Quotable... |
“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
-- David Brin
|
|
We are pleased to begin our ninth year of Case in Point: Lessons for the pro-active manager. We usually begin each year with a look at trends and statistics from the prior year, but because January included ''Data Privacy Day''(January 28), we thought this would be a good time to focus on the important issue of privacy. I've asked Robert Gottesman, Director of Institutional Compliance and Privacy, to share some thoughts.
Higher education has experienced a tremendous growth of the amount of data it collects to fulfill its mission. Applications to improve the management of various higher education units have a voracious appetite for data. Applications are developed and implemented with the idea that no amount of data is too much, whether it is related to prospective students, enrolled students, employees, alumni, volunteers, or other stakeholders. This data may be stored in a campus-based or cloud-based vendor's data center. These applications give authorized users the ability to search and report on individuals, as well as entire groups.
January 28th was designated Data Privacy Day 2017 by the National Cyber Security Alliance (NCSA) to ''create awareness about the importance of privacy and protecting personal information.'' As individuals, the NCSA recommends that we ''Share with Care.'' Once something is posted to a social media site, it is nearly impossible to remove. ''Personal Information is like money,'' and there are individuals and companies harvesting information for both nefarious and financial purposes. Additionally, we should familiarize ourselves with the privacy and security settings available on each of the websites we use. Remember that even if we restrict access to social media content to our friends, we cannot control how these friends use and share our information.
Security settings are an important tool to protect our privacy. However, no amount of security will protect our privacy if individuals or businesses entrusted with our data do not act in good faith.
As university employees, we have an obligation to handle confidential data in a manner that seeks to protect the privacy of the individual who has directly or indirectly entrusted us with their data. While there are laws and regulations that mandate data privacy and security, a few basic guidelines and common sense should always be considered when handling confidential data:
- Make sure you need it before you collect it. Does the application or process under consideration need to collect or store confidential information? If an application contains a unique student username, does it also need to have access to their Social Security Number? If the process calls for payment, does the credit card number of the payee need to be stored for future use? Just because an application or form has a field for a particular piece of confidential information, it does not mean that the process requires this information.
- If you collect it, protect it. Once a decision is made to collect data, there must be a plan in place to protect this data from unauthorized access and release. University policy (in addition to various Federal and state laws and regulations) will often speak to the requirements necessary in order to store and/or share information. For example, the Family Educational Rights and Privacy Act (FERPA), as well as University policy, addresses when, and by whom, student directory information may be released.
- Be open and honest about how you collect, use, and share personal information. If information is collected for a specific stated purpose, it should only be used for that purpose.
- Create a culture of privacy. Stress to employees the importance of maintaining privacy. Just because an employee has authorized access to a dataset of student information, does not mean the employee should peruse this dataset and look up information about acquaintances. Confidential data should only be accessed when there is a job-related need to access the information.
- Conduct due diligence and maintain oversight of partners and vendors. The decision to store University data with a third party or in the cloud should only be made by individuals with University contract authority, and only after careful evaluation of the vendor's security posture and contractual obligations.
As you go about your daily job responsibilities, we urge you to be proactive, evaluate your processes, and look for ways you can reduce risk related to the collection, storage, and transmission of confidential and sensitive data.
Robert Gottesman, CCEP, EnCE, CISA Director, Institutional Compliance & Privacy
Thank you, Robert for those important guidelines regarding privacy. We must remain vigilant with respect to protecting our data along with the many other issues in higher education. We again invite you to review the events from the prior month with a view toward how you can proactively manage risk.
