Technology and the Law
Presented at the Greene County Educational Service Center
Bricker & Eckler LLP
Sue W. Yount
C. Allen Shaffer
October 7, 2009
© Bricker & Eckler 2009 2
Format and Introduction
• About 14 separate topics
• Data security/ Public Records requests
• Records Technology
• Acceptable Use of Computers/ Forensics
• Termination and discipline/ Off-Campus computing
• The Copyright Act/ new laws, new technology
• Searching electronics/ “Sexting”
• “cutting edge” problems
• Your Questions
Data and Records: Security, storage, and requests for data
Legal aspects of Data Breaches in Ohio: when must I report?
SWY
Data Security, Data Breaches
Chapter 1347 of the Ohio Revised Code creates duties and responsibilities for those who maintain “personal information systems”
R.C. 1347.05 imposes 8 duties, including –
There must be an individual “caretaker” of the data system who is responsible for overseeing performance of the duties.
Data Security, Data Breaches
1347.12 Agency disclosure of security breach of computerized personal information data.
unauthorized access to . . . computerized data that . . . reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
Data Security, Data Breaches
(6)(a) “Personal information” means . . . an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with . . .
(i) Social security number;
(ii) Driver’s license number or state identification card number;
(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.
Data Security, Data Breaches
When must I disclose the breach?
. . . shall make the disclosure . . . in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to . . . any measures necessary to determine the scope of the breach . . . and to restore the reasonable integrity of the data system.
Data Security, Data Breaches
PRACTICAL reporting of Data Breaches:
- Get ahead of the rumors
- Inform all affected
- Share remediation efforts
- Talk about limits of the risk
Remediation of a Data Breach
CAS
The 1938 “Woolworth” wallet card
- the REAL SSN of the CEO’s secretary
- 40,000+ persons have used the number
- 12 people used it in 1977
- Now, 987-65-4320 to 987-65-4329 are reserved for use in advertisements
Data Security, Data Breaches
• Get back anything you can
• Decide about reporting
• Report to ALL, not just those affected
• Have 1 year of credit monitoring ready to offer (the “gold standard”)
• Suggest www.ftc.com, “Identity theft”
• Have the “fix” ready to talk about
Data Security, Data Breaches
• most data security breaches are not from complicated “hacking” or other outside intervention
• many data breaches do NOT have a financial motive
• “anticipate curiosity”
• get review from those not “burned out” due to familiarity with the system
The Public Records Law and its Interface with Recordkeeping Technology
SWY
Public Records - Definitions
1. Any record that is stored on a fixed medium (e.g. paper, microfiche, the computer, etc.), AND
2. Created, stored, transmitted or received under a public office’s jurisdiction, AND
3. Documents the organization, functions, policies, decisions, procedures, operations or other activities of the school district. R.C. § 149.011(G).
Exceptions to disclosure
1. Medical records (provided that the records pertain to the diagnosis, prognosis or medical condition of an individual AND were created and maintained in the course of treatment).
2. “Records the release of which is prohibited by state or federal law.” R.C. §149.43(A)(1)(v).
Exceptions to disclosure
3. Social Security numbers. State ex rel. Beacon Journal Publishing Co. v. City of Akron, 70 Ohio St.3d 605 (1994).
4. Attorney-client privileged information.
Rights & Responsibilities of a school district under the Public Records Act
1. Prompt inspection of public records. R.C. §149.43(B)(1).
– “Prompt” means within a reasonable period of time or without undue delay, depending on the circumstances.
– Inspections must be allowed during regular business hours.
– Cannot charge an individual for inspecting records, but may charge for requested copies.
Rights & Responsibilities of a school district under the Public Records Act
2. Upon request, copies of public records shall be provided within a reasonable amount of time. R.C. § 149.43(B)(1).
– A “reasonable amount of time” is determined based upon the circumstances of the request.
– May charge actual cost for making copies of the public records.
– Has no duty to provide free copies to any individual who cannot or will not pay for them, regardless of indigent status.
– May require an individual to pay for the copies in advance of the copying.
