© 2003, EDUCAUSE Information Privacy: Public Policy and Institutional Policies Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security Task Force Coordinator Wendy Wigen Policy Analyst, EDUCAUSE


Post on 23-Dec-2015


Page 1:

© 2003, EDUCAUSE

Information Privacy: Public Policy and Institutional Policies

Rodney J. Petersen
Policy Analyst, EDUCAUSE
EDUCAUSE/Internet2 Security Task Force Coordinator

Wendy Wigen
Policy Analyst, EDUCAUSE

Page 2: Information Privacy

- Information ~ data and personally identifiable
  - Collection
  - Storage
  - Use
  - Dissemination
- Privacy ~ loss of freedom
  - Volume of information compiled about individuals without their knowledge
  - Unauthorized access to information in computerized databases
  - Electronic surveillance

Page 3: Cyber Security - Public Policy

- Recent Legislation & Regulations
  - HIPAA – Security Regulations
  - Gramm-Leach-Bliley Act Safeguard Rules
- Proposed Legislation
  - S. 1350 Notification of Risk to Personal Data Act
- Prospects for Future Developments
  - Info Security Governance & Accountability

Page 4: Cyber Security - Implications

Campus Policy Issues:
- Designate employee(s) to coordinate
- Conduct a risk assessment
- Inventory Assets
- Identify reasonably foreseeable risks
- Assess the sufficiency of safeguards in place to control these risks
- Design and implement safeguards to control the risks you identified through risk assessment
- Regularly test and monitor the effectiveness of the safeguards

Procedural Issues:
- Confidentiality and Nondisclosure
- Breach notification
- Logging and monitoring
- Identification of departmental contacts
- Blocking network access
- Incident response

Education & Awareness:
- Train Personnel
- Inform Users of Safeguards
- Raise Awareness
- 3rd Party Services

Page 5: Identity Theft – Public Policy

- Fair and Accurate Credit Transactions Act – Signed December 4
  - Will serve as model for privacy/ID theft
  - Incorporates most Identity Theft proposals
- Prevention: SSN’s, Credit Card truncation and red alerts, i.e. address change/new card
- Victim Assistance: rights and education
- Enforcement: coordination and improved technology

Page 6: Identity Theft - Implications

- Eliminate use of Social Security numbers as primary identifiers
- Identity Management
- Identity Theft Awareness & Resources

Page 7: Privacy Policies – Public Policy

- Legislation & Regulations
  - Family Education Rights & Privacy Act
  - Maryland Data Security & Privacy Policies
  - HIPAA – Security Regulations
- Proposed Legislation
  - Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act
- Prospects for Future Developments
  - Notices that are useful & more readable
  - Balancing “compliance” with “ethical” standards

Page 8: Privacy Policies - Implications

- Complicated in large, decentralized academic institutions
- Collection and Disclosure of Personal Information
- Application to “paper” as well as “electronic” practices
- Training, Oversight, and Advocacy

Page 9: SPAM – Public Policy

- CAN-SPAM Act: signed December 15
- Work in progress: main goals
  - Establish a National Law / work toward an International agreement
  - Target egregious spammers / enable law enforcement
  - Protect legitimate e-marketing / establish standards

Page 10: SPAM - Implications

- Referral of user complaints
  - State Attorney General’s Office
  - Department of Justice
  - Federal Trade Commission
- Institutions pursuit of damages
- Acceptable Use Policy/Terms of Service
- Use of SPAM Filtering Software

Page 11: USA PATRIOT Act – Public Policy

- SAFE Act (Security and Freedom Ensured) and Protecting the Rights of Individuals Act
- Addresses:
  - Improved oversight of FBI/DoJ
  - Expanded sunset provisions-demand review for renewal
  - Restores pre-PATRIOT standards for search warrants
  - Clarifies delayed notice or “Sneak and Peek” searches
  - Exempts Libraries/booksellers from National Security Authorities (NSL’s)
- Strong counterbalance to DoJ / signals awareness in Congress

Page 12: USA PATRIOT Act – Implications

- Responding to Law Enforcement Requests
- Voluntary Disclosure of Information
- Logging and Monitoring
- Training of Personnel
- Notification to Users

Page 13:

For more information:

EDUCAUSE D.C. Office

http://www.educause.edu/policy

(202)872.4200

[email protected]@educause.edu