M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy
Information Security & Technology Events
Jan 25, 2017: As the challenge of keeping personal information out of the hands of cybercriminals becomes more complicated, the Penn State Privacy Office is encouraging students, faculty and staff members to follow best practices for storing and sharing online data in recognition of Data Privacy Day on Jan. 28. Hackers have varying motivations, and for some, stealing and selling personally identifiable information (PII) -- which includes any data that can be used to distinguish or trace a person's identity -- has become big business, according to Holly Swires, privacy officer and interim deputy chief information security officer at Penn State. (link)
Jan 24, 2017: Give us your money, or your files get it. Imagine turning on your computer only to be greeted by that message. The computer has been infected with ransomware, a type of malware that locks users out of their data and threatens to make it unusable -- either by deleting or encrypting it -- unless the college that has been hacked agrees to pay a ransom. The clock is ticking. Do you pay up? Los Angeles Valley College did. (link)
Jan 20, 2017: A malware infection is to blame for a security breach that could put the personal information of up to 4,611 clients of the Ohio State Veterinary Medical Center at Dublin in jeopardy. Clients were alerted of the possible threat that could put their bank account information, credit card numbers, driver's license and their social security numbers at risk, but OSU spokesman Ben Johnson said in a statement that there is "no current evidence that confidential information was viewed or removed from the server." (link)
Jan 19, 2017: The University of Iowa is investigating a "handful" of possible cases of cheating -- and warning the entire campus community to change their HawkID passwords -- after a faculty member discovered a student's grade had been changed without authorization. The suspects obtained the account information by secretly attaching physical devices to university computers in classrooms and computer labs. "The investigation shows someone attached unauthorized devices to university instructional computers to capture instructor IDs and passwords," according to UI spokeswoman Anne Bassett. "A few students appear to have then used the passwords to change their grades in select courses." (link)
Jan 18, 2017: Students and parents are raising concerns after pro-Nazi fliers appeared on printers around UC Berkeley campus that also championed the day that Donald Trump is sworn in as president. In an email on Tuesday, UC Berkeley spokesman Roqua Montez said there is no credible threat at this time, and a UC Berkeley police sergeant said detectives are following up on the issue. How many fliers were found and on how many printers has not been revealed. He added that the university does not consider this a case of hacking and there is "no actual crime being committed," as the sender is "exploiting open source printers and fax machines that are being legally access via the Internet." (link)
Jan 17, 2017: Printers at Vanderbilt University started inexplicably printing anti-Semitic fliers on Monday in an incident that officials said could be linked to a round of hacking that targeted printers at several universities last year. University police are investigating the incident, which occurred "in a handful of offices on campus," according to an email from university spokeswoman Princine Lewis. The university also notified federal authorities. (link)
Jan 17, 2017: Indianapolis-based American College of Education fired its information technology employee last year, according to court documents, but not before an administrative password was changed. The online college then asked the man to unlock the Google account that stored email and course material for 2,000 students, according to a lawsuit filed by the college. The man said he'd be willing to help -- if the college paid him $200,000. Welcome to the new frontier of tech concerns in a business world that has come to depend on the cloud. (link)
Jan 07, 2017: The Los Angeles Community College District paid nearly $30,000 to regain access to computer systems seized by a ransomware infection that was discovered as students showed up for the first day of classes, educators said this week. Roughly 1,800 teachers and staff of Los Angeles Valley College found themselves unable to access campus computers Tuesday, the start of the semester, due to being targeted by what District Chancellor Francisco Rodriguez described as "malicious cyber activity," Los Angeles Daily News reported this weekend. (link)
Fraud & Ethics Related Events
Jan 23, 2017: The former University of Arizona professor accused of stealing more than $200,000 from the school has been sentenced. John A. Marchello, 80, was sentenced to probation for six months and ordered to pay $83,000 in restitution to the U of A. He will not have to submit to drug or alcohol testing nor will he have to complete any counseling. Authorities said from January 2013 to November 2014, Marchello stole more than $220,000 from the student-run meat market on Campbell Road in Tucson. (link)
