent • Active User Awareness Training • Periodic Risk Assessments • Firewalls • SSL
Not really…. Then, what do we Need? (cont) • Strong Authentication / Single Sign On • Authorization • Anti Virus Software • Vigilant Network Monitoring • Incident Reporting • Enforcement
Summary • To protect the privacy of our data; we need • Legislation • Institute commitment • Institute policy statements • Confidentiality statements • User awareness training programs • Develop Best Practices • Pro-Active Network Monitoring • Antivirus Protection
Summary • Authentication/Authorization • Utilize the experts • Legal Department • Risk Management • Human Resources • Security Department • Local Law Enforcement • Peer Institutions • Enforcement