Data Privacy and Security: Overview and Update
Beth Cate, Associate University Counsel

Old laws and new
- Numerous laws have been passed in recent years to protect privacy and security of certain types of data that are obtained, created, maintained, used and shared by IU
  - E.g., FERPA (Family Educational Rights and Privacy Act), protects privacy of student education records
  - E.g., HIPAA (Health Insurance Portability and Accountability Act), protects privacy and security of personal health information
- Want to alert you to three new state laws taking effect 7/1/06 that affect data privacy and security at IU
  - Prohibiting unauthorized disclosures of Social Security Numbers
  - Requiring secure disposal of records with certain personal information
  - Requiring notice of security breaches that expose personal information to unauthorized access
- Want to also say a word about payment card industry security standards for credit card information

Multi-level approach at IU to data privacy and security
- Identify and implement overall “best practices” for handling institutional data
- Identify certain types of sensitive data for heightened privacy and security rules, either because law requires it or we think it’s a good idea as a policy matter
- Work with units who have sensitive data to ensure compliance with applicable laws and policies (Registrars/FERPA, Health Center/HIPAA, Student Financial Assistance/GLB, etc.)
- Educate University community on best practices and particular obligations concerning data privacy and security

Each law is somewhat different, but general principles seem to be emerging
- Three categories of data security measures:
  - Administrative (policies and procedures and sanctions for violations)
  - Physical (locks, keycards, physical barriers to data)
  - Technical (passwords, encryption, etc.)
- Continuing assessment and adjustment of security measures in light of own, and similar others’, experience
- Periodic monitoring and testing of security measures
- Education of people handling sensitive data on their roles and obligations
- Appropriate security and confidentiality obligations imposed on third parties with whom we share data

And these principles may also begin to set standards for tort claims
- Tort law includes things like negligence claims: the claim that the University has breached a duty of reasonable care and that the breach proximately caused harm.
- Plaintiffs’ lawyers have begun bringing negligence claims in response to systems breaches that expose personal data to unauthorized access
- May be difficult to prove that breach caused harm, unless courts define harm to include fear of identity theft and extra time/resources spent taking steps to protect oneself against it
- Tort law also includes “invasion of privacy” claims:
  - Intrusion upon seclusion
  - Misappropriation
  - False light publicity
  - Public disclosure of private facts

Three new Indiana laws on data privacy and security

#1 -- Social Security Number Disclosure Law
- Effective July 1, 2006, it is a crime to disclose an individual’s Social Security Number to a party outside of IU unless the disclosure is authorized under Indiana state law

Types of disclosures covered
- Electronic
- Paper
- Oral

Whose Social Security Numbers does this apply to?
- Any individual’s SSN that IU maintains in its records; not limited to just personnel and students

What SSN disclosures are authorized?
Except where prohibited by state or federal law or a court order:
- Disclosures to a local, state, or federal agency
- Disclosures by IUPD to an individual, entity, or local, state or federal agency, for the purpose of furthering an investigation
- Disclosures that are expressly required (not just permitted) by state or federal law or a court order
- Disclosures for which we have the individual’s express written consent
- Disclosures of only the last four (4) digits of the SSN
- Disclosures for the purpose of administering health benefits of an employee or the employee’s dependent(s)
- Disclosures made in the context of certain counterterrorism investigations
- Disclosures to commercial entities for use in certain activities authorized under 3 federal laws

Examples of disclosures that would fall within these exemptions
- Disclosures by FMS personnel to state and federal tax agencies for tax reporting purposes
- Disclosure in response to valid subpoena demanding employee or student records
- Disclosure to health care plan vendors for the purpose of enrolling employees in health care plans

Penalties for unauthorized disclosures -- IU
- IU must notify individual(s) affected under new notice law
- Costs in terms of constituent trust, time and other resources to notify
- Possibility of civil suit filed by affected individual(s)

Penalties for unauthorized disclosures -- Employees
- Knowing, intentional, or reckless violations are felonies:
  - Up to 3 years’ jail time
  - Up to $10,000 fines
- Negligent violations are “infractions” (misdemeanors):
  - Up to 1 year jail time
  - Up to $5,000 fines
- Possibility of civil suit filed by affected individual(s)

NOTE: it is not clear whether “negligent” disclosure under the law covers only affirmative transfer of an SSN or also inadvertent exposure of SSNs to unauthorized access due to inadequate security measures. THIS REINFORCES THE NEED FOR PROPER ELECTRONIC AND PAPER SECURITY FOR RECORDS WE MAINTAIN WITH SSNs

Why are SSNs getting all this protection?
- Increased concerns about identity theft and perception that SSNs may be used in identity theft
- Perception that SSNs have become a default identifier for individuals instead of being limited to their intended use, and desire to cut back
- Numerous state laws on SSNs, some federal laws, and further federal bills have been proposed

#2 -- Personal Information Secure Disposal Law
- Effective July 1, 2006, it is a crime for IU or an IU employee to dispose of certain personal information of a “customer” in a non-secure manner

What does “dispose of” mean?
- Discarding or abandoning the “personal information” of a “customer” in an area accessible to the public
- Includes placing the personal information in a container for trash collection

What types of “personal information” are covered?
- SSNs
- First initial or name PLUS last name AND:
  - Credit card number
  - Financial account number or debit card number in combination with a security code, password, or access code that permits account access
  - Driver’s license number
  - State identification number

Also…
- The law only applies to personal information that is neither “encrypted” nor “redacted”
- “Encrypted”:
  - transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or
  - secured by another method that renders the personal information unreadable or unusable
- “Redacted”: information is truncated so only the last 5 digits of an SSN or the last 4 digits of other personal information are accessible
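To make the two preceding slides concrete for anyone building a data-inventory or disposal check, here is an added Python example (not code from the presentation or from IU) that applies the disposal law’s “personal information” definition and its “redacted” threshold to a record. The record layout, field names and the `*` mask character are this example’s own assumptions; the rules it encodes are only those stated on the slides: an SSN alone is covered, other identifiers are covered only together with a first initial/name plus last name, a financial account number counts only in combination with a code that permits access, and encrypted or redacted values are out of scope.

```python
import re
from dataclasses import dataclass
from typing import Optional

MASK = "*"  # assumed mask character used for truncated (redacted) values


def redact_ssn(ssn: str) -> str:
    """Truncate an SSN so only its last 5 digits remain readable (the slide's SSN threshold)."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has 9 digits")
    return MASK * 4 + digits[-5:]


def redact_other(value: str) -> str:
    """Truncate any other identifier so only its last 4 characters remain readable."""
    kept = value[-4:]
    return MASK * (len(value) - len(kept)) + kept


def readable_chars(value: str) -> int:
    """Count the characters of a value that are still readable after masking."""
    return len(value.replace(MASK, "").replace("-", "").replace(" ", ""))


def is_redacted(kind: str, value: str) -> bool:
    """A value is 'redacted' when at most 5 digits (SSN) or 4 characters (other) are readable."""
    limit = 5 if kind == "ssn" else 4
    return readable_chars(value) <= limit


@dataclass
class Record:
    """Hypothetical record layout; every field is optional so partial records can be tested."""
    first: Optional[str] = None             # first name or first initial
    last: Optional[str] = None
    ssn: Optional[str] = None
    credit_card: Optional[str] = None
    financial_account: Optional[str] = None  # financial account or debit card number
    account_code: Optional[str] = None       # security code, password or access code for it
    drivers_license: Optional[str] = None
    state_id: Optional[str] = None
    encrypted: bool = False                  # stored encrypted per the slide's definition


def covered_under_disposal_law(rec: Record) -> bool:
    """True when the record holds 'personal information' that the disposal law reaches."""
    if rec.encrypted:
        return False  # encrypted information is outside the law's scope

    def live(kind: str, value: Optional[str]) -> bool:
        return bool(value) and not is_redacted(kind, value)

    if live("ssn", rec.ssn):
        return True  # an SSN is covered on its own
    if not (rec.first and rec.last):
        return False  # everything else requires first initial/name plus last name
    if live("credit_card", rec.credit_card):
        return True
    if live("financial_account", rec.financial_account) and rec.account_code:
        return True  # account number only counts together with a code permitting access
    if live("drivers_license", rec.drivers_license):
        return True
    if live("state_id", rec.state_id):
        return True
    return False


# Constructed sample records (fictitious values).
SAMPLES = {
    "bare_ssn": Record(ssn="123-45-6789"),
    "redacted_ssn": Record(ssn=redact_ssn("123-45-6789")),
    "account_without_code": Record(first="J", last="Doe", financial_account="12345678"),
    "account_with_code": Record(first="J", last="Doe", financial_account="12345678", account_code="4821"),
    "redacted_license": Record(first="J", last="Doe", drivers_license=redact_other("AB12345")),
    "encrypted_card": Record(first="J", last="Doe", credit_card="4111111111111111", encrypted=True),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:22} covered={covered_under_disposal_law(rec)}")
```

The redaction helpers are the interesting part for a defender: truncating an SSN to its last 5 digits takes it outside the disposal law, but the breach-notification law on the following slides keys on “more than the last 4 digits” of an SSN, so a record redacted to the disposal-law threshold can still trigger breach notice. Redacting to the stricter 4-digit threshold satisfies both.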

Who are “customers”?
- Anyone who has received or contracted for the direct or indirect provision of goods or services from IU and whose personal information we store, and
- Anyone who has given us their personal information in connection with a transaction with IU
- E.g., students, parents, employees, bookstore and theater customers, vendors who give us personal information, etc.

What types of disposal are secure enough?
- Shredding
- Incinerating
- Mutilating
- Erasing
- Methods that otherwise render the information illegible or unusable

Relationship to other data security laws
- State disposal law EXEMPTS persons who are already maintaining and complying with a disposal program under:
  - HIPAA
  - Gramm-Leach-Bliley
  - Fair Credit Reporting Act
  - Driver’s Privacy Protection Act
  - USA Patriot Act/Executive Order 13224

#3 -- Security Breach Notification Law
- Effective July 1, 2006, IU must notify individuals whose “unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person” as a result of a system security breach
- This law essentially codifies something IU and other schools have been doing already as “best practices” in the event of a breach

What types of “personal information” does this cover?
- First initial or name PLUS last name AND:
  - SSN (more than the last 4 digits)
  - Driver’s license number
  - State identification card number
  - Credit card number
  - Debit card number
  - Financial account number
  - Security code, access code, or password of financial account

What does “unencrypted” mean?
- It’s not defined in this law; best to assume the definition in the disposal law would apply

NOTE
- This law only addresses computerized (electronic) data, not paper data
- Of course, IU can still give notice as a policy matter if there were a disclosure of personal information in paper records
- Also, the law doesn’t cover theft of portable electronic devices with personal information stored on them, if access is protected by a password that has not been disclosed

When does notice have to be given?
- “without unreasonable delay”
- Consistent with
  - legitimate needs of law enforcement, and
  - measures needed to determine scope of breach and restore system integrity
- Notice may be delayed if law enforcement determines notice will impede criminal investigation

How may notice be given?
- In writing
- By
- By conspicuous posting on IU website and notice to major statewide media, if
  - Cost of notice to individuals $250K or more,
  - More than 500,000 people must be notified, or
  - Insufficient contact information for personal notice

Who else must be notified?
- If more than 1,000 individuals’ information is involved, must notify “without unreasonable delay” all consumer reporting agencies that we have sent notices to the individuals
  - Equifax, TransUnion, Experian
- Heads-up to them that individuals may be requesting credit reports to monitor for attempted identity theft
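The notification slides above (scope, timing, method and consumer reporting agencies) form one decision procedure. The following Python is an added example, not the presentation’s or IU’s own material, that encodes that procedure as an incident-response checklist so the thresholds are applied the same way every time. The `BreachFacts` fields are this example’s assumptions about what an incident handler would have established; the thresholds and exclusions are the ones stated on the slides (computerized data only, unencrypted data only, the password-protected stolen-device carve-out, $250K-or-more cost / more than 500,000 people / insufficient contact information for substitute notice, more than 1,000 individuals for consumer reporting agency notice).

```python
from dataclasses import dataclass
from typing import Dict

CONSUMER_REPORTING_AGENCIES = ("Equifax", "TransUnion", "Experian")


@dataclass
class BreachFacts:
    """Facts an incident handler establishes before deciding on notice (assumed field set)."""
    affected: int                       # individuals whose personal information was/may have been acquired
    data_encrypted: bool                # encrypted per the disposal law's definition (slide's suggested reading)
    estimated_notice_cost: float        # dollars to give individual written notice
    have_contact_info: bool             # sufficient contact information to reach each individual
    electronic: bool = True             # computerized data (the statute does not reach paper records)
    stolen_device_password_protected: bool = False  # portable device theft, password not disclosed
    law_enforcement_hold: bool = False  # law enforcement says notice would impede its investigation


def notice_required(f: BreachFacts) -> bool:
    """Statutory notice applies only to unencrypted, computerized data actually exposed."""
    if not f.electronic:
        return False
    if f.data_encrypted:
        return False
    if f.stolen_device_password_protected:
        return False
    return f.affected > 0


def notice_method(f: BreachFacts) -> str:
    """Written notice by default; substitute notice when any of the three slide conditions holds."""
    if not notice_required(f):
        return "none required by statute (notice may still be given as a policy matter)"
    substitute = (
        f.estimated_notice_cost >= 250_000
        or f.affected > 500_000
        or not f.have_contact_info
    )
    if substitute:
        return "conspicuous posting on IU website and notice to major statewide media"
    return "written notice to each individual"


def must_notify_credit_agencies(f: BreachFacts) -> bool:
    """Consumer reporting agencies are told once more than 1,000 individuals are involved."""
    return notice_required(f) and f.affected > 1_000


def notice_timing(f: BreachFacts) -> str:
    if f.law_enforcement_hold:
        return "delayed while law enforcement determines notice would impede its investigation"
    return "without unreasonable delay"


def notice_plan(f: BreachFacts) -> Dict[str, object]:
    """Assemble the checklist an incident handler would hand to the IT Policy Office."""
    return {
        "notice_required": notice_required(f),
        "method": notice_method(f),
        "timing": notice_timing(f),
        "credit_agencies": CONSUMER_REPORTING_AGENCIES if must_notify_credit_agencies(f) else (),
    }


# Constructed scenarios (fictitious numbers) covering the main branches.
SCENARIOS = {
    "small_unencrypted": BreachFacts(affected=1_500, data_encrypted=False,
                                     estimated_notice_cost=3_000, have_contact_info=True),
    "very_large": BreachFacts(affected=600_000, data_encrypted=False,
                              estimated_notice_cost=300_000, have_contact_info=True),
    "encrypted_backup": BreachFacts(affected=20_000, data_encrypted=True,
                                    estimated_notice_cost=40_000, have_contact_info=True),
    "stolen_laptop": BreachFacts(affected=900, data_encrypted=False, estimated_notice_cost=1_800,
                                 have_contact_info=True, stolen_device_password_protected=True),
    "no_addresses": BreachFacts(affected=900, data_encrypted=False,
                                estimated_notice_cost=1_800, have_contact_info=False),
}

if __name__ == "__main__":
    for name, facts in SCENARIOS.items():
        print(name, notice_plan(facts))
```

Two points the code makes visible that the slides only imply: the consumer-reporting-agency duty is conditioned on individual notice actually being owed (an encrypted-data incident with 20,000 records triggers neither), and a law-enforcement hold changes only the timing, never whether notice is owed or to whom.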

IF YOU BECOME AWARE OF A SECURITY BREACH
- Contact your local Systems Support Center or Network Operations Center immediately
- Send details of incident to:
- IT Policy Office will coordinate response and take all appropriate steps

Payment Card Industry Data Security Standards
- Merchant bank agreements with IU impose payment card data security standards
- Extensive and rigorous requirements that apply to all components of the IT system involved with cardholder data access, retention and processing
- Requires immediate notice to payment card co. in case of security breach
- Noncompliance may lead to fines, revocation of right to accept cards for payment
- Conference coming up with payment card industry personnel and higher ed personnel to work through implementation issues for campuses

So those are the new state laws and payment card standards – how do they fit into the “big legal picture” concerning data privacy and security?

Many privacy/security rules dealing with discrete categories of data
- FERPA: student education records
- GLB: nonpublic customer information of “financial institutions”
- HIPAA: personal health information
- FACTA: consumer report data
- New Indiana laws: SSN, other “personal information”
- Payment card industry security standards: credit card transaction information

Operating under certain best practices will help us comply with these laws and new IN laws

Best data handling/retention/disposal practices
- Review old records to determine whether sensitive data exists that is no longer needed
- Going forward, only obtain/retain sensitive personal information when really needed
- Limit who has access to the data to who really needs it
- Limit the servers on which sensitive data is stored
- Limit or prohibit downloading sensitive data onto portable devices and PCs
- Use encryption and redaction when possible in storage and transmission
- Require strong passwords for access
- Dispose of all business records with sensitive information securely
- Review data privacy and security practices of third parties who will receive IU sensitive data and contractually obligate them to safeguard data sufficiently/indemnify us for any privacy or security breaches
- EDUCATION!!!!

Overall Data Privacy and Security Framework
- Should have three types of safeguards, noted earlier:
  - Administrative
  - Physical
  - Technical
- Continuous assessment and adjustment of security and privacy measures in light of experience, to achieve data security and integrity

Questions?