Having trouble viewing this email? View it in your browser.

Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

October 2020
Vol. 12 No. 10
Quotable...
“The only thing necessary for the triumph of evil is for good men to do nothing.”

-- Edmund Burke

Each month we bring you this publication with one purpose: to encourage the proactive management of risk at colleges and universities. We began this as an Auburn University effort but it has grown to reach a worldwide audience in the higher education industry. We hope that we help you and your institution become a little better at proactively managing risk each month.

One other thing we do here at AU is educate all new full-time employees on this principle during employee orientation (regardless of their role). One slide I use in this presentation has the title, ''The World Has Changed.'' On this slide are headlines from issues, scandals, and crises from our industry. The point I make on this slide is that we need everyone's help to avoid becoming a headline and enduring some negative event that would not only impact our institutional reputation, but most likely cost us scarce resources.

Simply speaking up when you see an issue is one of the most important things our employees can do to assist in proactively managing risk. Managing risk is not a job title or duty, it's a responsibility inherent to all employees of a college or university. Developing this culture is critical for all institutions.

One headline that has been on my orientation slide for a couple of years reads ''Lauren McCluskey's parents file $56 million lawsuit against the University of Utah.'' I added this headline when the case first became public. This month the Salt Lake Tribune reported that the case had settled as you read below:

''Acknowledging for the first time that the on-campus murder of track star Lauren McCluskey was ''preventable,'' the University of Utah agreed Thursday that it could have better protected her and failed — and it will pay out $13.5 million to her parents as part of a legal settlement.''

A tragic story for sure. I won't go into details of the apparent failure here, but I want to point out that we've passed the time in higher education where doing nothing is an option. So while this story is awful, it provides a lesson that all of us in higher education can learn from, and in doing so, help prevent the next Lauren McCluskey case from occurring. As the father of a daughter in college, I think we owe that to our students, to my daughter, and to all the people who come to our campus. The question is will we? Will you?

We again invite you to review the various events that have occurred in our industry with a view toward proactive risk management. As always, we welcome your comments and suggestions.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy
Follow us onTwitter



Information Security & Technology Events

Oct 20: Breach: Hackers carefully considered the timing of the Oct. 5 cyberattack on Heartland Community College. ''We could see that there was heavy activity starting at about 1 a.m., so it was intended and targeted to be disruptive,'' said Heartland Chief Information Officer Scott Bross. The college started seeing systems problems at the beginning of the business day, 7-8 a.m. He said there were multiple tools used to crash systems and equipment, and even some encryption of data, a common tactic for those who try to pry ransom money out of institutions in return for access to their own data. Forensic examinations have yet to show any student or staff data was taken away. (link)

Oct 19: Breach: Software that helps monitor university students taking exams has been shut down after the developer detected a security breach. New York-based Verificient Technologies is the developer of Proctortrack, a program that watches students while they take online exams to ensure they are not cheating. Last week, Verificient revealed in a release that it had detected a security breach at one of its servers, and that a malicious actor managed to log into one of the company's servers in Europe and sent fraudulent emails. The malicious actor even ''played around with some files,'' (link)

Oct 17: HIPAA Breach: Michigan Medicine is notifying 1062 patients about an email that may have exposed their email addresses and health information to others. Emails containing information about an Inflammatory Bowel Disease event were sent to patients in late September without the blind copy function being used to hide email addresses, so patients' email addresses were visible to all recipients. (link)

Oct 15: Identity Theft Risk: With all the turmoil that COVID-19 has created on college campuses, protecting themselves from identity theft probably isn't top of mind for students. However, even in normal times it's not a concern to many of them. A study by the Identity Theft Resource Center found that 64 percent of college students weren't very worried about becoming the victim of fraud. And they're the least likely demographic group to detect fraud on their own. (link)

Oct 01: Ransomware OFAC Warnings: Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today. In its advisory (PDF), the Treasury's Office of Foreign Assets Control (OFAC) said ''companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.'' (link)


Fraud & Ethics Related Events

Oct 27: Research Ethics: inewsource has uncovered another example of UC San Diego not telling vulnerable research subjects that their private information was exposed and that the university's mistake may have put them at risk. The privacy breach involves California prison inmates who were part of a UCSD behavioral study. Their taped conversations, including comments criticizing prison guards, were wrongly shared with the officers. The study, which examined the effects of art on incarcerated men, was ultimately terminated in 2018 following that "intentional breach of trust," according to records obtained by inewsource. (link)

Oct 24: Misconduct Reporting: A financial consulting firm hired by Liberty University to investigate allegations of wrongdoing by former president Jerry Falwell Jr. has launched a website for employees to confidentially report evidence of misconduct. The launch of the website represents the first public phase of an independent and wide-ranging investigation by Baker Tilly US into Falwell's tenure as president. Liberty's board retained the Chicago-based firm in late August after Falwell resigned following a string of scandals, including allegations of self-dealing. (link)