Rights & Responsibilities of a school district under the Public Records Act
3. Upon request, copies of the records shall be transmitted by mail or other method of delivery.
4. An individual may specify, with certain limitations, that the copies of the public records be in a specific medium.
5. There is no requirement to create a new record to fit the public records request. If the information, however, is in such a format (e.g. computer) that would allow a tailored response to the request, then it exists in that form and must be disclosed in that form.
Rights & Responsibilities of a school district under the Public Records Act
6. Undue burden or expense is not a valid reason for refusing to comply with a public records request. State ex rel. Beacon Journal Publishing Co. v. Andrews, 48 Ohio St.2d 283 (1976). Where a public records request unreasonably interferes with the discharge of a records custodian’s duties or endangers the safety of the record, however, the school district may not be required to comply with the request.
Redaction & Withholding Documents
1. If a public body redacts a record, the person responsible for the record must notify the person requesting documents of any redaction made, or make the redaction plainly visible.
2. Any redaction of information pursuant to a public records request is deemed to be a denial of the request “except if federal or state law authorizes or requires a public office to make the redaction.”
Redaction & Withholding Documents
3. Upon ultimate denial of a request, the public body is required to provide an explanation, including citations to legal authority, for its denial of a request.
The Problem of E-Mail
• You must keep all e-mails that are public records in accordance with a records retention policy.
• Are e-mails sent and received on private accounts public records?
Ohio Office of Information Technology
• Any communication that documents your organization itself and/or functions, policies, decisions, procedures, operations or other activities of your office, is a public record. This applies whether your communication is from a personal e-mail account (ex: yahoo, hotmail), personal instant message account (ex: AIM), personal Internet chat room, text message from your personal cell phone, or other means. Similarly, it applies whether you are sending the communication from a personal laptop, cell phone, Blackberry, PDA, or similar device.
Ohio Office of Information Technology
• Others disagree. R.C. 149.43 (A)(1) says, "Public record" means records kept by any public office.
• State ex rel Glasgow v. Jones (2008) 119 Ohio State 3d 391, 2008 Ohio 4788 at ¶ 23:
– Based on this concession, we need not address the issue whether an e-mail message sent from or to a private account can be a public record.
The Problem of E-Mail
• In Toledo Blade, supra, the Supreme Court ruled that deleted e-mail messages remain public records as long as they remain on a hard drive.
Toledo Blade
• Court can order public body to reconstruct deleted e-mails upon the following showings:
– The e-mails have not been destroyed.
– The e-mails were deleted in violation of records retention and destruction policy.
– There must be some evidence that recovery may be successful.
Toledo Blade
• Just because recovery would be expensive does not bar the Court from ordering that it be attempted.
• Recovery effort only needs to be reasonable, not Herculean.
Problems with electronic storage of records
• How do you destroy them?
• Is the software right?
• Is it reliable?
• What about technology changes?
“ESI” – Electronically Stored Information and Public Records or e-discovery
CAS
A large and rapidly expanding “Digital Universe”
SOURCE: IDC, “The Diverse and Exploding Digital Universe: An Updated Forecast of Worldwide Information Growth Through 2011” (March 2008), Figure 1 used with permission.
Greater Complexity In the Storage and Use of ESI
Potential Sources of ESI
• Network email servers
• File servers, application servers
• Third party hosts – AOL, Yahoo, Google, MSN
• PDAs, Blackberries, Treos, Smart phones
• Diskettes, CDs, DVDs, Thumb drives
• Voice mail, cell phones, text messages
• Home computers
• Websites and intranets
• i-Pods
• Web 2.0: Social Networks, Blogs, Wikis, Cloud Computing
The Dynamic and Fragile Nature of ESI
The Convergence
Records Retention
Legal Discovery
These two issues are converging from both legal process and technology perspectives.
Both records managers and lawyers face significant eRetention and eDiscovery issues
What is the Challenge Facing Lawyers and Records Managers?
They must understand:
• Where ESI is
• What ESI should be preserved
• How it is technologically stored and managed
What is the Challenge Facing Information Technology?
