Working Effectively with Law Enforcement: How to Protect the Privacy of Your University Community Without Going to Jail Michael Corn Director, Security Services and Information Privacy University of Illinois at Urbana-Champaign Office of the CIO

2 Presentation Topics
• Working effectively with LEAs protects privacy
• You are not alone: it takes a team to respond to a subpoena
• What knowing your environment means
• Advice on handling an investigation
• References

3 Themes and Assumptions
• Working with law enforcement is no longer exceptional but typical
• We have a legal obligation to comply with valid documents
• Proper handling of law enforcement requests enhances the privacy accorded to members of your campus community

4 It Takes a Team
• Develop a firm and clear understanding of responsibilities and roles
• There are three critical positions that can handle 100% of most incidents and 95% of the rest: Security Officer, Legal Counsel, Campus Police

5 Campus Police
• Validate credentials
• Have deep contacts in Law Enforcement
• Bring a level of comfort to agents of LEAs
• Partners in a variety of incidents:
  – Harassment
  – Laptop theft
  – Identity theft / SSN disclosures
Consider whether they are internal or external to the Institution

6 Campus Counsel
• Validate all legal documents
• Interpret the type of request: subpoena, preservation request, search warrant, NSL, etc.
• Interpret the request elements: data, dates/times, identities, etc.
Should be highly familiar with relevant campus policies, such as your Appropriate/Acceptable Use and Infosec policies

7 Security Officer
• Advises on technical capabilities / hurdles
• Advises on impact and visibility
• Advises on what is available
• Collection of evidence / information

8 Words of Advice to Security Officers
• Keep judicial, legislative, investigative and interpretive roles separate
• Regulation != Common Sense
• Having a law degree does not make you the University's Counsel

9 Know your Environment
• Focus on those elements of your environment that are likely to be relevant to a request for information:
  – Log files – (and traffic logs)
  – s/Flow data
  – Authn/z logs
  – Technical contacts in units
  – Which units provide their own IT services?
  – How long are backups stored, and how much work is it to do a restore?
"If you can't count something you don't control it" – Mike's dictum

10 Know your Environment (cont.)
• Discuss the possibility of confidential investigations with your service managers and their supervisors (i.e., middle managers)
• Emphasize that you're helping to insulate them from crises
• Buy your network engineers lunch. Regularly.

11 Handling an Investigation – confidentiality
• Confidentiality
  – Understand your obligations with regard to confidentiality.
"In accordance with 18 U.S.C. section 2709(c) (1), I certify that a disclosure of the fact that the FBI has sought or obtained access to the information sought by this letter may endanger the national security of the United States...and (2) prohibits you, or any officer, employee, or agent of yours, from disclosing this letter, other than to those to whom disclosure is necessary to comply with the letter or to an attorney to obtain legal advice..."
ACLU: FBI National Security Letter (NSL) quote, found via Google search.

12 Confidentiality (cont.)
• Discuss with the agent(s) in charge of an investigation whom you wish to inform of the investigation and why. This includes:
  – your supervisor
  – campus/University Officers (Provost, Chancellor, etc.)
  – unit heads
  – technical staff
• Develop internal procedures that control the materials and information of legally restricted documentation. Buy a safe for storing legal documents and evidence.

13 Handling the Investigation – impact
• Minimizing the impact of the investigation
  – Work with the agent(s) in charge of an investigation to review what they are looking for and what will not be useful to them.
  – Work with law enforcement agents to better understand your environment and narrow the scope of information requests.

14 Narrowing the Scope of a Request I
Original: "Provide all records, logs, transaction records, connection records, headers and IP numbers for the account and computers associated with Bullwinkle J. Moose and the account from Jan 1st 2007 to

15 Narrowing the Scope of a Request II
• redirects to
• Physics.whatsamattau.edu not centrally provided (do they log sendmail at physics?)
• also exists as
• accounts accessible from any IP on campus
• Bullwinkle reads most of his mail from a multi-user machine
• Flow logs from that machine show traffic from multiple users
• Bullwinkle has logged into any number of campus services in the last 8 months

16 Narrowing the Scope of a Request III
• Discuss with agent:
  – redirection
  – And Legal if is covered by document
  – Flow logs don't help with
  – Central IT account is unused
  – Campus authentication records
  – Capturing multi-user machine will endanger confidentiality of investigation
  – Multi-month restore will endanger confidentiality of investigation
  – Need to work with departmental IT staff
• May require working with unit head or IT staff supervisors

17 None of this will matter if the LE agent doesn’t trust and have confidence in you.

18 Narrowing the Scope of a Request IV
New Preservation Request: "Please retain all existing and backups of the account associated with the address from the period Jan 1st 2007 to present."
New Data Request: "Please provide all headers from existing from the account associated with the address from the period Jan 1st 2007 to present."
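Slides 9 and 15 through 18 describe one procedure: inventory which systems hold which kinds of data and for how long, map the request onto that inventory, then talk the agent down to what is actually available without a multi-month restore or a capture of a shared machine. The script below, an added example and not material from the presentation or the University of Illinois, does that mapping mechanically. The source names, retention periods, effort figures and dates are constructed to resemble the Bullwinkle scenario on the slides; the flag labels and the `LogSource`/`Request`/`Assessment` types are assumptions of this example.

```python
"""Map a law-enforcement data request onto a campus log inventory.

Added example, not from the presentation. All names, retention periods
and dates are constructed; replace INVENTORY with your own environment.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Points a security officer raises with the agent before collection starts
FLAG_RESTORE = "restore-from-backup"       # slow, and more staff learn of the case
FLAG_MULTI_USER = "multi-user-data"        # answering exposes people outside the request
FLAG_DEPARTMENTAL = "departmental-system"  # needs unit IT staff (and their supervisor)


@dataclass
class LogSource:
    name: str
    data_types: Set[str]   # what the source can answer, e.g. "mail_headers"
    online_days: int       # how far back the live system still holds data
    backup_days: int       # how far back backups reach (0 = no backups)
    restore_hours: float   # effort to restore one backup set
    multi_user: bool       # pulling it exposes people outside the request
    owner: str             # "central" or the unit that runs it


@dataclass
class Request:
    data_types: Set[str]
    start: date
    end: date


@dataclass
class Assessment:
    source: str
    in_scope: bool
    online_from: Optional[date] = None         # oldest requested day still live
    restore_from: Optional[date] = None        # oldest requested day reachable only by restore
    unavailable_before: Optional[date] = None  # requested days nobody can produce any more
    restore_hours: float = 0.0
    flags: List[str] = field(default_factory=list)


def assess(source: LogSource, req: Request, today: date) -> Assessment:
    """Decide whether one source can answer the request, and at what cost."""
    if not (source.data_types & req.data_types):
        return Assessment(source.name, in_scope=False)  # e.g. flow logs for a mail request

    online_from = today - timedelta(days=source.online_days)
    backup_from = (today - timedelta(days=source.backup_days)
                   if source.backup_days else online_from)
    earliest = min(online_from, backup_from)
    a = Assessment(source.name, in_scope=True)

    if req.end >= online_from:                        # part of the window is still live
        a.online_from = max(online_from, req.start)
    if req.start < online_from and backup_from < online_from:
        a.restore_from = max(req.start, backup_from)  # only backups cover this part
        a.restore_hours = source.restore_hours
        a.flags.append(FLAG_RESTORE)
    if req.start < earliest:
        a.unavailable_before = earliest               # older than every copy you keep
    if source.multi_user:
        a.flags.append(FLAG_MULTI_USER)
    if source.owner != "central":
        a.flags.append(FLAG_DEPARTMENTAL)
    return a


def plan(sources: List[LogSource], req: Request, today: date) -> List[Assessment]:
    """Assessments for only those sources that hold a requested data type."""
    return [a for a in (assess(s, req, today) for s in sources) if a.in_scope]


def total_restore_hours(assessments: List[Assessment]) -> float:
    """Effort the request costs if it is not narrowed to what is online."""
    return sum(a.restore_hours for a in assessments)


# Constructed inventory modelled on the slides' scenario; every value is made up.
TODAY = date(2007, 8, 20)
INVENTORY = [
    LogSource("central-mail", {"mail_headers", "mail_content"}, 90, 400, 40.0, False, "central"),
    LogSource("physics-sendmail", {"mail_headers", "mail_content"}, 30, 0, 0.0, False, "physics"),
    LogSource("flow-collector", {"flow"}, 180, 0, 0.0, True, "central"),
    LogSource("campus-authn", {"authn"}, 365, 730, 4.0, False, "central"),
    LogSource("physics-shell-host", {"shell_logins", "flow"}, 30, 0, 0.0, True, "physics"),
]
# The narrowed request from slide 18: headers only, Jan 1st 2007 to present
HEADERS_REQUEST = Request({"mail_headers"}, date(2007, 1, 1), TODAY)

if __name__ == "__main__":
    result = plan(INVENTORY, HEADERS_REQUEST, TODAY)
    for a in result:
        print(f"{a.source}: live from {a.online_from}, restore from {a.restore_from}, "
              f"nothing before {a.unavailable_before}, flags={a.flags}")
    print("restore effort if not narrowed to existing mail:",
          total_restore_hours(result), "hours")
```

Run as written, the report shows why slide 18's wording matters: the central mail store can answer the headers request from live data only back to late May, answering from January 1st means a 40-hour restore that widens the circle who know about the case, the departmental sendmail host keeps only 30 days and has no backups at all, and the flow collector and the shared shell host drop out entirely because they do not hold mail headers. Those are exactly the points to put in front of the agent and counsel before anyone starts pulling data.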

19 Summary
• Create a policy to address the handling of all legal documents.
• Form a team consisting of the security officer, legal counsel, and campus police.
• Put campus legal counsel on your telephone speed-dial.
• Meet with the provost and/or chancellor to discuss law enforcement requests and investigations.
• Review and document the salient features of your environment, including your institutional policies on data release and retention.
• Understand your obligations with regard to confidentiality.
• Discuss with the agent(s) in charge of an investigation whom you wish to inform of the investigation and why.
• Work with the agent(s) in charge of an investigation to review what they are looking for and what will not be useful to them.
• Work with law enforcement agents to better understand your environment and narrow the scope of information requests.
• Develop internal procedures that control the materials and information of legally restricted information. Buy a safe for storing legal materials.

20 References & Contact
• Guidelines for Working with Law Enforcement Agencies. Michael Corn. Educause Quarterly, Vol. 30 No
• Educause Policy and Law Constituent Group
• Contact: Michael Corn