Oct 09: Embezzlement: A former band director at Southern University in Louisiana has pleaded guilty to embezzling $30,000 from the school by submitting fraudulent expenses. A report released last year by Louisiana Legislative Auditor also said the band director pocketed more than $293,000 from public funds owed to the school, and set up a collection system with an unauthorized third party to collect the money. (link)

Oct 02: Imposter Fraud: Montgomery College lost $2.8 million in a fraud scheme last year, according to a financial audit released Thursday afternoon. In September 2019, the college announced it had fallen victim to and lost money in a fraud scheme, but released few other details, citing an ongoing federal investigation. (link)


Compliance/Regulatory & Legal Events

Oct 29: Privacy & Breach of Contract Lawsuit: With the help of the Liberty Justice Center, four undergraduate Indiana University Bloomington campus students are suing the university and its President Michael McRobbie over privacy violations and breach of contract. The suit stems from a 2018 university investigation during which the university searched the student ID card swipe data of students Cameron Gutterman, Dale Nelson, Hunter Johnson and Brian Hiltunen. Using the data, Indiana University tracked the on-campus movements of the four students, freshmen at the time, without warrants and without permitting a neutral third party to challenge their action. (link)

Oct 29: Sexual Misconduct: A former University of Michigan professor could be facing up to 15 years in prison after being charged with two counts of transporting a minor girl across state lines with the intent to engage in sexual conduct. Stephen Shipps, 67, was arrested Thursday morning in Ann Arbor, according to a release from the U.S. Attorney Matthew Schneider. Shipps was employed by the UM School of Music, Theatre and Dance as a violin professor. He retired in February 2019, the release said. (link)

Oct 27: NCAA Violations: The NCAA is stripping the University of Massachusetts women's tennis team of three years of victories, including the 2017 Atlantic 10 championship, over the improper reimbursement of a $252 phone bill. The governing body concluded the Amherst school provided impermissible financial aid benefits that exceeded the full cost of attendance to two women's tennis and 10 men's basketball players. The basketball team will vacate 59 wins as a result of the sanctions. (link)

Oct 28: Diversity Training Executive Order: The University of Memphis has recommended that all diversity training scheduled for the fall semester be suspended, citing a recent executive order by President Donald Trump. Signed in late September, the "Executive Order on Combating Race and Sex Stereotyping" takes aim at trainings that are "rooted in the pernicious and false belief that America is an irredeemably racist and sexist country; that some people, simply on account of their race or sex, are oppressors; and that racial and sexual identities are more important than our common status as human beings and Americans." U of M said the order is applicable to the university because it is a federal contractor and receives federal funding. (link)

Oct 27: Sexual Crimes Against Minors: A former officer at Winthrop University has been charged after being accused of committing sexual crimes against minors, according to a release. Agents from the SC Law Enforcement Division announced 48-year-old Charles Eugene Price was arrested and served 49 additional warrants. (link)

Oct 27: NCAA Violations: The University of Arizona has been served with nine allegations of misconduct, including five Level I allegations, the most serious under NCAA rules, following a multiyear investigation of its men's basketball program, sources confirmed to ESPN on Sunday. The Athletic, which first reported the number of allegations, also reported on Sunday that Arizona has been charged with lack of institutional control and failure to monitor, and Wildcats coach Sean Miller has been charged with lack of head coach control. (link)

Oct 26: Open Records Request Denial: Cal State Fullerton is withholding all financial records of the past five years from the Department of Extended Education following the Orange County District Attorney filing charges of embezzlement against a CSUF former employee. (link)

Oct 22: Foreign Funding: Harvard has received over $1.1 billion in foreign funding since 2012, per an initial Department of Education report. The DOE examined Harvard and other universities' compliance with foreign funding criteria. Its release comes as department officials are investigating Harvard's funding from contracts or gifts connected to the governments of China, Iran, Russia, Qatar, and Saudi Arabia. Harvard is one of 12 institutions currently under investigation. The Department is also examining funding practices at MIT, Yale University, Stanford University, Georgetown University, University of Texas, Cornell University, Texas A&M University, Rutgers University, University of Maryland, Case Western Reserve University, and Fordham University. (link)

Oct 21: Negligence Lawsuit: A photographer is suing the owners and handlers of the University of Texas' live mascot for negligence, saying he suffered permanent neck and back injuries when the longhorn steer charged out of its pen and plowed into several people at the 2019 Sugar Bowl. According to the petition, Wagner was on one knee shooting photos of Georgia's English bulldog mascot, Uga X, before the Texas-Georgia game at the New Orleans Superdome on Jan. 1, 2019, when the steer, Bevo XV, charged at the dog. (link)

