New Faculty Orientation to Privacy and Security at UF Susan Blair, Chief Privacy Officer Kathy Bergsma, Information Security
Privacy: Not Alphabet Soup … COPPA facta GLBA CFAA HIPAA DPPA ADA ITADA The Privacy Act FERPA TCFAPA ECPA CPNI pcidss REDFLAGS
Restricted Data • Restricted Data: • Information that, if disclosed to unauthorized users, may have a very significant adverse operational or strategic impact on an individual, a group or an institution. This classification includes, but is not limited to, data restricted by law and legal contracts. • Examples: • Personally Identifiable Information – SSNs, FDLs, financial data • Medical Records • Student Records
Information Highway “Danger Zones” • Family Educational Rights and Privacy Act (FERPA): Student Records • Authorizes Secretary of Education to end all federal funding if a university fails to comply with federal statute • Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information • Civil penalties and DOJ criminal prosecutions, which may result in penalties and up to ten years of jail time • Payment Credit Industry Data Security Standard (PCIDSS): Credit Card Information • Noncompliant entities may be fined $500,000 per incident if cardholder information is compromised, and processing privileges may be revoked
Hazard Number One Failing to complete specific Privacy and Security general awareness trainings. • “Privacy and Student Records in the Sunshine State” • HIPAA General Awareness or HIPAA for Researchers • Security: Restricted Data Training • Security: Cyber Self-Defense
Hazard Number Two • Being a faculty member does not entitle you to any and all student information. • Share student records with individuals who have an official need to know • Grades, UFIDs, student photos • Letters of recommendation
Hazard Number Three • Beware of including restricted data in unsecured email systems. Do not use personal email accounts (Hotmail, Gmail, Yahoo, etc.) to receive or transmit restricted data. • Adhere to UF’s Social Media Guidelines; do not disclose restricted information or talk about work-related issues in blogs or on Facebook pages.
Hazard Number Four • Any portable device (e.g., laptop, iPad, PDA, cell phone, flash drive) that is used for collecting, storing, or communicating restricted data must be encrypted, no exceptions. • Use of Social Security Numbers requires Privacy Office written permission.
Hazard Number Five Identity Theft • Red Flag Rules for credit cards and financial data • Payment Credit Industry Data Security Standards Phishing scams • ALWAYS be suspicious • UF will NEVER ask you for your password • Never share your password with ANYONE • Verify the information in the email by calling the UF Computing Help Desk, 392-HELP • For more tips, visit http://security.it.ufl.edu/
Potholes and Patches • Training Opportunities: • “Privacy and Student Records in the Sunshine State” • Social Security Number Training • Red Flag Rules • HIPAA General Awareness or HIPAA for Researchers • Security: Restricted Data Training • Security: Cyber Self-Defense
Potholes and Patches No antivirus software or software isn’t current • McAfee VirusScan is free for work and home http://software.ufl.edu/mcafee Computer updates are not current • Secunia Personal Software Inspector (PSI) • http://secunia.com/psi
Potholes and Patches Portable devices and media • Encryption • McAfee Endpoint Protection http://software.ufl.edu/mcafee • Loss and theft protection • FrontDoorSoftware http://www.frontdoorsoftware.com/ufl/
When in Doubt … • Privacy: Susan Blair 273-1212 firstname.lastname@example.org • Information Security Kathy Bergsma 273-1344 email@example.com