Jan 18, 2017: Former University of Wisconsin-Oshkosh Chancellor Richard Wells is accused of overseeing the illegal transfer of more than $11 million in university funds to support five Oshkosh-area building projects. A lawsuit filed Wednesday in Dane County by the UW System claims Wells and Tom Sonnleitner, retired UWO vice chancellor of administrative services, made illegal financial guarantees between 2010 and 2014 to secure backing for high-profile building projects on and around the Oshkosh campus and later used university funds to support foundation projects, which is prohibited by state law. (link)
Jan 11, 2017: The woman formerly in control of making "change" at University Hospital dining areas who was charged in the theft of $1.1 million was sentenced Tuesday to 18 months in federal prison. Kyejuana Avery also was ordered by U.S. District Court Judge Scott Coogler to pay restitution to UAB and once she has served her sentence to serve three years of release under the supervision of the U.S. Probation Office. The amount of restitution was not listed in court records on Tuesday. Between 2007 and 2013 Avery was employed as a financial account representative at the University of Alabama at Birmingham's Hospital Food and Nutrition Services Department, according to the plea deal. That department sells food and beverages at locations around University Hospital. (link)
Compliance/Regulatory & Legal Events
Jan 30, 2017: A Baylor University graduate who says she was raped by football players in 2013 sued the university Friday. Her lawsuit includes an allegation that 31 Baylor football players committed at least 52 acts of rape, including five gang rapes, between 2011 and 2014 -- an estimate that far exceeds the number previously provided by school officials. The woman, identified in the suit by the pseudonym Elizabeth Doe, reports being gang raped by then-Baylor football players Tre'Von Armstead and Shamycheal Chatman after a party on April 18, 2013. The woman, a 2014 graduate of Baylor, is now suing the university for Title IX violations and negligence. (link)
Jan 29, 2017: A state Senate bill would require New York colleges to compile reports on foreign-born students. The bill, which is sponsored by Senate Higher Education Committee Chairman Kenneth LaValle (R-Suffolk County) and a number of other Senate Republicans, would for the first time require private and public colleges and universities to compile statistical data regarding the number of foreign students on their campuses and the programs they are enrolled in. Such information, under the bill, must contain countries of origin, but wouldn't contain any personal identifying information like the student names. (link)
Jan 27, 2017: The Texas Supreme Court on Friday ruled that University of Texas System Regent Wallace Hall can't access admissions records and other student documents he has fought to obtain for years, probably putting an end to Hall's battles with university leaders. The court ruled in favor of UT System Chancellor Bill McRaven and said that Hall didn't have cause to sue the chancellor and that McRaven was within his rights to deny Hall access to the documents. The court decision from Justice John Devine said there "are concrete limits on Hall's claimed right to complete access," but these limits are set by the Board of Regents as a whole and not by McRaven as an individual. Hall, who is from Dallas, sued McRaven. (link)
Jan 25, 2017: The University of Louisville has formally disputed one of the four allegations levied against its men's basketball program and challenged three elements of another charge, according to the school's response to the NCAA released Wednesday. As expected, U of L contested the NCAA's fourth allegation, which stated that Cards head coach Rick Pitino "violated NCAA head coach responsibility legislation" as a result of infractions committed by former director of basketball operations Andre McGee from 2010-14. (link)
Jan 25, 2017: Syracuse University is under a second Title IX investigation, stemming from a complaint filed by a graduate student with the Department of Education's Office for Civil Rights, the university announced Wednesday. The student alleges that she has been subject to a hostile work environment in her academic department.The university was notified of the complaint this week while the OCR was visiting campus as part of a separate investigation, Interim Associate Vice President and Chief Equal Opportunity Officer Sheila Johnson-Willis said in a statement. (link)
Jan 24, 2017: A Kentucky judge has ruled in favor of the University of Kentucky in an open-records case involving its campus newspaper's pursuit of documents regarding a sexual harassment investigation of a former professor. Fayette Circuit Court Judge Thomas Clark reversed a state attorney general's opinion that said UK violated the state's open-records law by refusing to release documents on the professor's case to the student newspaper, the Kentucky Kernel. In his ruling made public Tuesday, Clark said the documents are "educational records" protected from disclosure by a federal student privacy law. (link)
