Security Professionals Workshop: Legal Issues in Computer and Network Security Peter C. Cassat.
Introduction and Agenda Purpose: Provide an overview of the legal issues confronting institutions of higher education in the area of IT security. From a legal perspective, IT security is intertwined with privacy law. Network security compromise resulting in breach of obligation to maintain privacy can give rise to liability. Discuss some of the challenges unique to educational institutions and what practical steps can be taken.

Current Environment Colleges and universities increasingly operate in electronic environments that are themselves increasingly complex. Increased use of networked systems has resulted in a proliferation of electronic records, data, devices and communications. This is true for traditional classroom instruction, as well as for new delivery methods and media (e.g., distance learning, streaming media, content repositories).

Current Legal Landscape No comprehensive federal privacy or security laws. Instead, there is a patchwork of federal and state laws that affect or potentially affect institutions. Federal privacy laws to date largely aimed at curbing certain, perceived specific abuses or potential abuses of privacy rights. The extent to which these laws apply specifically to electronic environments and educational institutions varies.

Federal Privacy/Security Laws The most significant federal privacy law for educational institutions remains FERPA, which generally requires institutions to refrain from disclosing student educational records. FERPA could be interpreted to impose liability even where the disclosure of information is the result of unauthorized network access. The increased proliferation of electronic records, with no clear delineation between non-covered communications and protected educational records, raises additional issues.

Other Federal Privacy/Security Laws Other relevant federal laws include: HIPAA (restricts disclosure of personal health information); ECPA (applies to disclosure of electronic records or communications); USA Patriot Act (grants law enforcement increased access to electronic communications).

New Federal TEACH Act Recently enacted federal legislation relaxes copyright restrictions but carries with it obligations that have privacy and security implications. Requirements: limit transmissions to enrolled students to the extent technologically feasible; must institute technological means to prevent unauthorized retransmission.

Gramm-Leach-Bliley (GLBA) GLBA applies to financial institutions, which include educational institutions. Educational institutions are not subject to the GLBA privacy rules if they comply with FERPA. There is no comparable safe harbor for the GLBA security rules, which go into effect on May 23, 2003.

GLBA Security Rule Requirements Develop, implement and maintain a comprehensive, written information security program. Designate employee(s) to coordinate program. Identify reasonably foreseeable internal and external risks and assess those risks. Design and implement safeguards to control those risks. Oversee service providers (including by contract).

Other Federal Laws and Regulations Other significant federal laws and regulations in the privacy area (but they apply only tangentially to non-profit educational institutions): COPPA (children); FTC’s Section 5 Jurisdiction (enunciates core privacy principles).

State Law -- the Sleeping Giant State common law and statutes protecting the right of privacy should not be overlooked. Many states also have adopted laws specifically criminalizing electronic eavesdropping or computer theft. Moreover, the absence of comprehensive federal standards is leading to a proliferation of state online privacy laws, e.g., MN and CA (an example of “be careful what you ask for”).

State Law (continued...) Numerous states are considering or adopting “little DMCAs.” There is a possible, or even likely, potential for negligence suits based on unauthorized disclosures of confidential information. FERPA, the GLBA Security Rule or even the President’s outline for a national cyber-security strategy could be pointed to as standards in a state lawsuit alleging negligence in failing to protect personal information.

Additional Observations There is an absence of uniform standards relating to optimal or mandatory levels of security. There are no uniform standards relating to acceptable means of authentication or binding e-contracts for use where consent to disclosure is required.

Observations (continued) The technological and legal landscapes together provide increased complexity, decreased certainty and therefore increased risk. Problems are complicated by the inherent friction between the need to ensure security and prevent unauthorized access, on the one hand, and the desire to protect privacy on the other. These challenges are exacerbated in the educational environment, where decision making often reflects traditional educational values of openness, informal policy making, and decentralized control.

Where We Go From Here The current path suggests increased costs associated with compliance, legal exposure, and policy making. A unilateral policy-making process is a double-edged sword (the greatest exposure may result from failure to follow adopted policies). At the same time, challenges may present opportunities.

Practical Suggestions Review and analyze applicable state laws as well as federal legal obligations. Assess information security vulnerabilities. Review IT security and privacy policies. Review personnel/user policies and procedures focusing on security. Promptly implement safeguards when vulnerabilities are identified and minimize creation and retention of harmful records.

Practical Suggestions (cont.) Scrutinize relationships with third-party vendors. Consider insuring against cyber security risks. Develop a rapid response team and a disaster recovery plan in advance of a security compromise. Encourage associations to continue their proactive role, so as to effectuate sensible federal and state policies.

Questions? Peter C. Cassat 1200 New Hampshire Avenue Washington, D.C. Telephone: Fax: