Data Protection, Privacy and the Law. Presented for Data Privacy Month 2013 Presented by Tim Gurganus, OIT And Clifton Williams, OGC

Transcription

1 Presented for Data Privacy Month 2013 Presented by Tim Gurganus, OIT And Clifton Williams, OGC

2 Payment Card Industry Data Security Standard (PCI-DSS) Protection of card holder data processed, stored or transmitted for University merchants and system integrity of payment applications and connected systems used by the University Mandates over 280 security controls, processes and policies There are two kinds of PCI requirements: Technology and Process Security technology consists of software, hardware and third-party services used to implement purpose-built applications that protect cardholder data from various threats. Security process is a specific set of operational procedures used to implement and maintain protection, which may or may not require a particular type of security technology.

3 Payment Card Industry Data Security Standard (PCI-DSS) University Merchants must report compliance annually to our merchant bank NCSU has around 120 Merchant organizations accepting credit and debit cards for payment including: Athletics University Dining Transportation Ticket Central Online Giving

4 Payment Card Industry Data Security Standard (PCI- DSS) The standard is composed of 6 major areas of security Build and Maintain a secure network Protect Cardholder data stored and transmitted Maintain a Vulnerability Management Program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy Standard is written and maintained by PCI security standards committee which is composed of security and audit professionals from: Visa MasterCard American Express Discover card Japanese Credit Bank Others

5 Payment Card Industry Data Security Standard (PCI-DSS) There are some non-ncsu merchant ID holders including: Food trucks Gopack.com Compliance is required by chain of contracts from Card Brands to Merchant Bank to Acquirer to State of NC OSC to NCSU Controllers Office to Merchant One of the principles in the PCI-DSS is segmentation building separate networks, servers, workstations, firewalls, etc. for credit card payment applications only. The University has plans to build out such separate systems. As such, not all campus IT services are suitable for payment transactions such as Nomad wireless, building VLAN networks, and VoIP telephone system.

6 Payment Card Industry Data Security Standard (PCI- DSS) If there is a breach of credit card data, the University is required to disclose this to our merchant bank and the card brands as part of the required PCI-DSS incident response plan. Members or merchants are subjected to fines up to $500,000 per incident if there is a compromise on their network resulting in the loss or theft of cardholder information, and the network was subsequently found to be non-compliant at the time of the compromise. Also, if a member or merchant fails to immediately notify credit card companies of suspected or confirmed loss or theft of transaction information, the member or merchant will be subject to a penalty of $100,000 per incident Related University regulation: REG Payment Card Merchant Services

7 Defense Federal Acquisition Regulations (DFAR) Security Clauses Research projects using unclassified data obtained from the Department of Defense, DoD, will need to protect the data and meet specific security standards still being developed. Campus researchers required to meet this standard will likely require special protection of the computer network used by the project as well as specific security controls on the computer systems storing and processing the data. Desktop computers and personal electronic devices that individual researchers use under a covered contract would have to be inventoried and assessed to ensure that they are utilizing the appropriate FISMA-compliant technologies The proposed standard will also likely mandate the use of encryption software and additional systems/network monitoring on the computers used in the DoD, NSF or DoE research.

8 Health Insurance Portability and Accountability Act (HIPAA) U.S. federal law enacted in 1996 HIPAA protects patients rights regarding personal health information (PHI). HIPAA applies to covered entities providing health care treatment and storing Protected Health Information NCSU Covered Entities include: Athletics sports medicine Student Health center Counseling center

9 Health Insurance Portability and Accountability Act (HIPAA) Related University Regulation REG Privacy/Confidentiality, Release and Security of Protected Health Information HIPAA fines for non-compliance - Failure to comply with the HIPAA can result in civil penalties of $25,000 per individual per violation per year and criminal penalties of a quarter million dollars and 10 years imprisonment.

10 Health Insurance Portability and Accountability Act (HIPAA) HIPAA mandates: -Privacy protection -Plans for handling PHI and incidents of unintentional disclosure -Use of encryption for transmitting and storing PHI -Audit

11 Health Insurance Portability and Accountability Act (HIPAA) Three components: Protection for the privacy of Protected Health Information (PHI) Protection for the security of Protected Health Information Standardization of electronic data interchange in healthcare transactions HIPAA PRIVACY RULE Key Elements Individually Identifiable Health Information Name Birth date All geographic subdivisions smaller than state Telephone/Fax numbers addresses Medical Record Number Account Number Vehicle identifier/serial number Uniform Resource Locators (URLs) Biometric identifiers Social Security Number Health Plan Number Certificate / license number Device identifier/serial number IP addresses Photos Other unique characteristics Full face photograph

12 Health Insurance Portability and Accountability Act (HIPAA) The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. PHI PHI stands for protected health information, or any confidential information that identifies you. PHI may be oral or recorded in any form or medium a health care provider, health plan, public health authority, employer, life insurer, school, university, or health care clearinghouse creates that relates to past, present or future payment for the provision of health care to an individual.

13 Health Insurance Portability and Accountability Act (HIPAA) Technical Requirements of HIPAA Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-phi). Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-phi. Integrity Controls. A covered entity must implement policies and procedures to ensure that e-phi is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-phi has not been improperly altered or destroyed. Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-phi that is being transmitted over an electronic network.

14 Health Insurance Portability and Accountability Act (HIPAA) Minimum Necessary. A central aspect of the Privacy Rule is the principle of minimum necessary use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

15 Health Insurance Portability and Accountability Act (HIPAA) Civil Money Penalties. HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment.89 The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.

16 Health Insurance Portability and Accountability Act (HIPAA) Related University Regulation: Some excerpts: 4. SECURITY REQUIREMENTS AND PROCEDURES FOR ELECTRONICALLY-MAINTAINED PHI a Protect against malicious software b Monitor log-in attempts c Creation and management of passwords Develop guidelines on the encryption of Electronic Health Records (EHR) Audit Controls: record and examine activity on information systems that contain or use EHR

17 Red Flag Rule The Federal Trade Commission (FTC) regulates financial transactions at NC State University. The FTC has defined NC State as a creditor. The FTC has determined that all creditors must comply with the Red Flags regulation and by law must train certain respective employees that could come in contact with a Red Flag. Red Flag is an indication or warning that a fraudulent transaction or event could be occurring as a result of identity theft. Some NCSU employees have to get Red Flag Rule training

18 Red Flag Rule By law, we must be able to do the following: Identify areas of exposure to ID theft and what types of events within those areas could be interpreted as Red Flags what to look for Detect when these Red Flag indicators might be present Reduce the exposure of financial or personal loss to the University and to the customer who might have been a victim of ID theft by investigating the detected Red Flags for actual fraud and responding quickly and appropriately if fraud does indeed exist Train our employees on how to accomplish all of this

19 Red Flag Rule The following University Units have been identified by the University Red Flag Rules Committee as having covered accounts : Student Accounts The AllCampus Card Short Term Student Loans For individuals, covered accounts include any account that allows individuals to make multiple payments to pay off an obligation.

20 Red Flag Rule Red Flags come in 5 categories: 1. Notifications and Warnings from Consumer Reporting Agencies 2. Suspicious Documents 3. Suspicious Personal Identifying Information 4. Suspicious Covered Account Activity 5. Alerts from Others Example Red Flags: Documents provided for identification that appear to be altered or forged Photograph on ID does not match the appearance of the individual or does not look like the individual Information on ID does not match the information provided by the person opening the account A suspicious address is supplied, such as a mail drop or a prison A phone number associated with pagers or answering service is given You notice a drastic change in payment patterns, use of available credit, or spending patterns on an account A request for withdrawal (drop all classes) when a refund is required shortly after a change of relevant information

21 Section V Privacy Gramm Leach Bliley Act (GLBA) Actual GLB Act Total of 7 sections Title I. Facilitating affiliation among banks, securities firms, and insurance companies Title II. Functional regulation Title III. Insurance Title IV. Unitary savings and loan holding companies Title V. PRIVACY Title VI. Federal home loan bank system modernization Title VII. Other provisions

22 Gramm Leach Bliley Act (GLBA) The GLBA states that an entity must develop, implement, and maintain a comprehensive information security program. The Objectives of the Program are: 1. Insure the security and confidentiality of customer information 2. Protect against any anticipated threats or hazards to the security and integrity of the information 3. Protect against unauthorized access to or use of the information

23 Gramm Leach Bliley Act (GLBA) The following items are deemed as non-public identifying data and are therefore protected under the GLB Act and must be safeguarded from unauthorized access and transfer. Phone number (unless it can be proved that the number is available in a phonebook and is not unlisted ) Date of Birth Social Security number Passport number Bank information Bank Routing information (even though bank routing information is actually public information for each bank, what we need to safeguard is the routing information as it pertains and is associated with each individual account so as to not let it be compromised) Credit Card / Debit card information Credit Card number/ Debit card number Loan Balances and Payment Schedules Credit History information including previous addresses Tax returns Asset statements

24 Basic Safeguarding Rules Gramm Leach Bliley Act (GLBA) Many of the processes surrounding the safeguarding of data are general common sense business best practices such as: Limit access where not needed Do not leave non-public identifying data unattended on a desk or overnight Ensure that any documents containing non-public information are locked when stored with limited access Ensure your computer system has a screen lock function and it is activated when not at or with your computer, especially your laptop Never share your password with anyone Never allow someone else to utilize your account. Change passwords periodically Change your password immediately if you think anyone else knows your password Turn your computer monitor away from public view or Use a privacy screen