Oct 19: TItle IX: William & Mary has reinstated women's swimming, gymnastics and volleyballs teams after being threatened with a Title IX lawsuit. The university announced the decision to the student-athletes via Zoom Monday. ''This is a major victory for gender equity, everyone at William & Mary, and all who care about fairness and the law,'' Arthur Bryant, attorney at Bailey & Glasser LLP, who represented the women's sports teams, said in a prepared statement. ''The school has decided to do the right thing: reinstate the women's gymnastics, swimming, and volleyball teams; create a detailed plan to ensure gender equity; and commit to get into compliance with all aspects of Title IX in two years.'' (link)

Oct 19: Clean Air Act Lawsuit: A judge denied the University of North Carolina's motion to dismiss nine out of 10 allegations that the campus's coal plant violated the Clean Air Act, according to the Center for Biological Diversity, one of the plaintiffs in the lawsuit. The court refused to dismiss claims numbered two through 10, which allege UNC had air-permit violations regarding pollution control, pollution monitoring and noncompliance reporting requirements, the center said in a press release. (link)

Oct 19: Civil Rights Compensation Demand: The University of Iowa said it would not pay a demand from eight Black former football players for $20 million in compensation for alleged racial discrimination they faced while playing for the Hawkeyes. The university general counsel's office released its response Sunday to a 21-page certified letter dated Oct. 5 from civil rights attorney Damario Solomon-Simmons of Tulsa, Oklahoma, who is representing the players. (link)

Oct 15: Failure to Report Title IX complaint: A former Texas A&M Central Texas University police Officer was arrested Tuesday with the assistance of the U.S. Marshals Service Lone Star Fugitive Task Force. He's held in lieu of bonds totaling $105,000 charged with stalking and harassment. The arrest stems from an ongoing investigation of allegations a student's harassment complaints against a university employee went unreported. The investigation started on March 11 when police received information that Charles Edward Rodriguez, while serving as chief of the campus police force at A&M Central Texas, failed to report Title IX violations as required by law after the student made the complaint against a former university employee. (link)

Oct 09: Lawsuit: University Professor Charles M. Lieber filed a complaint against Harvard in Middlesex County Superior Court Friday morning, alleging that the University broke its contract by refusing to indemnify him for his criminal defense. In January, Lieber was arrested on federal charges of making fraudulent statements to U.S. government officials who were investigating his funding sources. Federal officials alleged he misrepresented his affiliation with the Thousand Talents Program and failed to disclose funding from the Chinese government. (link)

Oct 09: Sexual Assault: A former Idaho State University student has pleaded guilty to filming himself sexually assaulting an 8-year-old boy in a campus bathroom. Andrew John Jemmett, 20, reached a plea agreement on Thursday. Jemmett agreed to plead guilty to a federal felony sexual exploitation of a child charge in exchange for prosecutors not seeking any additional charges against him. The agreement also holds federal prosecutors to recommend sentencing outlined by the United States Sentencing Commission Guidelines. (link)

Oct 08: Research Theft: An ex-professor at Stony Brook University will spend time in prison after admitting to stealing state and federal funding that was earmarked for cancer research. Acting U.S. Attorney Seth DuCharme said that between December 2013 and December 2017, the professor created two sham companies that purportedly provided research items and equipment for his cancer-related research projects. (link)

Oct 07: Pay Discrimination: A U.S. Department of Labor review of salaries between 2012 and 2014 found the women were being paid less than male professors at Princeton with the same jobs, experience and credentials. After years of contesting the findings of the federal pay discrimination investigation, Princeton University has agreed to pay nearly $1.2 million -- including $925,000 in back pay and at least $250,000 in future salary adjustments -- to female professors. (link)

Oct 05: Double Jeopardy?: Cardiology professor Michael Simons MED '84 can move forward in his case alleging that the University discriminated against him because he is a man by punishing him twice for the same sexual harassment offense, a judge ruled last week. Simons, who is still a University employee, was found guilty of sexual harassment in 2013. At the time, he was the chief of cardiology at the School of Medicine and chief of cardiovascular medicine at Yale New Haven Hospital. He also held the Robert W. Berliner endowed chair. When Berliner's daughter objected to Simons' chairship, the University transferred him to the Waldemar von Zedtwitz professorship. But after backlash from students, faculty and alumni, the University removed him from the position. (link)

Oct 02: Hazing Lawsuit: A Bucknell University sophomore filed a lawsuit last week against the university and Kappa Delta Rho (KDR) fraternity on grounds that he has suffered permanent damage after a ''brutal hazing'' earlier this month. The lawsuit names both Bucknell University and the fraternity as defendants and alleges both failed to keep instances from happening. (link)

