1. 1 Protecting Privacy Challenges for Higher Education Educause Western Regional Conference - April 26, 2006

2. 2 Outline  California Office of Privacy Protection  Defining Privacy  Privacy Laws  Privacy Practices

3. 3 California Office of Privacy Protection  CA is 1st state with such an agency  Created by law passed in 2000  Mission: protect the privacy of individuals’ personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating…fair information practices

4. 4 COPP Functions  Consumer assistance  Education and information  Coordination with law enforcement  Best practice recommendations

5. 5 Why People Contact COPP 11/01-12/05

6. 6 Defining Privacy

7. 7 Classic Definition 1  The right to be let alone. "The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men—the right to be let alone." Brandeis & Warren, 1890

8. 8

9. 9 Classic Definition 2  The right to control one’s personal information. “…the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” Alan Westin, 1967

10. 10

11. 11 Privacy & Security  Information Security: protecting data from unauthorized access, use, disclosure, modification, destruction.  Information Privacy: providing individuals with level of control over use and disclosure of their personal information  No privacy without security

12. 12 Privacy Values  Privacy – the right to control one’s personal information – is essential to protect other important values. Confidentiality Anonymity Seclusion Fairness Liberty

13. 13 Current Privacy Issues

14. 14 Current Privacy Issues  Security vs. Privacy  Public Records & Privacy  Data Brokers  Ubiquitous Surveillance  Persistence of Data  Identity & Authentication  Identity Theft

15. 15 Security vs. Privacy  “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” Benjamin Franklin, 1759  A zero-sum game?

16. 16 Public Records & Privacy  Loss of “practical obscurity” – from the county courthouse to the World Wide Web  Open government – Can we keep an eye on our government without spying on individual citizens? Limit access to sensitive data to certain purposes  Data brokers digitizing public records “Enriched” data resold to government and businesses

17. 17 Ubiquitous Surveillance  Digital trails created by financial transactions, digitized public records, FasTrak, security cameras, building cardkeys, Web searches, electronic health records…

18. 18

19. 19 The Persistence of Data  Internet archive  Online communities – MySpace.com, Facebook.com  Loss of “social forgiveness” in society of digital dossiers

20. 20 Identity & Authentication

21. 21 Identity Theft  Causal factors in identity theft Electronic databases Instant credit Remote transactions Over-reliance on inadequate identification system

22. 22 Identity Theft  Obtaining someone’s personal information and using it for an unlawful purpose Penal Code § 530.5  Types of identity theft Financial – existing account, new account Government benefits – employment “Criminal”

23. 23 Incidence of Identity Theft  Rate steady at about 9 million/year for past 3 years 4% of adults Including 1 million Californians Source: BBB/Javelin, 1/06

24. 24 How ID Thieves Get Your Info Source: BBB/Javelin, 1/06 Organizations in control 16% Consumers in control 27% Don’t know 57%

25. 25 Impact of ID Theft on Victims  Out-of-pocket costs Average $422  Time spent recovering Average 40 hours Source: BBB/Javelin, 1/06

26. 26 Impact of ID Theft on Economy  Total cost of identity theft in U.S. in 2005 $56.6 Billion Source: BBB/Javelin, 2/06

27. 27 Protecting Personal Information State and Federal Privacy Laws and Regulations

28. 28 Approaches to Data Protection  U.S. takes sectoral approach Laws protect personal information in certain industry sectors (financial, health care, video rental records)  EU, Canada, APEC take comprehensive approach Laws treat privacy as fundamental human right

29. 29 Major Sectoral Privacy Laws  Credit Reporting  Government Privacy  Financial Privacy  Health Information Privacy  Educational Records  Information Security  Commercial Communications  Identity Theft  Other

30. 30 Privacy Laws for Higher Ed  Federal Laws FERPA – Privacy of educational records GLBA – Financial privacy & security HIPAA – Health information privacy & security  State Laws IPA & other state government privacy laws (public institutions) Online privacy (CA) Information security SSN confidentiality Breach notice

31. 31 California #1 in Privacy Protection  California ranks highest in protecting its citizens against invasions of privacy. Privacy Journal  All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. California Constitution, Article 1, § 1