Jan 23, 2017: A former Springfield College student is suing the school in federal court, arguing he was improperly expelled over drugs that weren't his -- and, beyond that, weren't even drugs. Zachary Wekilsky, a New Jersey resident, was a junior in good academic standing and a starting offensive guard on the Springfield College football team when he was bounced from the institution in December, according to a lawsuit filed in U.S. District Court. Residential staff found a white substance in his dorm room and administrators said it tested positive as cocaine, the complaint states. (link)
Jan 22, 2017: Ball State University presented the Indiana House Ways and Means Committee with a list of more than 100 government regulations it must comply with at an estimated cost of 11 percent of the school's operating budget. The list starts with affirmative action (requiring employers to attract and recruit minorities, women, persons with disabilities, and veterans) and ends with the Visual Artists Rights Act (granting rights to authors of art). "Some studies would say regulations account for about 11 percent or more of the operating budgets of higher education, which seems to be true in our case as well," BSU Interim President Terry King told lawmakers Jan. 18. (link)
Jan 19, 2017: Officials at most of Ohio's public and private colleges have decided the best action regarding a new state law allowing permit holders to carry a concealed firearm on campus is no action. Senate Bill 199, signed by Gov. John Kasich on Dec. 19 lifted the blanket prohibition on firearms but only if a college's board of trustees agreed to allow concealed carry on campus. Kasich's action occurred as Ohio's colleges emptied for winter break. Officials did not have a chance to discuss the law and address any concerns until recently. (link)
Jan 18, 2017: Open government advocates and Iowa's state universities are poised for a fight over whether federal copyright laws pre-empt state laws requiring government agencies to provide public access to state-generated documents and materials. The staff of the Iowa Public Information Board has found the University of Iowa broke Iowa's public records law by refusing to share its photos and video from the historic 2008 floods with a Cedar Rapids documentary filmmaker. (link)
Jan 18, 2017: Kellogg Community College violated the constitutional rights of a student who was arrested for trespassing while handing out U.S. Constitutions, a federal lawsuit says. The lawsuit follows similar legal action against Grand Valley State University. Students at both schools have complained that administrators have tried to limit free speech on campus by designating areas for free speech and requiring school permission before holding gatherings. (link)
Jan 13, 2017: Two prominent Republican lawmakers said they hope their party's majority can limit the Department of Education's role on campuses. Senator James Lankford, the chair of the Regulatory Affairs Committee, and Representative Virginia Foxx, the chair of the House Education Committee, expressed their desire to lessen the role of the department on K-12 and college campuses in separate statements to The College Fix. (link)
Jan 13, 2017: Former Idaho State University Museum of Natural History employee Kelly Pokorny has settled her sexual harassment lawsuit against ISU for $170,000. Pokorny claimed that she was sexually harassed by former museum director Herb Maschner and then punished by the university for reporting the harassment. The turmoil began on Oct. 25, 2013, when Pokorny claims Maschner followed her into her office, closed the door and forcibly kissed her and grabbed her buttocks. When she protested, Maschner left her office, according to Pokorny. (link)
Jan 12, 2017: An email sent out on Tuesday did more than just inform students about their academic status. Students who earned a GPA below 2.0 were notified in December about their academic progress, and on Jan. 10, another email was intended to inform students about ways to improve their GPAs. But university spokesperson Joan Todd confirmed that the university retention office sent emails to students on academic probation containing the names of other students on academic probation. To comply with the Family Educational Rights and Privacy Act (FERPA), schools can generally not disclose "personally identifiable information from an eligible student's education records to a third party" without written consent from the eligible student. (link)
Jan 11, 2017: Two and a half years after a fellow student accused him of rape, University of Miami graduate David Jia has filed a lawsuit against the student, the university and two former UM employees. In the lawsuit, filed last week in federal court, Jia argues that the rape allegations were false and that the university's investigation was "flawed and discriminatory," resulting in Jia being suspended for a semester. "From the very beginning, David Jia was treated unfairly as the guilty party because of the complete disregard to his side of the story or his witnesses," the suit states. (link)
Jan 10, 2017: The first of 37 defendants in a 2013 fraternity hazing death of a Baruch College student in Pennsylvania's Pocono Mountains to go on trial pleaded guilty Tuesday in Monroe County Court of Common Pleas in Stroudsburg, Pennsylvania. Ka-Wing Yuen, 25, of Brooklyn, N.Y., pleaded guilty to charges of conspiracy to hinder apprehension by evidence tampering, a third degree felony, and conspiracy to commit hazing, a misdemeanor. Three other felony charges were dropped. (link)
