Impact of Legal and Regulatory Compliance on Higher Education Information Security Management. Dan Han Virginia Commonwealth University

Transcription

1 Impact of Legal and Regulatory Compliance on Higher Education Information Security Management Dan Han Virginia Commonwealth University

2 A little about me Worked in IT for close to 15 years, with 12 years focusing on Higher Education and Healthcare, and over 7 years in security practice and management Took a heavy interest in cyber law in grad school after studying the ChoicePoint data breach, but didn t really want to be a lawyer Conducted research in legal and regulatory compliance in IT and information security management with PhD candidates

3 Apologies

4 Higher education is like a

5 Educate students

6 Provide Financial Services

7 Conduct research

8 Provide healthcare services

9 Provide other goods, services, and living essentials

10 STUDENT ID NUMBERS DISABILITY STATUS NON-PUBLIC PERSONAL INFORMATION ACADEMIC STANDING HEALTH RECORDS PINS CARD HOLDER INFORMATION GRADES DEMOGRAPHICS PERSONALLY IDENTIFIABLE INFORMATION GPA CLASS SCHEDULE EDUCATION INFORMATION HEALTHCARE SOCIAL SECURITY NUMBERS CARD NUMBERS FINANCIAL SERVICES OPERATION RESEARCH DIAGNOSIS TREATMENT INFORMATION EXPORT CONTROL INSURANCE INFORMATION PROTECTED HEALTH INFORMATION MEDICAL RECORDS NUMBERS SPONSORED RESEARCH GENETIC INFORMATION MENTAL & MEDICAL HISTORY INTELLECTUAL PROPERTY CHILDREN S INFORMATION

11 GLBA HIPAA GINA HITECH FERPA Intellectual Property PHI USML ITAR PCI-DSS PII REGULATED INFORMATION SER FOIA Red Flag Rule OFAC-ETS CCL NPI Card holder Data EAR PPRA FTC Act Section 5 COPPA DMCA Safe Harbor

12 Regulations may include But are not limited to Federal Education Rights and Privacy Act (FERPA) Payment Card Industry Data Security Standard (PCI-DSS) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) Genetic Information Nondiscrimination Act (GINA) Children s Online Privacy Protection Act (COPPA) Protection of Pupil Rights Amendment (PPRA) Federal Information Security Management Act (FISMA) State Information Privacy Laws (46 States and 4 U.S. Territories) Export Control Laws (ITAR, EAR, OFAC-ETS) EU Directive 95/46/EC / Safe Harbor Privacy Principles Federal Trade Commission Act Section 5 (FTC Act) Digital Millennium Copyright Act (DMCA) Freedom of Information Act (FOIA) FTC Red Flag rule Wiretap Act / Electronic Communications Privacy Act (ECPA)

13 FERPA Federal Education Rights and Privacy Act Protection of Student Educational Records Protection of non-directory information from disclosure without written consent (Some exceptions apply) Directory Information is usually classified by an educational institution and can be generally be disclosed without prior consent Disclosure of Student Educational Records to School officials is permitted as long as they have a Need to know Student health information is covered under FERPA! Privacy of student financial aid data is covered under FERPA! Enforced by Department of Education Maybe applicable to student information related to education and research

14 GLBA Gramm-Leach-Bliley Act Safeguard Rule: Protect the confidentiality of customer non-public personal and financial information (NPI) held in possession of covered financial institutions Ensure confidentiality of these information Protect against unauthorized access Protect against anticipated threats or hazards Requires formalized security program Enforced primarily by FTC Affects student financial aid records, processing of financial loans or other financial services

15 PCI-DSS Payment Card Industry Data Security Standard Protect the confidentiality of Card Holder Data stored, transmitted, and processed by entities involved in payment card processing Recommends network segmentation and scoping Includes minimum standards on administrative, physical, and technical controls, including testing and audits Consist of 4 levels with varying auditing and compliance requirements External and internal assessment may be needed depending on qualifying level Enforced by PCI Counsel and banks Affects physical and web store fronts, dining services, athletics, housing and any other areas that may process credit cards

16 PCI-DSS 3.0 PCI-DSS 3.0 is right around the corner, designed to focus on several new areas: Education and Awareness Passwords and Authentication Methods Third party business partners Emerging technologies such as e-commerce, mobile processing, and cloud processing Consistent and verifiable security management with heavy focus on documentation

17 State Data Security and Privacy Laws Designed to protect the privacy and security of State residents personally identifiable information (PII) Based off of the CA SB 1386, 46 States and 4 U.S. Territories have laws applicable to residents PII usually include First Name or First initial and Last Name plus SSN, State ID / Driver s License Numbers, Card numbers and other financial information Can also include health care information May affect student / employee PII, may include information from HR, Registrar s office, Student Health, Campus Police, ERP systems, and other administrative and academic units