Oct 02: Tuition Refund Lawsuit: A federal judge on Thursday ruled that Northeastern University didn't promise students in-person learning after the coronavirus pandemic forced the college to switch to remote instruction, denying several students refunds on their tuition. U.S District Court Judge Richard Stearns largely dismissed the class action lawsuit brought by two first-year students after the university moved from on-campus to remote instruction on March 12, noting that the complaint ''does not plausibly establish that the parties' contract included any right to in-person instruction.'' (link)

Oct 02: Tuition Refund Lawsuit: Yale filed a motion to dismiss a class-action lawsuit from a stduent that claims the University should partially refund tuition after switching to online classes for much of the spring 2020 term. Yale's motion was filed in U.S. District Court in Connecticut. In the student's original complaint, he alleged that the University breached its contract and was unjustly enriched by switching to online classes without refunding students' tuition. But in its response, Yale claimed that courts cannot judge the academic experience a school offers. ''Put simply, no breach of contract arises simply because a plaintiff subjectively feels ''that the education was not good enough,'' Yale's response reads. (link)


Campus Life & Safety Events

Oct 28: Free Speech Lawsuit: A lawsuit challenging the University of Texas over policies relating to speech can move forward after a federal appeals court held that a national free speech group has legal standing to pursue the case. Speech First, a Washington, D.C.-based group that offers to sue schools over censorship issues, filed suit against UT in late 2018 over university policies that the group said are restrictive and violate students' First Amendment rights to free speech. (link)

Oct 27: Alleged Battery & Disorderly Conduct: Joseph Desmond, a senior in the Krannert School of Management and Purdue Pete, was arrested on multiple charges at McDonald's at 605 W. Stadium Ave around 2 a.m. Oct. 11, according to a probable cause affidavit filed today.The WLPD amp;officer was advised that two men were allegedly fighting in the parking lot, and one hit the other with his vehicle. Desmond is listed in the Purdue Athletics Spirit Roster for the 2019-2020 season. (link)

Oct 26: Attack & Robbery: A longtime LSU football fan was beaten and bloodied during a robbery in a restroom at Tiger Stadium in Baton Rouge, La., on Saturday following a game. Season ticket-holder Daniel "Danny" Dwyer told The Advocate the incident happened after the LSU's win over South Carolina and after the Golden Band from Tigerland, the school's marching band, played its final song. Dwyer said the moments before the attack were very quiet because the usual raucous crowd was not around because of limited seating capacity under the state's coronavirus restrictions, but he did not sense anyone standing behind him before the attack started. (link)

Oct 23: Stay in Place Order: University of Michigan undergraduate students cannot leave their residences, except for a few exceptions, under a two-week stay-in-place order issued Tuesday, Oct. 20, in an effort to curb the rise in COVID-19 cases in Washtenaw County. To enforce the order, the Washtenaw County Health Department and UM Division of Public Safety and Security are taking an “education first” approach rather than penalties and fines. (link)

Oct 21: Chokehold Ban: University of Northern Iowa's Department of Public Safety has updated its ''use of force policy'' to ban chokeholds in most cases and to require officers intervene and report instances of unreasonable force following a summer review compelled by civil unrest and policing protests. UNI recently wrapped its internal review, which studied its campus police operations and policies, mental health incident training for officers, and policing statistics. It found, among other things, that although choke and strangleholds already were not incorporated into officer training and thus “were not a sanctioned use of force tactic,” they also weren't explicitly barred in written policy. (link)

Oct 21: Alleged Structural Racism: The state's top leaders are ordering a review of what they say is the "clear and appalling culture of ongoing structural racism at the Virginia Military Institute," following news reports detailing allegations by Black students and alumni. Writing that the school's values of honor, sacrifice, dignity and service "do not extend to all students," the letter from state officials to VMI's governing Board of Visitors cites reports of "vicious attacks on social media," a sophomore threatening to lynch a fellow underclassman and a professor fondly reminiscing over her family's involvement in the Ku Klux Klan. (link)

Oct 14: Quarantine Violations: Ohio University students who in recent days were ordered into quarantine or isolation by The Athens City-County Health Department could be criminally charged if they leave their assigned residence hall before the date prescribed to them, with few exceptions, according to an agreement students signed within their housing contract. (link)


Other

Oct 23: Fossil Fuel Divestiture: Yale University has formed an expert committee to guide the university as it evaluates its investment policies in relation to companies producing fossil fuels, President Peter Salovey announced Oct. 22. The new committee is charged with recommending a set of principles that will inform Yale's Corporation Committee on Investor Responsibility (CCIR) as it applies the university's ethical investment policy to fossil fuel companies. The CCIR works in consultation with the Advisory Committee on Investor Responsibility (ACIR). (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top



© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.