32. 32 Social Security Number Law  Prohibits public posting or display of SSN Don’t print on ID/membership cards. Don’t mail documents with SSN to individual, unless required by law. Don’t require sending by email or require for Web site log-on (unless with additional password).  Don’t print more than 4 digits of SSN on paystubs – or use employee ID number

33. 33 Online Privacy Protection Act  Commercial Web sites that collect personal info of CA residents must post privacy policy statement Categories of 3rd parties with whom personal information may be shared How consumers may review or remove their PII (if offered) How site will notify consumers when the privacy policy is changed Effective date of the policy  Site operators must comply with policy

34. 34 Online Privacy Practices in Higher Ed  Survey report available from Mary Culnan, Bentley College, mculnan@bentley.edu  236 doctoral universities & national liberal arts colleges in 2004 US News & World Report list  Assessed 3 types of online privacy risks Privacy statement use Data collection forms Cookies

35. 35 Online Privacy Practices in Higher Ed  100% of universities & colleges had at least one instance of Web page w/out link to privacy notice  Nearly 100% had 1or more data collection form without link to privacy notice  Nearly 100% had 1or more data collection forms using GET method  100% had at 1 or more non-secure data-collection page

36. 36 A Few Headlines  Another University Suffers Security Breach UCB, 3/29/05  Tufts warns 106,000 alums, donors of security breach 4/12/05  FBI probes network breach at Stanford 5/25/05  University to Warn of Web Security Breach USC, 7/10/05  7,800 linked to USD told of network security breach 12/3/05  Computer records on 197,000 people breached at UT 4/24/06

37. 37 Security Breach Notice Law  Notify individuals if unauthorized person acquires “unencrypted computerized data,” as defined: Name plus one or more of following: SSN, DL, or financial account number  Notify promptly and without unreasonable delay Time allowed to assess scope; may delay if would impede law enforcement investigation

38. 38 Security Breach Notice Law  Notify individually unless >250,000 or >$500,000 or inadequate contact information  Substitute notice Email if you have address, AND Post on Web site, AND Use mass media.

39. 39

40. 40 Breach Notifications  CA Office of Privacy Protection learns of breaches from individuals, companies, media  Sample includes 101 breaches since 7/03 (not all)  Over 53 million notified (from 100 to 40 MM per incident) Mean 646,723 Median 31,077

41. 41 Where are breaches occurring? n=101

42. 42 Why Universities?  Culture of free flow of information  Distributed IT environment  More responsible about reporting?

43. 43 How are breaches occurring? n=101

44. 44 Types of Information Involved n=101

45. 45 Lessons Learned - Prevention  Review data collection policies Blood bank example: Do we really need SSNs?  Review data retention policies University example: How long?

46. 46 Lessons Learned - Prevention  Remember the mobile workforce! Protect desktops, laptops, other portables  Prohibit downloads of sensitive info to PCs, laptops  Use encryption – State encryption policy BL05-32 at www.dof.ca.gov/html/budlettr/budlets.htm

47. 47 Privacy Practices

48. 48 COPP’s Recommended Practices  Best practice recommendations, not regulations, not legal opinions Social Security Number Confidentiality Security Breach Notice Information-Sharing Disclosure and Privacy Policy Statements

49. 49 Privacy Best Practices  Build in privacy. Design systems and database to limit and protect personal information.  Know where your personal information is. Conduct personal info inventory, including portable computing & storage devices and paper records.

50. 50 Privacy Best Practices  Say what you do with personal information. Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info.  Do what you say in managing personal information. Monitor compliance with laws and policies, including content monitoring of Web sites and e- mail.

51. 51 Privacy Best Practices  Limit access to personal information. Use appropriate security measures to prevent unauthorized access, including limiting internal access to need-to-use level.  Develop a culture of respect for privacy. Provide employees and all users with ongoing education and training in requirements and practices.

52. 52

53. 53 “Personal information is like toxic waste – Managing it requires a high level of skill and training.” Phil Agre, U.C.L.A.1997

54. 54

55. 55 Joanne McNabb, CIPP/G Chief, California Office of Privacy Protection 1625 North Market Blvd., Suite N324 Sacramento, CA 95834 www.privacy.ca.gov 866-785-9663