IT is being asked not just to archive and back up information, but also to help classify it, policy manage it, and efficiently preserve, search, retrieve, and produce it.
Duty to Preserve
• What preservation steps must be taken?
Preservation Steps
• Written notice must be issued to every custodian of potentially relevant ESI with detailed explanation of what ESI might be relevant in the litigation, and explanation of what to do to preserve
Preservation Steps
• Must be followed by meeting with each custodian, and measures to isolate relevant ESI, while preserving metadata
Preservation Steps
• The legal hold must be monitored by counsel, the hold notice must be periodically reissued, and it must be updated as conditions change
Public Records vs. Ediscovery
Public Records have a number of automatic (statutory) exceptions.
EDiscovery has few exceptions, and a judge must agree. (e.g., irrelevancy)
BOTH are ESI we must manage and sometimes produce!
Acceptable Use of Computers and Investigating Misuse
Acceptable Use of Computers
The District’s Acceptable Use Policy is the single most important tool in managing the misuse of technology
SWY
Acceptable Use of Computers
The AUP permits our investigation and gives notice of potential discipline; dismissal or termination
Acceptable Use of Computers
The AUP must cover:
• No expectation of privacy – complete waiver of privacy rights
• District owns the system and makes all the rules
• Personal use, if permitted, is limited and does not misuse work time
• Responsibility for protection of student confidential data
Acceptable Use of Computers
Our experience with misuse by staff:
• Not “borderline” abuse
• Investigation many times triggered by non-computer events
• Often massive amounts of work time used for surfing or outside business; “content-neutral”
• Weight of computer evidence provokes resignation
Computer Forensics “light”: Investigating Misuse of Computers and diversion of work time by employees
CAS
A Word on Computer Forensics
• Used to identify and review “deleted data” that persists on the hard drives until overwritten
• Data persists in the “slack space”
• Painstaking, expensive, time consuming
• Anti-Forensics
• Trained personnel & forensic software
How investigations begin…
Where is the “crime scene?”
[Diagram: Perpetrator’s System, Victim’s System, Electronic Crime Scene, Cyberspace]
WARNING:
OFFLINE content on the hard drive is “fair game”
NEVER go “online” to access a subject’s accounts without permission or a search warrant!
DO “try this at home”:
Web Historian: www.mandiant.com
When teachers or staff misuse access to District computers, what rules apply?
Termination for Misuse (staff)
Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:
1(g) Using technology to intentionally host or post improper or inappropriate material that could reasonably be accessed by the school community.
SWY
Termination for Misuse (staff)
Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:
2 (i) Using technology to promote inappropriate communications with students.
Termination for Misuse (staff)
Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:
5 (a) Willfully or knowingly violating any student confidentiality required by federal or state laws, including publishing, providing access to, or altering confidential student information on district or public web sites such as grades, personal information, photographs, disciplinary actions, or individual educational plans (IEPs)
Termination for Misuse (staff)
Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:
7 (h) Using school property without the approval of the superintendent or designee and/or not in accordance with local board policy (e.g., technology, copy machines, vehicles).
Termination for Misuse (staff)
Using Existing Board Policy (Cyberspace is NOT a “separate place”)
• Inappropriate student relationships
• Fraternizing
• Professional Conduct
• Misuse of District Resources
• AND – Make sure that the AUP is authorized by and “springs from” Board policy regarding computers
Termination for Misuse (staff)
Experiences with Computer misuse by Staff and Collective Bargaining Agreements:
• These are NOT “borderline” cases
• Overwhelming evidence generated by the system
• District looks at system AFTER problems spark an investigation – not “routine”
What speech is “free”? (staff)
• The Pickering test still applies:
- speech as a citizen on a matter of public interest, balanced against:
- the right of the District to avoid disruption of the workplace (Pickering v. Bd. of Education, 391 U.S. 563 (1968))
• See also: Garcetti v. Ceballos, 547 U.S. 410 (2006)
- the Court will not “constitutionalize a grievance”
Teacher activities in Cyberspace: Blogging, social networking, Tweeting and other communications
CAS
The “Drunken Pirate” case
Hennessy v. City of Melrose, 194 F.3d 237 (1999)
. . . requires the court to strike a balance between the interests of the teacher, as a citizen, in commenting upon matters of public concern and the interest of the State, as an employer, in promoting the efficiency of the public services it performs through its employees.
