
Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

June 2018
Vol. 10 No. 06
Quotable...
“Once you've lost your privacy, you realize you've lost an extremely valuable thing.”

-- Billy Graham

You've probably noticed an increase in privacy notice boxes popping up as you navigate the internet over the past few weeks. If you've wondered why these have increased lately, it's partially due to a new regulation out of Europe called the General Data Protection Regulations (GDPR). GDPR certainly will impact all of us in some way, so I've asked Robert Gottesman, AU's Director of Compliance & Privacy, to discuss the background on this regulation along with some implications.

*************

Concerned with the growing amount of citizens' data maintained in databases on its computer systems, an advisory committee of the U.S. Department of Health, Education, and Welfare (HEW) published a report entitled Records, Computers and the Rights of Citizens in 1973. The report was intended to have Congress codify a set of Fair Information Practices Principles (FIPPS). The following year Congress passed the Privacy Act and the Federal Educational Rights and Privacy Act (FERPA). The FIPPS contained best-practice guidance for data collection, use, and dissemination of personally identifiable information (PII):

  • Transparency: Individuals should know what data is being collected about/from them, how it is used and disseminated;
  • Individual Participation: Wherever practicable, consent should be obtained prior to collecting data from/about individuals;
  • Purpose Specification: Articulate the authority that permits the collection of PII and the purpose for the collection;
  • Data Minimization: Only collect PII (or any data) that is relevant and necessary to accomplish the specified purpose(s) and only keep data for as long as necessary;
  • Use Limitation: Only use the PII for the purpose that it was collected and/or consent was granted;
  • Data Quality & Integrity: Organizations should work to ensure that PII is accurate, relevant, timely, and complete;
  • Data Security: Organizations should protect PII through appropriate security safeguards;
  • Accountability & Auditing: Organizations need to be accountable for complying with these principles and provide training to those who use or access the data.

These FIPPS continue to guide the development of policies and laws across the globe. As you no doubt noticed, on May 25, 2018, most of the companies with whom you have conducted e-commerce, or to whom you have provided information, updated their Privacy Notices. These organizations wanted to make sure that you were aware of these changes, and you probably received an inbox full of such notifications. The impetus behind this activity was the enactment of the General Data Protection Regulations (GDPR). GDPR is a European Union (EU) law which was designed to harmonize data privacy laws across Europe. GDPR puts constraints around the collection and processing of PII by organizations located in the EU and by any organizations who collect or process personal data of individuals located within the EU. These constraints all draw upon the HEW FIPPS drafted in 1973.

Most major research institutions within the U.S. actively recruit students within the EU (by sending admissions material or officers to the EU or through their public-facing websites); receive applications for admission and employment from individuals within the EU; provide study-abroad experiences for students and faculty; solicit development funds from individuals in the EU; conduct research involving EU individuals or sites; and enter into contracts with entities located in the EU. While the penalties for non-compliance with GDPR can be steep, it is the protection of our reputation within the EU which will drive us to take this new law seriously.

With the recent Facebook/Cambridge-Analytica scandal and the most recent revelation that Facebook has (or had) data-sharing partnerships with many device makers giving them broad access to user data, policy makers are engaged in discussions which may very likely lead to additional U.S. legislation mandating the FIPPS-principles when organizations are engaged in the collection and processing of PII. As proactive managers, we should all be helping identify areas where our own data collection and processing practices could be improved.

*************

Thanks, Robert, for this great information and background on GDPR. Data stewardship and privacy are vital topics for us to keep in mind in the University environment and ones we will continue to monitor. We again invite you to review the events of the prior month with an eye toward proactive risk management for your area of influence. As always, we welcome your comments and feedback.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy



Information Security & Technology Events

June 28, 2018: California has passed a digital privacy law granting consumers more control over and insight into the spread of their personal information online, creating one of the most significant regulations overseeing the data-collection practices of technology companies in the United States. The new law grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it. It gives consumers the right to tell companies to delete their information as well as to not sell or share their data. Businesses must still give consumers who opt out the same quality of service. (link)

Jun 25, 2018: About 4,500 Arizona State University students received unexpected, erroneous charges on their university billing accounts last week. Students who received merit-based scholarships in the 2017-18 school year were accidentally billed for part or all of the scholarships. ASU's computer system glitched, causing documentation of students' merit-based scholarships to be removed, the university said. That, in turn, caused the accounts to show a balance due. (link)

Jun 15, 2018: A Jeopardy! champion and former Adrian College professor who hacked college email accounts pleaded guilty to a felony this week. She admitted on Wednesday, June 13, to unauthorized access to a computer, program or network, punishable by a maximum of five years in prison and a large fine. Jass had taken advantage of a campus-wide password reset in the spring of 2017 to see messages sent to or received by President Jeffrey Docking and outgoing Vice President Agnes Caldwell, according to a Michigan State Police report. (link)


