Student Lending Privacy and Data Security


1 Student Lending Privacy and Data Security
Privacy and Data Security Update: Although federal efforts on data security appear to have stalled for now, many states have stepped up their regulation of privacy and data security issues. This session will provide an overview of the current state of play in this important area, with respect to both federal and state efforts, including recent developments in New York. (60 Minutes)
Introduction/Moderator:
Speaker: Dino Tsibouris, Tsibouris & Associates
Dino Tsibouris (614)

2 Data Breaches Average $6.5M in Damage to US Companies

3 How much is your customers’ data worth?

4 Sample Student Loan Breaches
- Student loan data (lost offsite storage media)
- Theft of portable media holding student loan records ( million affected)
- Unauthorized website logins ( ,328 affected)
- FAFSA auto-populated IRS data into false student loan applications, allowing for fraudulent tax returns ( ,000 affected)

6 Federal Privacy

7 Protecting Student Privacy Act
- Introduced in Senate April 6, 2017
- Amends FERPA
- No PII to outside parties who do not have a comprehensive information security program
- Must keep records of those with access to PII
- Outside parties must:
  - Provide parental access to PII
  - Offer hearings through the institution to address data correction and deletion

8 Federal Disclosures GLBA Model Privacy Notice
- Applies to financial institutions
- Initial, annual, and revised privacy notices must be sent to customers
- FAST Act of 2015 (PL ) eliminated the requirement to deliver annual notices in limited cases

10 Federal Disclosures GLBA Model Privacy Notice
Annual notices eliminated if:
- NPI is not shared in a way that triggers an opt-out right under GLBA or FCRA Section 603
- No changes to policies and practices since the last notice
- Model form is used

11 Federal Disclosures GLBA Model Privacy Notice
- CFPB proposed regulations to implement the 2015 amendment in July 2016
- Not finalized yet
- NCUA treats the statutory exemption as effective (16-CU-03)
- FDIC, CFPB, FRB examination procedures are similar
- OCC has not provided guidance

12 FTC Update on COPPA Children’s Online Privacy Protection Act
- 16 CFR 312
- Updated business guidance issued Jun 21, 2017
- Adds coverage of “IoT” devices as well as websites and mobile apps
- Adds knowledge-based authentication questions and facial recognition as methods to obtain parental consent

14 FTC Update on COPPA
- Determine if you collect personal information from kids under 13
- Post a compliant privacy policy
- Notify parents directly before collecting data
- Get parents’ verifiable consent
- Honor parents’ ongoing rights
- Implement reasonable security procedures

15 FTC Enforcement - Leads
- Purchasing lists and leads is common in student lending
- Lists should contain names of persons who authorized the collection and sharing of their data
- Contracts for purchase of leads should include representations and warranties ensuring leads have agreed to have their information collected and shared with you
- 2015: FTC hosted lead generation compliance workshops
- 2016: FTC took action against a lead generator

19 State Privacy

20 Background: California AG Data Breach Report
Key Recommendations:
- “Reasonable security” involves 20 controls (Center for Internet Security’s Critical Security Controls)
- Multi-factor authentication
- Strong encryption on portable and desktop devices

21 State Breach Notification Laws California AB-2828 (1/1/17)
(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or,

22 State Breach Notification Laws California AB-2828 (1/1/17)
(2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

23 State Breach Notification Laws California AB-2828 (1/1/17)
For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

24 State Breach Notification Laws Illinois HB1260 (1/1/17)
- Notify if a username and password/security question combination is acquired
- Encryption safe harbor does not apply if the key is compromised
- May notify electronically
- If the entity is subject to GLBA, GLBA compliance is deemed equivalent

25 State Breach Notification Laws Nebraska (7/21/16)
Nebraska L.B. 835
- Includes username or address combined with password/security question
- Encryption safe harbor not applicable if the key is compromised
- Notification to Attorney General if consumer notice is required

26 State Breach Notification Laws New Mexico (6/17/17)
HB 15
- Notify if “significant risk of identity theft or fraud”
- Notification within 45 days unless requested by law enforcement
- Notification to Attorney General and major CRAs if over 1,000 residents

27 State Breach Notification Laws New Mexico (6/17/17)
- Must dispose of PII when not needed
- Contractually require service providers to have reasonable security and protect PII
- No definition of “reasonable”
- Does not apply to entities subject to GLBA

28 State Breach Notification Laws Tennessee (4/1/17)
- Exception for encrypted data if NIST FIPS compliant
- 45-day notification time frame, extended an additional 45 days if further investigation is requested by law enforcement
- Private right of action
- Excludes companies subject to Title V of GLBA

29 State Cybersecurity Regulation New York (3/1/17)
- Applies to entities regulated by the NY DFS
- Written annual risk assessment
- Written cybersecurity policy
- Written incident response plan

30 State Cybersecurity Regulation New York (3/1/17)
- Appointment of a CISO
- Annual penetration tests (defined) and quarterly vulnerability assessments (undefined)
- “Adequate staffing”
- Regular awareness training, updated annually

31 State Cybersecurity Regulation New York (3/1/17)
- Maintain audit trail and documentation for six years
- Encryption in transit and at rest
- Annual certification to NY DFS

32 State Cybersecurity Regulation New York (3/1/17)
- Third-party service provider security policy (required within the next two years)
- Multifactor authentication
- “Risk-based authentication” (undefined)
- Notify NY DFS within 72 hours of a cybersecurity event

33 State Law Data Breach Considerations
- Access triggers notification
- Encrypted data exclusion
- Risk of harm analysis
- Notice to AG or regulator
- Notice within specified time frame
- Private cause of action
- Paper records may trigger notice

34 Privacy Statements and Notices: Putting It In Writing

36 State Disclosures California Privacy Notice
California Online Privacy Protection Act of 2003
- Applies if you collect PII from a single California visitor
- Website privacy policy required:
  - On the home page or first significant page on the site
  - Linked icon using the word “privacy” in a contrasting color

37 State Disclosures California Privacy Notice
Must include:
- Categories of PII collected
- Categories of third parties with whom PII is shared
- Process for reviewing and requesting changes to PII
- Description of the change notification process
- Effective date

38 State Disclosures California Privacy Notice
Using GLBA Model Privacy Notice for website privacy notice does not comply with state law requirements

40 Website Privacy Policies
Site MapTerms of UsePrivacy©2017 Member FDIC

41 Website Privacy

42 Website Privacy - Updates

43 Website Privacy - Updates

44 Mobile Privacy - Updates

45 Marketplace Lender and Service Provider Compliance Challenges
- More than one entity with legal terms, where the roles of each may not be readily apparent to the consumer
- Pay particular attention to FDIC/OCC marketplace and third-party guidance
- Whose legal terms (GLBA, Privacy Policy, Terms of Use, ESIGN) are binding?
- Are information sharing activities properly disclosed in these documents?
- Are there any activities that will draw the attention of regulators?

46 Service Providers

47 What the right hand giveth…
“Vendor agrees that personally identifiable information provided by Lender to Vendor shall be confidential information and shall only be used to perform the services set forth in this agreement.”
“Vendor agrees to protect confidential information in accordance with applicable federal, state, and local law.”

48 …the left hand taketh away?
“Vendor shall not be liable for direct, indirect, consequential, exemplary, or any other damages.”
“Vendor’s liability shall be limited to an amount equal to the fees paid by Lender to Vendor in the six (6) months prior to date of the act or omission from which Vendor’s liability arises.”

49 Questions & Answers
Dino Tsibouris (614)