Hennessy v. City of Melrose, 194 F.3d 237 (1999)
Expression should not be considered in a vacuum; the manner, time, and place of the employee's expression are relevant, as is the context in which the dispute arose . . . whether the statement impairs discipline by superiors or harmony among co-workers, has a detrimental impact on close working relationships or impedes the performance of the speaker's duties.
“On-line disinhibition effect”
Many people feel a “distance” from their actions on a computer/ on the Internet that they would never feel otherwise
Psychologists have likened it to the phenomenon of “mob behavior”, where individual limits and values are submerged in the anonymity of the mob
Rule of Thumb?
“Blog” or otherwise put on the Internet those things that you would feel comfortable standing in front of the local Grocery and saying to customers, while illustrating your points on a whiteboard.
When students misuse access to District computers, or “act up” on the Internet, what rules apply?
Dismissal for Misuse (students)
The Student Acceptable Use Policy: again, the most important tool for the District
• Must cover known and emerging technology
• Focuses on OUR system and on OUR time
• Can be a “teachable moment”
• No expectation of privacy, and no ownership
• Tailored to District practices, teaching needs
SWY
Dismissal for Misuse (students)
The “Tinker” Standard of “substantial disruption”
Tinker v. Des Moines Ind. Comm. Sch. Dist., 393 U.S. 503 (1969) (suspension of students for wearing black armbands protesting the Vietnam War)
“students and teachers do not shed their constitutional rights to freedom of speech or expression at the schoolhouse gate”
Dismissal for Misuse (students)
The “True Threat” Analysis
– D.F. v. Bd. of Educ. of Syosset Central Sch. Dist. (E.D.N.Y., 2005) 386 F. Supp.2d 119
• A student wrote a fictional story of graphic violence and sexual acts in his school journal and read the story aloud to his classmates. The student was suspended.
• The court ruled that because the story involved real students and used real names, it constituted a “true threat” and did not qualify as free speech. The student’s suspension was upheld.
Dismissal for Misuse (students)
The “Mission of Education” or “Who’s in Charge Here” Analysis
Bethel School Dist. v. Fraser, 478 U.S. 675 (1986)
(Student gave a speech at a school assembly nominating another for elective office. The speech referred to the candidate in “terms of an elaborate, graphic, and explicit sexual metaphor”).
“the Federal Constitution does not compel teachers, parents, and elected school officials to surrender control of the American public school system to public school students”
“Off-Site” computing by students using private equipment; what happens when it offends?
CAS
Dismissal for Misuse (students)
The potential new “Student Welfare” standard
from Morse v. Frederick, 551 U.S. 393 (students unfurled a banner reading “Bong Hits 4 Jesus” during a televised Olympic torch relay. Student suspended 10 days)
“the First Amendment does not require schools to tolerate at school events student expression that contributes to the danger of drug use”
Dismissal for Misuse (students)
The problem: Layshock v. Hermitage Sch. Dist., 496 F. Supp 2d 587 (W.D. Pa. 2007)
The very specific facts of this case place it squarely on the borders of almost all of our previous understanding of discipline for student speech and off-campus activities.
Therefore, each new Court has seen this case differently and reached a different result!
Dismissal for Misuse (students)
Libel and Defamation is the only LEGAL assistance for teachers and administrators; however,
• Unions, administrators, and counsel for both have joined together to get such sites removed from the internet
• All such sites are contrary to the “terms of service” of the various social network services
Copyright law for teachers in a Digital Environment
General Copyright Law
• Fair Use
• Educators may use copyrighted materials within their own classrooms without express permission from the copyright owner.
SWY
General Copyright Law
What is Fair Use?
The guidelines apply to use that is:
• ...without permission,
• ...of portions,
• ...of lawfully acquired copyrighted works,
• ...in educational multimedia projects,
• ...created by educators or students,
• ...as part of a systematic learning activity,
• ...by nonprofit educational institutions.