Fraud & Ethics Related Events

June 25, 2018: Silicon Valley artificial intelligence company MedWhat has filed a lawsuit against their investors Stanford University, Stanford-StartX Fund, and Marc Tessier-Lavigne president of Stanford University, Susan Weinstein VP of Stanford, Suzanne Fletcher StartX fund manager, in the Superior Court of California County of San Francisco. MedWhat alleges that Stanford University and their venture capital fund is full of conflict of interests with Stanford University members and other Silicon Valley venture capitalists, with unethical behavior, lying, and fraud. According to MedWhat, there's a fundamental lack of transparency, honesty, and fair play at Stanford University and their startup accelerator StartX's Stanford-StartX Fund. (link)

Jun 01, 2018: A biology lecturer at Medgar Evers College, a part of the City University of New York, pleaded guilty on Thursday to one count of federal wire fraud for teaching unauthorized health care classes and selling students bogus course-completion certificates. Mamdouh Abdel-Sayed, a full-time tenured lecturer, admitted in Federal District Court in Manhattan that he had "abused his position on the CUNY faculty to enrich himself," said Geoffrey S. Berman, the United States attorney for the Southern District of New York, whose office prosecuted the case, alongside the New York State inspector general and the federal Education Department's Office of the Inspector General. (link)


Compliance/Regulatory & Legal Events

Jun 26, 2018: The University of North Carolina at Chapel Hill violated federal law in its handling of sexual harassment and sexual violence complaints, the Office for Civil Rights of the Department of Education found. The United States Department of Education notified on Monday four former students and a former administrator who had filed a federal complaint more than five years ago, alleging UNC had failed to maintain compliant policies and grievance procedures that provided for the prompt and equitable resolution of sexual harassment and sexual violence complaints, and that the University failed to equitably respond to complaints of sexual harassment and sexual violence. (link)

June 24, 2018: Allegations of sexual abuse carried out over decades by team physicians at Michigan State and Ohio State are sending ripples through university athletics departments, with some schools exploring whether more oversight is needed for figures in such powerful positions. The scandals involving former Michigan State team doctor Larry Nassar, who was also a physician for USA Gymnastics, and Richard Strauss, a former Ohio State doctor, reveal how the trust and intimacy granted to team physicians can also provide cover for sexual predators. (link)

Jun 22, 2018: A former pension manager barred by the Securities and Exchange Commission helped convince his former colleague -- the man who oversees the University of Michigan's endowment -- to pour nearly $100 million into funds he represented. U-M's entanglement with the unregistered broker, which has not previously been reported, is seen by some critics as an example of what has long worried the university's watchdogs: a lack of sufficient oversight and robust due diligence to avoid conflicts of interest at one of the nation's largest college endowments. (link)

Jun 21, 2018: A former part-time Angelo State University adjunct instructor pleaded "no contest" Wednesday, June 20, 2018, to charges he solicited prostitution after answering a personal ad on the website Backpage. In January, Michael Edward Hettick, 56, and two other men were arrested on suspicion of Class B misdemeanor solicitation of prostitution, punishable by up to 180 days in jail and a fine up to $2,000. (link)

Jun 18, 2018: The University of Washington has settled a lawsuit with the UW College Republicans club over $17,000 in security fees the university planned to charge the club for holding a rally Feb. 10 with the conservative group Patriot Prayer. The College Republicans argued that the security fee unconstitutionally infringed upon their First Amendment freedom of speech rights by making it unaffordable for them to host events that could lead to violent protests. (link)

Jun 18, 2018: The University of Michigan is pushing back against a lawsuit challenging the constitutionality of the school's "Bias Response Team" and policies that allegedly chill campus speech. In a court filing on Friday, the university said the lawsuit, filed last month by the watchdog group Speech First, presented a "false caricature" of the school's conduct code and how it is implemented. (link)

Jun 15, 2018: Harvard consistently rated Asian-American applicants lower than others on traits like "positive personality," likability, courage, kindness and being "widely respected," according to an analysis of more than 160,000 student records filed Friday by a group representing Asian-American students in a lawsuit against the university. Asian-Americans scored higher than applicants of any other racial or ethnic group on admissions measures like test scores, grades and extracurricular activities, according to the analysis commissioned by a group that opposes all race-based admissions criteria. (link)

Jun 15, 2018: The Department of Homeland Security (DHS) is investigating an alleged identity theft ring run out of a home in Rancho Penasquitos. A federal search warrant obtained by NBC 7 shows the Chinese national living there was paid thousands of dollars to get Chinese students admitted into California universities. According to the search warrant filed in federal court Wednesday, the subject of the investigation helped Chinese students get into the U.S. illegally and enroll into state schools by having imposters with fake IDs take entrance exams for them. (link)

