© 2003, EDUCAUSE
Information Privacy: Public Policy and Institutional Policies
Rodney J. Petersen, Policy Analyst, EDUCAUSE
EDUCAUSE/Internet2 Security Task Force Coordinator
Wendy Wigen, Policy Analyst, EDUCAUSE

Information Privacy
- Information ~ data and personally identifiable
  - Collection
  - Storage
  - Use
  - Dissemination
- Privacy ~ loss of freedom
  - Volume of information compiled about individuals without their knowledge
  - Unauthorized access to information in computerized databases
  - Electronic surveillance

Cyber Security - Public Policy
- Recent Legislation & Regulations
  - HIPAA – Security Regulations
  - Gramm-Leach-Bliley Act Safeguard Rules
- Proposed Legislation
  - S. 1350 Notification of Risk to Personal Data Act
- Prospects for Future Developments
  - Info Security Governance & Accountability

Cyber Security - Implications
- Campus Policy Issues:
  - Designate employee(s) to coordinate
  - Conduct a risk assessment
  - Inventory Assets
  - Identify reasonably foreseeable risks
  - Assess the sufficiency of safeguards in place to control these risks
  - Design and implement safeguards to control the risks you identified through risk assessment
  - Regularly test and monitor the effectiveness of the safeguards
- Procedural Issues:
  - Confidentiality and Nondisclosure
  - Breach notification
  - Logging and monitoring
  - Identification of departmental contacts
  - Blocking network access
  - Incident response
- Education & Awareness:
  - Train Personnel
  - Inform Users of Safeguards
  - Raise Awareness
  - 3rd Party Services

Identity Theft – Public Policy
- Fair and Accurate Credit Transactions Act – Signed December 4
  - Will serve as model for privacy/ID theft
  - Incorporates most Identity Theft proposals
  - Prevention: SSN’s Credit Card truncation and red alerts i.e. address change/new card
  - Victim Assistance: rights and education
  - Enforcement: coordination and improved technology

Identity Theft - Implications
- Eliminate use of Social Security numbers as primary identifiers
- Identity Management
- Identity Theft Awareness & Resources

Privacy Policies – Public Policy
- Legislation & Regulations
  - Family Education Rights & Privacy Act
  - Maryland Data Security & Privacy Policies
  - HIPAA – Security Regulations
- Proposed Legislation
  - Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act
- Prospects for Future Developments
  - Notices that are useful & more readable
  - Balancing “compliance” with “ethical” standards

Privacy Policies - Implications
- Complicated in large, decentralized academic institutions
- Collection and Disclosure of Personal Information
- Application to “paper” as well as “electronic” practices
- Training, Oversight, and Advocacy

SPAM – Public Policy
- CAN-SPAM Act: signed December 15
- Work in progress: main goals
  - Establish a National Law/ work toward an International agreement
  - Target egregious spammers/ enable law enforcement
  - Protect legitimate e-marketing/ establish standards

SPAM - Implications
- Referral of user complaints
  - State Attorney General’s Office
  - Department of Justice
  - Federal Trade Commission
- Institutions’ pursuit of damages
- Acceptable Use Policy/Terms of Service
- Use of SPAM Filtering Software

USA PATRIOT Act – Public Policy
- SAFE Act (Security and Freedom Ensured) and Protecting the Rights of Individuals Act
- Addresses:
  - Improved oversight of FBI/DoJ
  - Expanded sunset provisions-demand review for renewal
  - Restores pre-PATRIOT standards for search warrants
  - Clarifies delayed notice or “Sneak and Peek” searches
  - Exempts Libraries/booksellers from National Security Authorities (NSL’s)
- Strong counterbalance to DoJ/ signals awareness in Congress

USA PATRIOT Act – Implications
- Responding to Law Enforcement Requests
- Voluntary Disclosure of Information
- Logging and Monitoring
- Training of Personnel
- Notification to Users
For more information:
EDUCAUSE D.C. Office
http://www.educause.edu/policy
(202)872.4200
[email protected]@educause.edu