540 likes | 716 Views
Educause Enterprise 2007. The Convergence of Privacy, Security and Electronic Information. M. Peter Adler JD, LLM, CISSP, CIPP Adler InfoSec & Privacy Group LLC Director of Privacy and Cybersecurity (Interim), Montgomery College, Rockville, MD. Agenda. Legal Drivers/Applicable Laws
E N D
Educause Enterprise 2007 The Convergence of Privacy, Security and Electronic Information M. Peter Adler JD, LLM, CISSP, CIPP Adler InfoSec & Privacy Group LLC Director of Privacy and Cybersecurity (Interim), Montgomery College, Rockville, MD
Agenda • Legal Drivers/Applicable Laws • Security Laws • Compliance Elements • Privacy Laws • Compliance Approach • Rules of Civil Procedure • Information Management Requirements • Convergence and Compliance
Legal Drivers in Higher Education Security Privacy Information Management
Security • GLBA • HIPAA • FISMA • State Law – Notice of Security Breach and Others
GLBA and Information Security • GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801,6805
GLBA and Higher Education • Higher Education Institutions are “non-bank businesses” subject to GLBA • the university (i.e. the “financial institution”) provides a financial service, administering a financial product such as a scholarship, or dispensing financial advice to customers (students and possibly staff). • This includes student loans, scholarships, bursaries and emergency student aid • GLBA Privacy provisions are met if the institution complies with FERPA • The Security Regulations Do Apply Regardless • Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 (“GLBA Safeguards”) • Therefore, colleges and universities have a legal obligation under the GLBA to safeguard all the students’ nonpublic financial information
Administrative Security Procedures, Legal Compliance Technical Security Physical Security HIPAA COMPLIANCE Business Associate Management HIPAA Requirements/Security To guard the confidentiality, integrity and availability (CIA) of health information
Federal Information Security Act of 2002 (FISMA) • FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq. • Requires compliance with a set of standards federal government information security • Federal Information Processing Standards (FIPS) • NIST Standards • Applies to Federal information System • An information system used or operated by an executive agency, or by another organization on behalf of an executive agency • May be applicable to higher education through government contracts. • Department of Defense and Department of Labor hold fund recipients to these standards. • Department of Education, National Science Foundation and National institutes of Health may do the same.
Approaching Security • Goals • Unified Approach • Risk Assessment Cycle • Risk Assessment Methodology • Risk Handling Methods • Controlling and Mitigating Risk • GLBA Example
Goal of Security Generally Physical To guard the confidentiality, integrity and availability (CIA) of protected information Administrative Protected Information Technical
Risk Assessment Cycle Risk = Threats x Vulnerabilities x Impact
Example: GLBA Information Security Program • Implement, and maintain a comprehensive information security program • that is written in one or more readily accessible parts and • contains administrative, technical, and physical safeguards • The safeguards are to be appropriate • to the organization’s size and complexity, • the nature and scope of its activities, and • the sensitivity of any customer information
Roles and Responsibilities • Roles and Responsibilities: • Designate an employee or employees to coordinate the information security program
GLBA Risk Assessment • Risk Assessment: • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse alteration, destruction or other compromise of such information, • Assess the sufficiency of any safeguards in place to control these risks. • Minimal areas to be addressed: • Employee training and management; • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; • Detecting, preventing and responding to attacks, intrusions, or other systems failures.
Implement and Monitor Safeguards • Safeguard Implementation: • Design and implement information safeguards to control the identified risks • Monitoring Safeguard Effectiveness: • Regularly test or otherwise monitor the effectiveness of the safeguards (i.e., key controls, systems and procedures)
Evaluate and Modify GLBA Information Security Program • Evaluate and adjust the GLBA information security program in light of the results of the testing and monitoring • any material changes to business operations or arrangements; or • any other circumstances that you know or have reason to know may have a material impact on your information security program
Third Party Service Providers • Selection of Service Providers: • Select and retain service providers that are capable of maintaining appropriate safeguards for the customer information • Contractually Bind Security Safeguards: • Contractually require service providers to implement and maintain such safeguards to protect customer information.
Privacy • Family Educational Rights and Privacy Act (FERPA) • Health Insurances Portability and Accountability Act • State Law • Notice of Breach Laws • Other state laws
Family Education Rights & Privacy Act(FERPA) • Leading federal privacy law for educational institutions. • Imposes confidentiality requirements over student educational records. • Prohibiting institutions from disclosing "personally identifiable education information" such as grades or financial aid information without the student's written permission. • Provides students with the right to request and review their educational records and to make corrections to those records. • Law applies with equal force to electronic and hardcopy records.
HIPAA • Applies to Health Care Providers, Health Plans and Health Care Clearinghouses, e.g., • Student Health Services • Academic medical centers • Business associates (through contracts) • Imposes confidentiality requirements on Protected Health Information (“PHI”) • PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. • PHI excludes: • education records covered by FERPA • and employment records held by a covered entity in its role as employer. • PHI may be used and disclosed for treatment, payment and healthcare operation, under an authorization or as permitted by regulation
State Breach Notification Laws • Most of the laws require notification if there has been, or there is a reasonable basis to believe the occurrence of unauthorized access that compromises personal data • “Notice triggering information,” e.g., name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code • Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual • Most apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered
State Breach Notice Laws • Some state laws may require compliance with security standards, e.g., California and Maryland. • Some provide a “safe harbor” for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law. • Some give state’s Attorney General enforcement authority; • Most allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois; • Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 --Rhode Island, Delaware, Nebraska, Ohio set lower thresholds.