Jun 15, 2018: A federal judge has ordered the University of Michigan to "immediately" release to a student his transcripts pending the outcome of a sexual assault investigation. U.S. District Judge Arthur Tarnow issued the order Thursday, 10 days after the engineering student sued U-M, claiming the university is interfering with his future by placing a hold on his transcripts while it investigates claims that he sexually assaulted a female student in his dorm room last fall. (link)

Jun 15, 2018: An Elon University student is suing the university alleging unfair treatment when it suspended him over a fight with the son of a major donor who, the suit says, got a much lighter punishment. The suit was filed this week in Alamance County Superior Court by Elon student Samuel Shaw. Shaw is suing the university for breach of contract and is seeking at least $25,000 in damages. (link)

Jun 13, 2018: A university teaching assistant who gained prominence after being disciplined for showing students a TV clip of a controversial professor discussing gender-neutral pronouns is suing the school. In an unproven statement of claim filed this week, Lindsay Shepherd says Wilfrid Laurier University behaved negligently, leaving her unemployable in academia. The suit, not tested in any court of law, names the school in Waterloo, Ont., two professors, and a manager of the university's diversity and equity office. It seeks a total of $3.6 million in various damages. (link)

Jun 12, 2018: A UC San Diego Computer Science and Engineering (CSE) professor is receiving backlash for humiliating a student and releasing the student's private information on a public question-and-answer forum this past weekend. Rundong Zhong, an international student and Math/CS major, posted a question on Piazza, a commonly-used forum that allows classmates and professors to address questions students may have. Zhong asked if he could put "funny stuff" on a website project for the class. In response, CSE Professor Susan Marx said that she would reprimand the tutor who approved of Zhong's cat homepage idea. She also publicly revealed his academic status and devalued the community college he previously attended. (link)

Jun 12, 2018: Former Colorado State University assistant professor Christina Boucher wants her lawsuit against the university alleging retaliation for reporting sexual harassment to be decided at trial. Boucher said prior to reporting the alleged harassment, she had positive evaluations and feedback from colleagues and collaborators. But after reporting the harassment allegation, she said her evaluations came back negative, and the person accused of harassment was still allowed to evaluate her performance. She alleges that she was then removed from tenure track and forced to leave the university. (link)

Jun 11, 2018: The University of St. Thomas is defending its decision not to issue a campus-wide alert after firing a UST Police officer for alleged misconduct. On Friday, Eyewitness News reported that the UST terminated a police officer for possible sexual assault of a young woman after conducting a traffic stop. When we questioned UST officials on why there was no security alert issued, the university responded with a terse statement saying basically the location of the alleged assault means it was not subject to the Clery Act, which requires universities that participate in federal student aid to report crime incidents that happen on or near the campus. (link)

Jun 06, 2018: The woman who made up rape allegations against two Sacred Heart University football players pleaded guilty on Tuesday to lying to police. Nikki Yovino, 19, of South Setauket, N.Y., reportedly made up the allegations in order to gain the sympathy of another student she wanted to date. As part of a plea bargain, the young woman will be sentenced on Aug. 23 to "three years, suspended after she serves one year in prison and followed by three years' probation," the CT Post reported. (link)

Jun 06, 2018: A man who lives near the Santa Fe College Teaching Zoo, from which 11 animals were recently stolen, was arrested Tuesday afternoon in connection with the theft, and the investigation is ongoing. Meanwhile, several of the animals have been recovered and returned to the zoo. They appear to be in good condition. Sedrick Tyrezi Price, 20, is charged with grand theft, according to a SFC Police Department arrest report. The value of the animals was between $10,000 and $20,000. (link)


Campus Life & Safety Events

Jun 26, 2018: A former Pennsylvania State University employee has been charged with filming people inside a bathroom on campus. The State College Area School District says a student reported being filmed at the Bryce Jordan Center during a prom held in May. The student told police a man that he thought was a chaperone led him to a restroom. The student says he later heard the sound of video being recorded and saw a camera pointing in his direction. (link)

Jun 25, 2018: A University of Iowa faculty member has been barred from recreation buildings on campus for six months after he was accused of taking pictures of women during workouts at UI's Campus Recreation and Wellness Center. Jeffrey Nock, a lecturer from the John Pappajohn Entrepreneurial Center, was issued a criminal trespass warning along with a harassment warning notice April 25, according to a University of Iowa Police incident report. (link)

Jun 22, 2018: A Twitter page called Texas Tech Students has released a series of tweets from a chat group that displays what Texas Tech has called "racially charged" commentary regarding undocumented immigrants. The chat group was made public by Texas Tech Students Thursday evening and shows vulgar statements. Other comments are more driven towards disdain for undocumented immigrants in the United States and thoughts on how to deal with the issue such as "the us govt. can sell permits for legal hunting on the border and we can make a sport of this, can be a new tax revenue stream for the govt." (link)

