Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator EDUCAUSE

IT Policy Framework

Law: Constitution, federal & state laws, liability

Values: academic freedom, community expectations, privacy vs. access

Ethics: responsible use, stewardship

Morality: absolutes

Agenda Topics

U.S. Constitution

Federal Law and Regulation

State Law and Regulation

Contractual Obligations

Emerging Case Law

Emerging Policy Issues

Dimensions of Privacy

Personal Privacy – the right or interest for individuals to keep their personal information, communications, and facts concerning them out of the hands of unauthorized parties.

Privacy Protection – the responsibility or stewardship role of a 3rd party that holds personal data concerning an individual that has been entrusted to them.

Data and the Constitution

14th Amendment: No state shall . . . deprive any person of life, liberty, or property, without due process of law.

4th Amendment: People have the right . . . to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures . . . no warrants shall issue [without] probable cause . . .

Federal Law

Electronic Communications Privacy Act (ECPA)

Family Educational Rights and Privacy Act (FERPA)

Federal Information Security Management Act (FISMA)

Foreign Intelligence Surveillance Act (FISA)

Gramm-Leach-Bliley Act (GLBA)

Health Information Portability and Accountability Act (HIPAA)

FTC Regulatory Enforcement

ChoicePoint – settlement for $10 million in civil penalties and $5 million to be used to reimburse consumers for expenses due to identity theft caused by the security breach.

BJ’s Wholesale Club – ordered to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”

Guidance Software, Inc. – settled over its failure to take reasonable security measures to protect sensitive customer data, which contradicted security promises made on its Web site and violated federal law. The data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.

State Law

Data Incident (Breach) Notification Laws

  • Define what constitutes a “breach”

  • Establish procedures for “notifications”

  • Qualified by exceptions and protections

Privacy Policies for Websites

  • Applies to collection of “personal records”

  • Specifies “notice” requirements

  • Websites only

“Notice” and Other Principles

1. The purpose for which the personal information is collected;

2. Any specific consequences to the person for refusal to provide the personal information;

3. The person’s right to inspect, amend, or correct personal records, if any;

4. Whether the personal information is generally available for public inspection;

5. Whether the personal information is made available or transferred to or shared with any entity other than the official custodian.

Fair Information Practices

Notification

Minimization

Secondary Use

Nondisclosure and Consent

Need to Know

Data Accuracy, Inspection, and Review

Information Security, Integrity, and Accountability

Education

Contractual Obligations

Contract law is a function of state law and “common law”

Procurement of Hardware and Software

Outsourced Services (data handling, email, etc.)

Government Contracts and Grants (e.g., NASA, NIH, NSF, ED, etc.)

Payment Card Industry – Data Security Standard (PCI DSS)

Desktop Configuration

Case Law

Based upon Tort/Negligence Law

  • Duty

  • Breach of Duty

  • Damages

  • Foreseeable Risks

Public Policy

Identity Theft

Social Security Number use

Data Privacy and Security Proposals

FISA Amendments

Communications Assistance for Law Enforcement Act

Data Retention

For More Information

EDUCAUSE/Internet2 Security Task Force
http://www.educause.edu/security

EDUCAUSE Washington Office
http://www.educause.edu/policy

Rodney Petersen
Email: [email protected]
202.331.5368