General Copyright Law
Fair Use Standards:
• The purpose and character of the use
• The nature of the copyrighted work
• The amount and substantiality of the portion used in relation to the work as a whole
• The effect of the use upon the potential market for or value of the work
Specific new copyright law: the “Digital Millennium”, Chafee Amendment, and the TEACH Act
CAS
Digital Millennium Copyright Act (DMCA)
Section 230:
- “service provider” not liable if:
- Does not have actual knowledge
- Not aware of circumstances from which infringement is apparent
- if knows, acts expeditiously to remove
- Does not receive a financial benefit
The Chafee Amendment (Section 168)
• May reproduce any and all copyrighted works for the use of the blind and disabled
• “Disabled” is an old definition from a 1930’s law – it requires “an organic basis” for the disability
• In the opinion of most, reading disabilities “have an organic basis”, at least in part
• Applies to material, for example, for use in a Kurzweil 3000
• Make sure parents sign an agreement
The TEACH Act
• Recognizes the “digital classroom” in distance learning environments
• Basically allows all that is necessary for teachers to use copyrighted material in distance learning classes in the same way they use it in physical classrooms
• Some extra provisions require minimal “copyright law training” for staff in order to use the protections of the Act.
Ownership of Student Work
• Releases used to say “the District owns all student work” when releases were gathered for exhibitions, web use, publication, etc.
• New trend is for releases to give District a “license to use” student work for the purpose – student retains all other rights
• District and student may share if work was created with significant District resources
• What is arguably the most famous piece of student artwork in America?
Student Possession of contraband electronic information or devices
Searching Student Devices
Again, Cyberspace is not a “new place”
We can apply what you know from previous law
SWY
Searching Student Devices
Student searches, since 1985, have been governed by a standard of “reasonableness”, because of the need for school officials to maintain order, and to preserve health, safety and discipline in the schools.
Reasonableness is much lower than “probable cause”, and takes in “all the circumstances”
The search should be justified, and reasonably related in scope to the circumstances that brought it about.
New Jersey v. T.L.O., 469 U.S. 325 (1985)
Searching Student Devices
“Justified” (the first part of the test) is satisfied “when there are reasonable grounds for suspecting that the search will turn up evidence that the student has violated or is violating either the law or the rules of the school”.
Searching Student Devices
“Scope” (the second part of the test) is satisfied when “the measures adopted for the search are reasonably related to the objectives of the search and not excessively intrusive in light of the age and sex of the student and the nature of the infraction”.
Federal and State Law as applied to “sexting”: a lack of choices for educators
CAS
Searching Student Devices
An enormous difference exists when a search turns up a nude or semi-nude photograph that could be of a minor:
Both the Federal Child Pornography law and various Ohio laws can apply to persons who possess, copy, or distribute such images.
Searching Student Devices
Consider the “Zip-Loc Bag” approach –
Secure the evidence and immediately turn it over to the appropriate administrator.
Any other act, no matter how reasonable or kind, may place the discoverer at risk under these very stringent laws.
Searching Student Devices
Administrators receiving such evidence must immediately inform law enforcement and transfer the evidence to them.
Do not copy (even for safekeeping) or show to others (distribution).
Do students have email or network storage spaces in your District?
You must act, even if you disagree with penalties as they are.
Challenges we soon must solve - where law and technology mix
The problem of e-mail: how to index it for retrieval and how long to keep it
The Problem of E-Mail
• “Managing Electronic Mail: Guidelines for State of Ohio Local Governments,” Ohio Historical Society:
– Simply backing up the e-mail system onto tapes or other media or purging all messages after a set amount of time are not appropriate strategies for managing e-mail. (!)
Four Categories of E-Mail Retention
• Non-record messages
• Transitory messages
• Intermediate messages
• Permanent messages
Non-Record Materials
• E-mail messages that do not meet the criteria of the Ohio Revised Code definition of a record may be deleted at any time, unless they become part of some official record as a result of special circumstances.
Transient Retention
• Includes telephone messages, drafts and other limited documents which serve to convey information of temporary importance in lieu of oral communication.