Jun 21, 2018: University of California campuses at Berkeley, Los Angeles and Davis did not consistently discipline faculty who were subject to multiple sexual harassment complaints, according to a state audit released Thursday. Those campuses also took much longer to discipline members of the Academic Senate, who include tenured faculty, than staff. (link)

Jun 20, 2018: Christopher Adam Strahan, 22, a resident of Corvallis, was indicted Wednesday for threatening a campus shooting at Oregon State University, the U.S. Attorney's Office - District of Oregon reports. The indictment alleges Strahan threatened to shoot classmates at OSU in a series of tweets on February 27, 2018. He is charged with a single count of making threatening communications in violation of 18 U.S.C. § 875, the report states. (link)

Jun 12, 2018: The University of Iowa responded Tuesday following hundreds of social media posts from women saying they were sexually harassed online and in person by a man who is a student at the university. A Twitter post Sunday afternoon had a simple request: Retweet, or share, the tweet if you had been hit on by the man. The tweet spawned 1,200 retweets and drew 220 comments, mostly from women sharing screenshots of unwanted, and some overtly sexual, comments they received through social media from allegedly the same man in question. (link)

Jun 12, 2018: William Paterson University is reviewing reports alleging that a sociology professor made biased comments and shared conspiracy theories in class, including telling students that the moon landing was faked. Benny Koval, a student from Fair Lawn, said she raised concerns after the professor, Clyde Magarelli, said things in class that she described as questionable and made her uncomfortable as a Jew. She recorded and shared some of his comments on Twitter. (link)

Jun 11, 2018: Ohio State University's board of trustees approved a resolution last week that would allow some off-duty officers to carry concealed weapons on campus. The resolution applies to officers that, in case of an emergency situation, are likely to be first responders, university spokesman Benjamin Johnson said. The officers would be able to carry a firearm into buildings, events and venues, as long as they follow appropriate protocols and check-in procedures set by the university. (link)

Jun 11, 2018: A Nobel laureate decries the "hate speech." The university president accuses faculty critics of seeking to stifle academic freedom. Professors tar each other as "disingenuous," spreading "baseless lies and accusations." The normally tranquil Orange County campus of Chapman University is in the throes of a bitter controversy -- all due to a $5 million donation from the Charles Koch Foundation. (link)

Jun 09, 2018: A 24-year-old Arizona man is facing federal charges for allegedly threatening to shoot black Harvard University students and bomb the school to "end their pro-black agenda." On May 13, 2017, Nicholas Zuckerman allegedly made the racist and threatening comments on Harvard's Instagram page, according to the Massachusetts U.S. Attorney's Office. (link)

Jun 08, 2018: The University of Oklahoma has returned donations made by a retired professor accused of sexual harassment and banned him from working on campus more than two years after the school first investigated him. The university announced the moves Thursday, a day after about 30 people signed a statement accusing John Scamehorn of sexual harassment and inappropriate behavior while he had access to drama school events as a university donor. Among other things, they accused him of making sexual advances, stalking and coercing them into embarrassing photographs. They said their complaints were ignored by the university. (link)

Jun 08, 2018: Syracuse University suspended 15 members of a fraternity following the release of a video showing pledges using racial slurs and simulating a sexual assault of a disabled person, lawyers for the students said Friday. Video posted by a school newspaper in April showed a group of men laughing at performances punctuated by racist language against blacks, Jews and Hispanics and simulated sex acts. The footage sparked protests on campus and made national headlines. (link)

Jun 04, 2018: A man is facing a felony charge after officers say he threatened to burn down a university. David Dillistone, Jr. is charged with threats of terrorist acts. Charleston Police arrested him Friday. They say on May 31, Dillistone, 38, sent threats via Facebook Messenger that he knew ten other veterans who would help him burn down the University of Charleston. (link)

Jun 01, 2018: Two males have been arrested after police say they committed an armed robbery outside of a University of Iowa residence hall. The Iowa City Police Department released a statement Friday saying officers have arrested two suspects, one adult and one minor, in an armed robbery that happened early in the morning. University of Iowa Police also assisted, the release said. (link)

Jun 01, 2018: Arab Andy, a YouTuber who is known for pulling pranks and livestreaming them on YouTube and other online mediums, was arrested Thursday after he planned a fake bomb scare at the University of Washington in Seattle, Washington, making students scream and run for their lives. The incident, which took place at around 5:30 p.m. EDT, was livestreamed by Arab Andy on YouTube Live, Twitch and later uploaded on Neat Clip. In the video, Arab Andy was seen walking into a classroom full of students and recording their reactions after a bomb threat was announced on speakers. (link)


Other News & Events


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.



Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.