Jan 07, 2017: Legislation that would abolish the University of Louisville's board of trustees and allow Gov. Matt Bevin to appoint a brand-new one for the second time during his first term in office is on its way to the governor's desk. Bevin first reorganized the U of L board last summer using an executive order, which is the target of an unresolved lawsuit brought by Attorney General Andy Beshear. The Senate already approved the U of L legislation earlier this week, so the House's 57-35 vote in favor of the bill on Saturday means the proposal can now be signed into law by the governor. (link)
Jan 07, 2017: Penn State's costs related to the Jerry Sandusky scandal are approaching a quarter-billion dollars and growing, five years after the former assistant football coach's arrest on child molestation charges. The scandal's overall cost to the school has reached at least $237 million, including a recent $12 million verdict in the whistleblower and defamation case brought by former assistant coach Mike McQueary, whose testimony helped convict Sandusky in 2012. (link)
Jan 04, 2017: Already facing the prospect of owing nearly $5 million in an ongoing whistleblower case, Chicago State University has agreed to pay more than $1 million to end a separate lawsuit brought by another former high-ranking administrator. The latest $1.3 million settlement marks the second time in recent years that the university has either lost or settled costly disputes by former employees who claimed they were fired after reporting alleged misconduct by the school's former president, Wayne Watson. (link)
Dec 28, 2016: UNC-Chapel Hill has received a third notice of allegations from the NCAA in the academic fraud case, several weeks after appearing before the association's Committee on Infractions in a rare procedural hearing. The fresh set of charges from the enforcement agency marks yet another unusual turn in a case that has now stretched beyond five years. (link)
Dec 28, 2016: A former College of Charleston student is suing the school and the fraternity that hosted a party in August where she was allegedly disrobed, served drugs and alcohol, and raped while one of her attackers recorded the assault on his cellphone. The lawsuit, filed Friday in the Charleston County Court of Common Pleas, accuses C of C, its Board of Trustees, the Alpha Epsilon Pi fraternity and its Chi Omicron chapter of negligence for failing to "take proper precautions" or "develop adequate policies and procedures" that would have ensured the young woman's safety on the night she was allegedly raped. (link)
Dec 28, 2016: The U.S. Court of Appeals for the Third Circuit has ruled that Montclair State University is an arm of the state of New Jersey, and is therefore immune under the 11th Amendment from liability for an employee's discrimination suit. The decision reverses a ruling holding the university subject to Paula Maliandi's suit in federal court for claims under the Family and Medical Leave Act and under state law after she took leave for treatment of breast cancer and was offered only an inferior position upon her return. (link)
Dec 28, 2016: A Republican lawmaker called for UW-Madison to cancel a planned course on racism and fire its professor for posting tweets the legislator said condoned violence against police officers, warning Tuesday that the class could affect the university's funding in the next state budget. State Rep. Dave Murphy, R-Greenville, said he believes the course in the university's African Cultural Studies department called "The Problem of Whiteness" is inappropriate and a waste of money. Murphy joined Sen. Steve Nass, R-Whitewater, in saying that how the university handles the controversy over the spring 2017 course could have ramifications for its request for new state funding in the 2017-19 budget. (link)
Dec 28, 2016: The battle over whether graduate students at universities can unionize entered a new phase on Friday, when Columbia University filed a challenge with the National Labor Relations Board over the recent vote by its graduate assistants to unionize. The issue has gone back and forth depending on the makeup of the board, which said in August that graduate students at private institutions had a federal right to unionize. That decision overturned a ruling from 2004 that said graduate students at Brown University could not do the same. The rules for public universities are different. There, states can decide if graduate students can unionize. (link)
Dec 20, 2016: The NCAA has issued a notice of allegations to Rutgers football noting seven possible violations. The violations include academic misconduct that occurred under former coach Kyle Flood, who was suspended for three games by Rutgers before being fired in 2015. Flood is accused of providing an extra impermissible benefit to cornerback Nadir Barnwell after Flood directly contacted one of Barnwell's professors asking for Barnwell to receive special consideration in the course. (link)
Campus Life & Safety Events
