Scared Straight: The Need for Change



Presentation Transcript


  1. Scared Straight: The Need for Change
     Beth Cate, Associate General Counsel, Indiana University

  2. “The Scary” (aka External Drivers for Change)
     • Lawsuits
     • Regulatory Enforcement Actions by government agencies
     • Contract-based Penalties
     • Harm to Reputation
     • Resource diversion
     • Loss of Confidence and Support from Financial Supporters
       • Alums/donors
       • Legislatures
     • Increased Regulation

  3. Some scary numbers
     • From the Privacy Rights Clearinghouse (http://www.privacyrights.org/ar/ChronDataBreaches.htm):
       • Higher education accounted for 115 of 478 reported data security breaches since Feb. 15, 2005
       • 3,817,372 persons’ data compromised (conservative estimate)
     • Frequency of release of sensitive personal data + associated risks = need to construct authentication and ID management systems very carefully and with an eye toward risk minimization

  4. Some grim headlines
     • “Ohio University: Data Breach Central?” – Martin Bosworth, ConsumerAffairs.com
     • “UCLA Data Breach Leaves 800K At Risk” – CBS News, Dec. 12, 2006
     • “University of Texas probes computer breach—Files illegally accessed; second intrusion in three years” – MSNBC, Apr. 24, 2006

  5. Some (a lot) of state laws
     • State breach notification laws
       • 35 and counting
       • http://www.ncsl.org/programs/lis/cip/priv/breach.htm
     • State privacy laws, usually specific to data element or sector
     • And whose law applies anyway?
       • Many out-of-state residents – long-arm jurisdiction?
       • What about international students?

  6. And more on the way

  7. And some federal laws
     • FERPA
       • According to OFCP, need to limit and track electronic access to student records to avoid violations
       • Mechanisms for electronic “consent” to disclosure of student records and access to student records must be reasonably secure
       • Loss of federal funding, injunctions
     • HIPAA
       • Privacy and Security Rules require the implementation of systems to manage, limit, and monitor access to PHI
       • Civil and criminal penalties for violations
     • GLB
       • Schools must implement a security plan with administrative, technical, and physical safeguards to protect confidentiality of covered financial information
       • Agency enforcement actions

  8. And probably more on the way
     • Feinstein bill: “Notification of Risk to Personal Data Act of 2007,” S.239
     • Barney Frank (chair, House Financial Services Committee) bill: Predicted….

  9. Periodic call for enactment of Fair Information Practice Principles as broad-based federal legislation, if not enough effective self-regulation
     • Notice
     • Choice/consent
     • Access
     • Integrity/Security
     • Enforcement
       • Private right of action (lawsuits)
       • Civil/criminal enforcement by government agencies

  10. And much use of resources
     • Containment and implementing fixes
       • Ohio University: between $5.5 and $8 million
     • Investigation
     • Notice (individuals, credit bureaus, state agencies)
     • Further communications with individuals/media
       • UCLA incident: 8,500 calls to hotline within first few days
     • Any reimbursement of costs incurred by individuals undertaken by institutions

  11. And private contract-based penalties
     • PCI DSS – Payment Card Industry Data Security Standards
       • Require strong access control and tracking measures re: credit card data
       • Penalties for noncompliance:
         • Fines
         • Loss of approval to accept credit card payments
         • Enhanced audit requirements

  12. And loss of confidence by donors
     • Ohio University:
       • “‘It was my intention to leave a sizable endowment to OU, but not any longer,’ announced one [alumnus].”
       • “Another signed off his May 3 e-mail with, ‘You incompetent f---ing a--holes. I will never donate a penny to you.’”
       • (“OU has been getting an earful about huge data theft,” The Athens News (6/12/06))

  13. Or, as they say on the commercial side…
     • “TJX, in public relations terminology, is in hell,” said Geri Denterlein, a Boston ‘crisis management’ expert.
     • (“Bank reissues cards as TJX sued over cyberscam,” Boston Herald (1/30/07))

  14. And heads rolling
     • Ohio University:
       • CIO resignation
       • Director of communication network services fired
       • Manager of internet and school systems fired
     • Dept. of Veterans’ Affairs Chief Information Security Officer resigned after data breach involving data of 26 million vets
     • AOL Chief Tech Officer resigns, and two company researchers fired, after breach involving 650,000 subscribers’ data

  15. And the possibility of criminal penalties
     • E.g., Indiana Code 4-1-10 (disclosure of SSNs)
       • Personal criminal liability for negligent, knowing, reckless, and intentional disclosures
       • Felony convictions punishable by up to 3 years’ imprisonment and $10K fines

  16. And the specter of litigation
     • E.g., Ohio University alumni/class action suit
       • Seeks costs of credit monitoring; less clear about actual damages and “anxiety”
       • May be difficult for plaintiffs to win on negligence, invasion of privacy theories
       • BUT still incur costs of defense, which can be considerable
     • Insurance/credit monitoring services – Louisiana state arrangement with Equifax (free daily credit monitoring, $2,500 identity theft insurance)

  17. Legislative requirements can set standards for negligence/common law invasion of privacy actions
     • E.g., proposed Federal Agency Data Privacy Protection Act, H.516
       • All sensitive data in federal agencies must be secured by the most secure encryption standard recognized by the National Institute of Standards and Technology (and must be updated every 6 months)
       • No access by anyone without security clearance and financial disclosure; no offsite transport w/o agency IG approval
       • Flow down of requirements to govt contractors

  18. So, to summarize…
     There are many, and increasing, external drivers for well-constructed and well-managed authentication and identity management systems
