Dr. Don Lloyd Cook Gill Ragon Owen, PA

 Practicing law in AR since 1989  Virginia Tech, Ph.D. in Marketing ◦ Virginia Tech Congressional Fellow in the office of Congressman Rick Boucher (1996)  Taught at Louisiana Tech University, Georgia State University and University of New Mexico.

 Certified Information Privacy Professional (CIPP) 2004; CIPP/Canada 2006  Acxiom Corporation ◦ Privacy and Risk Consultant  Feeva Technology ◦ Chief Privacy Officer and later General Counsel  Walmart, Inc ◦ Director of Privacy  Lunarline, Inc ◦ Director of Privacy

 Counsel at Gill Ragon Owen, P.A. ◦ Member of the Privacy and Data Management Practice ◦ Principal Blogger at “The View from 30,000 Feet”  (we will come back to this later) ◦ Ponemon Institute Distinguished Fellow

 Breaches are common ◦ 4,457 DATA BREACHES made public since 2005 ◦ Over 900 million records breached  Breaches are expensive (Ponemon Institute) ◦ Average cost per record breached of $145  Regulators are paying attention ◦ New laws, new techologies  Consumers and Investors are paying attention ◦ Just ask Gregg Steinhafe.

 Higher Ed Breaches in the Last Year (handout via the Chronology of Data Breaches)  22 significant breaches  Over 1 million records breached  Costs ◦ Direct vs. indirect ◦ Damage to brand equity  Admissions  Donor support (GT)

 FERPA  FACTA  HIPAA/HITECH  Notification Framework  Minnesota Plastic Card Security Act  Regulatory Actions  Civil Litigation

 Network Operations ◦ Multiple networks and access points  Internet Usage and Social Networks  Outsourcing  IT Implementation  Healthcare and Additional Miscellaneous Risks  Decentralized Culture  Massive record keeping  Academic and Personal Freedom  Budget

 University of Miami (2008) ◦ Backup tapes containing 2.1 million medical records stolen from off-site storage  Hired expert to determine whether information on tapes was accessible  Notified 47,000 individuals whose financial information was compromised  Established website and call center to handle information requests

 UCLA Health Systems ( ) ◦ Employees of the health system, repeatedly and without authorization viewed protective health information of patients (celebrities) ◦ Office of Civil Rights investigated ◦ UCLA agreed to corrective action and paid a settlement of $865,000

 Unidentified Major State University ( ) ◦ Since 2009 more than 100,000 faculty, alumni, student and parent records, including names, SSNs, credit card information ◦ Class action lawsuit seeking 2 years credit monitoring, fraud resolution services for affected individuals ◦ Also seeks injunction mandating the university take additional measures to protect personally identifiable information

 Be Proactive  Privacy by Design for New Applications, particular for BYOD  Develop the expertise, internally and externally ◦ Information inventory ◦ Policies and procedures  Build a culture of privacy  Contractual risk sharing and insurance

 International Association of Privacy Professionals (IAPP) ◦ Education and Certification ◦ Daily Dashboard and other resources  The View from 30,000 Feet The View from 30,000 Feet ◦ Privacy blog from Gill Ragon Owen

 Perform an information audit so you can evaluate your risk  Strong passwords and encryption  Use social media for advertising and building relationships, not for monitoring employees  Look at your partner/vendor contracts. Who bears the risk?  Make your policies clear and enforce them  Flash drives are evil  BYOD is a godsend/disaster  SECURE YOUR NETWORKS

 An ounce of prevention can be worth big bucks down the road!  Outsourcing may be cheaper  Capitalize on the misfortune of others  Insurance can help you manage the risk  There are software solutions, vendors, experts and other resources to steer you through the process  Shredders are cheap!

?