Insights on the Legal Landscape for Data Privacy in Higher Education
Rodney Petersen, J.D., Government Relations Officer and Security Task Force Coordinator, EDUCAUSE
IT Policy Framework
Law: Constitution, federal & state laws, liability
Values: academic freedom, community expectations, privacy vs. access
Ethics: responsible use, stewardship
Morality: absolutes
Agenda Topics
U.S. Constitution
Federal Law and Regulation
State Law and Regulation
Contractual Obligations
Emerging Case Law
Emerging Policy Issues
Dimensions of Privacy
Personal Privacy – the right or interest for individuals to keep their personal information, communications, and facts concerning them out of the hands of unauthorized parties.
Privacy Protection – the responsibility or stewardship role of a 3rd party that holds personal data concerning an individual that has been entrusted to them.
Data and the Constitution
14th Amendment: No state shall . . . deprive any person of life, liberty, or property, without due process of law.
4th Amendment: People have the right . . . to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures . . . no warrants shall issue [without] probable cause . . .
Federal Law
Electronic Communications Privacy Act (ECPA)
Family Educational Rights and Privacy Act (FERPA)
Federal Information Security Management Act (FISMA)
Foreign Intelligence Surveillance Act (FISA)
Gramm-Leach-Bliley Act (GLBA)
Health Information Portability and Accountability Act (HIPAA)
FTC Regulatory Enforcement
ChoicePoint – settlement for $10 million in civil penalties and $5 million to be used to reimburse consumers for expenses due to identity theft caused by the security breach.
BJ’s Wholesale Club – ordered to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”
Guidance Software, Inc. – settled for its failure to take reasonable security measures to protect sensitive customer data, which contradicted security promises made on its Web site and violated federal law. The data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.
State Law
Data Incident (Breach) Notification Laws: define what constitutes a “breach”; establish procedures for “notifications”; qualified by exceptions and protections.
Privacy Policies for Websites: apply to collection of “personal records”; specify “notice” requirements; websites only.
“Notice” and Other Principles
1. The purpose for which the personal information is collected;
2. Any specific consequences to the person for refusal to provide the personal information;
3. The person’s right to inspect, amend, or correct personal records, if any;
4. Whether the personal information is generally available for public inspection;
5. Whether the personal information is made available or transferred to or shared with any entity other than the official custodian.
Fair Information Practices
Notification
Minimization
Secondary Use
Nondisclosure and Consent
Need to Know
Data Accuracy, Inspection, and Review
Information Security, Integrity, and Accountability
Education
Contractual Obligations
Contract law is a function of state law and “common law”
Procurement of Hardware and Software
Outsourced Services (data handling, email, etc.)
Government Contracts and Grants (e.g., NASA, NIH, NSF, ED, etc.)
Payment Card Industry – Data Security Standard (PCI DSS)
Desktop Configuration
Case Law
Based upon Tort/Negligence Law: duty, breach of duty, damages, foreseeable risks
Public Policy
Identity Theft
Social Security Number use
Data Privacy and Security Proposals
FISA Amendments
Communications Assistance for Law Enforcement Act
Data Retention
For More Information
EDUCAUSE/Internet2 Security Task Force: http://www.educause.edu/security
EDUCAUSE Washington Office: http://www.educause.edu/policy
Rodney Petersen
Email: [email protected]
Phone: 202.331.5368