25 Gramm Leach Bliley Act (GLBA) Basic Safeguarding Rules (cont.) Whenever possible, and within University, State, and Federal regulations, shred any paper data that has non-public information Do not release non-public information to requests via phone or electronic inquiry All inquires for personal information must be forwarded to the Department of Human Resources Do not store confidential physical documents in areas that can not be reasonably secure from disasters such as flood or fire. Any modification of non-public customer information should trigger an automatic notification to the customer Do not repeat credit card numbers over the phone where other unauthorized people can over hear the number

26 Gramm Leach Bliley Act (GLBA) Basic Safeguarding Rules (cont.) Dispose of outdated customer information within record retention policies Electronic Messaging Services ( , Instant Messaging Services, etc.) should NOT be used to send any confidential/sensitive information such as bank or credit card numbers, etc. Ensure that your computer and especially your laptop are running all current University Anti Virus software as indicated by the Office of Information Technology (OIT) Department. This includes access via home computer or mobile device when accessing information that includes non-public information.

27 Records Requests, Subpoenas and Search Warrants What are these? Records Request Court Order Subpoenas vs. Search Warrants (both are types of court orders) Notify OGC for all of these! REG Public Records Request ( REG Providing Expert Witness Testimony ( Suggest private party consultants to provide expert opinion Provide fact knowledge and data as an expert witness; not opinions and un-substantiated ideas

28 NC Identity Theft Protection Act What is this? Designed to protect SSNsin various ways Allows for credit report freezing to deter financial crimes Requires stricter safeguards and security breach notifications for personal information Personal Information = A person s first name (or initial) andlast name and SSN, DL#, checking, savings or credit account numbers, etc. Digital signatures, biometric data, fingerprints, etc.

29 What is this? FERPA Family Educational Rights and Privacy Act (FERPA) Protects education records (more than just educational records) Requires student consent prior to release Requires strict notification requirement if education record is requested by third party Requires procedure to change incorrect records Education Record examples: Any submitted student coursework identifiable to the student Office of Student Conduct (OSC) investigative report Student s medical records shared for non-medical purposes

30 NCSU Computer Use Policy and Regulation Computer Use Policy (POL ) Computer Use Regulation (REG ) Items related to Data Protection and Privacy / Network Data The University may examine personal electronic information stored on or passing over University equipment or networks to: Insure the security and operating performance of its systems and networks. Conduct an audit. Investigate an issue before bringing it to the University Institutional Review Board. Comply with E-discovery rules connected to a subpoena or other court document.

31 NCSU Computer Use Policy and Regulation The University may examine personal electronic information stored on or passing over University equipment or networks to: Enforce University policies or compliance with state or federal law where examination is approved in advance by a dean, vice chancellor, or vice provost, and: There is suspicion a law or University policy was violated, or Examination is necessary to comply with a state or federal law.

32 NCSU Computer Use Policy and Regulation Regulatory Limits: Computer Users should have no expectation of privacy in personal material stored by them on the University computing systems when: There is a reasonable suspicion that a law or University policy has been violated, or Examination is necessary to comply with a state or federal law. If there is information you wish to keep private and personal you should not store it on University equipment. At the very least personal information should be stored in a separate folder and labeled as personal.

33 NCSU Computer Use Policy and Regulation Protecting Data: Security Precautions Users of IT resources must take appropriate security precautions in order to prevent computer virus infections, misuse or data leakage. These precautions include: Ensuring critical vendor-supplied security patches are applied to software products in a timely manner Following the university Antivirus Software Requirements regulation Following the university Administrative Password Standard.

34 NCSU media disposal procedures Covers: University data on storage devices going to surplus Mandates overwriting University data with random information or factory reset of a device to wipe data NC State is obligated to remove confidential data and certain software applications from surplused electronic and computer equipment in order to maintain data security, be compliant with various federal and state regulations, and fulfill licensing agreements. To ensure due diligence, the university has implemented procedures for surplusing computer equipment running Windows, OS X and Unix

35 NCSU media disposal procedures Procedures need to be developed for other storage devices such as: Flash drives Memory cards Fax machines with memory Copiers with hard drives Scanners with hard drives Cell phones Smartphones/PDAs ipads, ipods Video Conferencing systems Printers with hard drives DVRs with hard drives Audio Recorders with solid state data storage

36 How to Set up a Credit Fraud Alert A fraud alert advises creditors to contact you before they open any new accounts or change your existing accounts Should be no charge after revision to NC ID Theft Protection Act You may place this fraud alert on your credit file by contacting any one of the three major credit bureaus listed on the next slide. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit file. All three bureaus will then send a credit report to you, free of charge. Additional information and resources are available from the FTC by visiting their Website, Identity Theft helpline at

37 How to Set up a Credit Fraud Alert You may place this fraud alert on your credit file by contacting any one of the three major credit bureaus listed below: Equifax PO Box Atlanta, GA Experian PO Box 9532 Allen, TX TransUnion PO Box 6790 Fullerton, CA

38 Questions? (4H Meeting 1920)