AICPA/CICA Privacy Framework • AICPA/CICA Trust Services Privacy Principle • Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the AICPA/CICA Trust Services Privacy Criteria.
AICPA/CICA Privacy Framework • Trust Services Privacy Components and Criteria • The Framework contains 10 privacy components and related criteria that are essential to the proper protection and management of personal information. • These privacy components and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world
AICPA/CICA Privacy Framework Criteria 1-5 • Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. • Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed. • Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information. • Collection. The entity collects personal information only for the purposes identified in the notice. • Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
AICPA/CICA Privacy FrameworkCriteria 6-10 • Access. The entity provides individuals with access to their personal information for review and update. • Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. • Security. The entity protects personal information against unauthorized access (both physical and technical). • Quality.The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice. • Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Information Management • Federal Rules of Civil Procedure (FRCP) • Notice of Security Breach Laws, GLBA, HIPAA
The Federal Rules of Civil Procedure (and most state law) provides the following discovery tools: Depositions Upon Written or Oral Written Questions (Rules 30, 31 and 32) Written Interrogatories (Rule 33) Production of Document or Things (Rule 34) Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34) Physical and Mental Examinations (Rule 35) Requests for Admission (Rule 36) Tools to Ensure or Excuse Discovery Motion to Compel (Rule 37(a)) Sanctions (Rule 37 (b),(c)&(d)) Protective Orders (Rule 26(c)) The Federal Rules of Civil Procedure “The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party’s preparation for trial.” - Blacks Law Dictionary
E-Discovery: 12/2006 • New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) are expected by December of this year. • These Rules are broken into the following categories: • Early attention to electronic discovery issues: Rules 16 and 26(f) • Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2) • New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5) • Interrogatories and Requests for Production of ESI: Rules 33 and 34 • Application of sanctions rules pertaining to ESI: Rule 37
ESI Retention Balanced Against Duty to Preserve • Legal Duty • e.g., Sarbanes–Oxley, HIPAA, FACTA and other document retention requirements • Lawyer’s duty to preserve evidence in discovery and litigation Continued Operations • Normal system Operations • Data Backup • Data Destruction
Duty to Preserve • Duty attaches when a person knows or reasonably anticipates litigation involving identifiable parties and identifiable facts. • Encompasses potential evidence related to identifiable facts, which may shift as litigation proceeds.Stevenson v. Union Pac. R.R., 354 F.3d 739 (8th Cir. 2004) • Exists independent of any preservation demand letter, or court order. Wigington v. Ellis, 2003 WL 22439865 (N.D. Ill. 2003) (Wigington I); Treppel v. Biovail Corp., 233 F.R.D. 363 (S.D.N.Y 2006). • The fact that ESI is not reasonably accessible does not relieve a party from its duty to preserve the information if potentially relevant. Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Zubulake IV”)
Failure to Preserve: Sanctions for Spoliation • Duty to monitor preservation falls on inside and outside counsel. • Potential sanctions will vary on intent and behavior of producing party (bad faith, gross negligence, negligence) and degree of prejudice to the requesting party caused by spoliation. Possible sanctions include: • Fines; • Adverse inference jury instruction; • Striking of a pleading or defense; • Dismissal or default; and • Costs for supplemental discovery.
Right to Destroy • Courts have acknowledged that organizations have the right to destroy - whether or not it is consciously deleted - electronic information that does not meet the internal criteria of information or records requiring retention. • “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business …. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances’ Arthur Andersen, LLP v. United States, 125 S. Ct. 2129, 2135 (2005).
Safe Harbor: Rule 37(f) • The court will not impose sanctions parties who fail to produce ESI that was lost as a result of routine, good faith operation of an electronic information system, absent exceptional circumstances. Rule 37(f) • Good faith destruction of potentially relevant ESI will be difficult to establish when there is a claim pending or has received a credible threat of a claim. • A Committee Note to Rule 37 (f) states: “Good Faith in the routine operation of an information system may involve a party’s intervention to modify or suspend certain features of that routine operation to prevent the loss of information if that information is subject to a preservation obligation.
ESI Retention Risks • Spoliation and Sanction Risks. Because of retention duties, a party persuade the court that those documents that no longer exist were purged pursuant to a policy and were not willfully destroyed or spoliated. • Cost of Retrieval Risk. Knowing where information is stored or if it has been destroyed pursuant to document retention policies will avoid the high costs associated with e-discovery fishing expeditions. • Inability to Defend Risk. The loss of critical evidence potentially leads to the inability to properly defend a claim.
ESI Retention/Destruction Program • Compliance and Auditing Plan • Create or Amend Policy on ESI Retention and Destruction • Indexing and Document Naming System • Attorney-Client Privilege Procedures • Litigation Hold Procedures • Employee Training • Post-Implementation Compliance and Auditing
ESI Retention/Destruction • Review Written vs. Actual ESI Retention Practices • Creation • Use • Disposal • Are electronic records being kept as required by law and internal procedures? • Are electronic records being managed over their entire lifecycle?
ESI Retention/Destruction Program • An ESI Management Program contains many of the elements found in security and privacy programs. • Removal of sensitive ESI on a regular basis will enhance an organization’s privacy and security. • Will lower discovery costs in litigation
Convergence and Compliance Security Privacy Information Management