• Suggested Retention: Until no longer of administrative value, then destroy. No RC-3 required.
Intermediate Retention
• These may include (but are not limited to):
– General Correspondence: includes internal correspondence (letters, memos). This correspondence is informative (it does not attempt to influence policy). Suggested Retention: 1 year, then destroy.
– Monthly and Weekly Reports: Document status of on-going projects and issues; advise supervisors of various events and issues. Suggested Retention: 1 year, then destroy.
Permanent Retention
• Executive Correspondence: Correspondence dealing with significant aspects of the administration of their offices. Correspondence includes information concerning agency policies, program, fiscal and personnel matters. Suggested Retention: 2 years, then appraise for historical value.
Social engineering attacks: the greatest threat to your data security
CAS
Types of Cyberattacks, by percentage (FBI)
• Financial fraud: 11%
• Sabotage of data/networks: 17%
• Hacked from the outside: 25%
• Unauthorized access by insiders: 71%
• Employee abuse of privileges: 79%
• Viruses: 85%
What was done to insiders caught misusing company information?
• Oral admonishment: 54.3%
• Written admonishment: 20.9%
• Suspended: 5.4%
• Resigned: 6.2%
• Fired: 8.5%
• Referred to Law Enforcement: 1.6%
• Out-of-Court settlement: 0.0%
• No action: 3.1%
• Other: 0.0%
Protecting your Computer Systems: Immediate, no cost, high-yield
• Here are some definitions of social engineering:
– The art and science of getting people to comply with your wishes.
– An outside hacker’s use of psychological tricks on legitimate users of a computer system in order to obtain information he/she needs to gain access to the system.
– Getting needed information (e.g., a password) from a person rather than breaking into a system.
Protecting your Computer Systems: Immediate, no cost, high-yield
• Many experienced security experts emphasize this fact: No matter how many articles are published about network holes, patches, and firewalls, security experts can only reduce the threat so much.
• Beyond that, it is up to those who have access to the system not to allow themselves to be taken advantage of.
Protecting your Computer Systems: Immediate, no cost, high-yield
• The most prevalent type of social engineering attack is conducted by phone.
• A hacker will call up and imitate someone who is either in a position of authority or an otherwise relevant person and gradually pull the information out of the target of the attack (your employee).
Protecting your Computer Systems: Immediate, no cost, high-yield
• Help desks are a gold mine for social engineering because they are there to help people with their problems.
• Most help desk employees are minimally focused on the area of security.
• This can create a huge security hole.
Protecting your Computer Systems: Immediate, no cost, high-yield
• A huge amount of information can be collected through dumpsters.
• Potential security leaks in the trash include:
– phone books: names and numbers of people the attacker can impersonate.
– policy manuals: show hackers how secure or insecure the entity really is.
– calendars of various kinds: tell the attacker when people might be out of town.
Protecting your Computer Systems: Immediate, no cost, high-yield
– Printouts of sensitive data or login names and passwords.
– Printouts of source code.
– Outdated hardware: particularly hard drives.
– Organization charts: show people who are in positions of authority.
Protecting your Computer Systems: Immediate, no cost, high-yield
• The Internet is fertile ground for social engineers looking to harvest passwords.
• The primary weakness is that many users often repeat the use of one simple password on every account.
• One way in which hackers have been known to obtain passwords is through on-line forms. Naïve users are asked to provide a name, e-mail address, and password.
Protecting your Computer Systems: Immediate, no cost, high-yield
• Employee training is essential.
• Many entities make the mistake of only planning for attacks on the physical side.
• That leaves them open to social engineering types of attacks.
• Management must understand the importance of developing and implementing well-rounded security policies and procedures.
Protecting your Computer Systems: Immediate, no cost, high-yield
• Several signs of possible trouble according to the Computer Security Institute:
– Refusal to give contact information
– Rushing
– Name-dropping
– Intimidation
– Misspellings
– Odd questions
– Requesting forbidden information
Questions?
Sue W. Yount 614.227.2336
C. Allen Shaffer 614.227.4868