Jan 30, 2017: A dean of students at Washington University in St. Louis has been indicted on federal child pornography charge, the U.S. attorney's office in St. Louis said Monday. Justin Carroll, 67, of University City, is charged with access with intent to view child pornography. Bond was set at $100,000. Carroll could face up to 20 years in prison if convicted. An indictment said Carroll, using an alias "MOperv," was caught with videos featuring prepubescent boys. U.S. Attorney Richard Callahan said investigators didn't discover any wrongdoing connected to Carroll's university responsibilities. (link)
Jan 29, 2017: University of Southern Mississippi police officials investigated an allegation of sexual battery, issued a citation for providing alcohol to a person under 21 and issued a Community Alcohol Violation for serving a drink called "Jungle Juice" after the Sigma Alpha Epsilon fraternity held a homecoming party Oct. 29. The university has taken disciplinary action against the approximately 30-member fraternity in connection with the party, barring it from hosting social events and placing it on disciplinary probation through spring semester 2018. There are also ongoing investigations and the possibility of more sanctions, the details of which university legal personnel said cannot be divulged under federal law. So far, no criminal charges have resulted from the campus police investigation. (link)
Jan 26, 2017: The FBI says scam artists post jobs looking for students for administrative positions. They say they receive counterfeit checks in the mail and are then asked to deposit them in their personal accounts. From there, the scammer directs students to withdraw funds from their account, send a portion via wire transfer to another person for materials or software deemed vital for the job. However, the checks are then determined to be fraudulent by the bank. "Don't accept a job that requires you to deposit checks into your own account, or where you would be wiring a portion of money from your account," says FBI spokesperson Todd Lindgren. (link)
Jan 23, 2017: A Kansas State student accidentally shot himself on Sunday on campus, and the school police are investigating criminal charges for the 19-year-old man. The man was taken to an area hospital for his injuries and his last known condition was stable, a news release said. Firearms aren't currently allowed in campus buildings or residence halls, although that's on track to change. Starting in July, a Kansas law will allow concealed guns on state college campuses unless a legislative effort to undo the law is successful. (link)
Jan 20, 2017: One man was shot and wounded, several people were hit with paint and officers avoided flying bricks outside the University of Washington's Kane Hall on Friday night, where Breitbart News editor and provocateur Milo Yiannopoulos addressed a crowd on President Trump's Inauguration Day. The 34-year-old shooting victim was in critical condition Saturday morning after undergoing surgery, at Harborview Medical Center, spokeswoman Susan Gregg said. (link)
Jan 19, 2017: A former Notre Dame College student photographer, David Zinram, who stole 656 pair of women's underwear from fellow students, including athletes he photographed, was sentenced to spend 10 days in Cuyahoga County Jail. Zinram's March arrest broke open a case that had puzzled Notre Dame campus detectives for months and struck fear across the campus dorms, Notre Dame College Police Chief Jeffrey Scott said. More than a dozen students in campus dorms filed complaints that their underwear and bras were taken from laundry rooms, and police were preparing to install undercover cameras to catch the thief, Scott said. (link)
Jan 17, 2017: A former university student Amjad "Mark" Hussain, 23, charged pleaded guilty Tuesday in St. Lawrence County Court to sending a note to a SUNY Potsdam professor in 2015 that threatened him and his family on the day his trial for a hate crime was originally scheduled. On April 26, 2015, while a student at SUNY Potsdam, Mr. Hussain said he intentionally harassed Associate English and Communications Professor John D. Youngblood by placing a note in his office that threatened physical harm to him and his family. (link)
Jan 11, 2017: North Carolina Central University police are investigating an apparent armed robbery that occurred near campus Tuesday night, the university said in a crime alert issued to students, faculty and staff. The student told authorities that she was standing in the roadway near the Farrison Newton Communications Building when she was confronted by two unknown men. One of the men walked up to her and took out a black handgun and demanded her purse, she said. The suspect took the purse and fled toward a house near Dupree Street. (link)
Jan 10, 2017: Amherst college is punishing the men's cross country team after an investigation into inappropriate online exchanges among team members. Late Monday night, Amherst College released a statement regarding the team following the investigation that started after an article in the school newspaper alleged a series of inappropriate emails and social media posts were sent around the team. The college called the exchanges "highly inappropriate" and several individuals have been suspended from varsity athletics for periods ranging from three contests, to the rest of their time at Amherst College. (link)
Other News & Events
If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports,
colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.
If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.
Back to top
|