18 State Data Security and Privacy Laws Issues: Applicability Some laws apply to any entity with data on residents Others apply to entities operating in the State or territory Varying definitions Personal Information (Some include Health Information) Risk of harm assessment requirement Breach notification time limit Notification methodology and Police / AG notification requirement Requirement to encrypt data in transit Extremely confusing

19 Safe Harbor Privacy Principles Established by U.S. Department of Commerce to certify organizations that handle EU resident s personal data. Based off of the EU Data Protection Directive (95/46/EC) EU companies prohibited from transmitting personal data to countries that do not meet EU adequacy standard for privacy protection Voluntary certification for U.S. organizations, certified organizations will be deemed adequate by EU standards Requires 7 elements and annual certification May apply to collaborative research projects involving EU companies and / or the personal data of EU citizens.

20 Copyright Laws Patent Act Grants exclusive rights of making, using, or vending of useful or important inventions Copyright Act Grants exclusive rights to reproduce, create derivative work, distribute, perform, or display original works of authorship Digital Millennium Copyright Act Protects copyright information and prevent the circumvention of technological measures that effectively controls the access to copyrighted materials. ISP exemption given diligence in handling violation reports May apply to University computer and network resources used by faculty, staff and students, as well as research intellectual property (ownership)

21 Other laws and regulations Freedom of Information Act (FOIA) Allows public inspection and disclosure of public records in the custody of public body or its officers and employees May affect data retention and disclosure of potentially sensitive data Data Retention Schedules (Commonwealth, Federal) Defines the retention and removal requirements for various types of data such as administrative records, educational records, etc. May apply to data storage and retention Computer Fraud and Abuse Act (CFAA), Wiretap Act, and Electronic Communication Privacy Act (ECPA) Applicable to , telephone conversations and security of devices and data that is electronically transmitted through devices May apply to monitoring and forensic investigations (if no authorization or contractual provisions such as an AUP is established)

22 Other laws and regulations Federal Trade Commission Act Section 5 Prohibits Unfair or deceptive acts or practices in or affecting commerce Promotes privacy framework including Privacy by design, Simplified choice, and transparency Ensures organizational actions are consistent with their policies. FTC Red Flag Rule Requires a written identity theft protection program that detect, prevent, and mitigate identity theft Need to define the red flags Create policy, procedures, and practices to detect and respond to red flags

23 PHEW

24 And if that wasn t enough let s talk about Research

25 There are a plethora of laws and regulations that may apply to your research environment!

26 PPRA Protection of Pupil Rights Amendment Protection of minor student s personal information Written consent from parents is needed before the collection of the following information from minor students in any U.S. Department of Education funded survey, analysis, or evaluation: Political affiliations Mental and psychological problems that can embarrass Sex behavior and attitudes Illegal, anti-social, self-incriminating and demeaning behavior Critical appraisals of other individuals with whom respondents have close family relationships Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers Religious practices, affiliations, or beliefs of the student or student's parent*; or Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.) Applicable to information related to under-age research subjects in DoE funded projects.

27 COPPA Children s Online Privacy Protection Act (COPPA) Provide parents with control over the information that is collected from their young children (<13) online. Need verifiable parental consent to collect information Must contain accurate privacy statement with specific content Provide parents with the control over the use and disclosure of their children s information Prohibits the collection of unnecessary information Applicable to information related to research projects

28 How do you get verifiable consent? UETA and ESIGN Uniform Electronic Transactions Act and Electronic Signatures in Global and National Commerce Act Guarantees the legality of electronic signatures So click-through agreements and EULAs are legal and binding contracts!

29 FISMA Federal Information Security Management Act (FISMA) Follows NIST SP security requirements Standard practice for HHS, DHS, DOD, DOE, NSF and other federal government agencies Fed sponsored research programs will see these requirements in grants, contracts, and data use agreements Three levels of risk, depending on data sensitivity In some cases requires FISMA certified data processing and storage facilities depending on risk level May apply to federally funded research projects, and may appear in the form of data management plans.

30 HIPAA / HITECH Health Information Portability and Accountability Act (HIPAA) Title II: regulates the privacy, security, use, and distribution of Protected Health Information Protected Health Information Health Information with 18 HIPAA identifiers from or to a Covered Entity Covered Entity Healthcare provider, insurance provider, or clearing house Two sets of rules under Title II Privacy rule: Use and distribution of PHI Security rule: Defines Required and Addressable security safeguards

31 HIPAA / HITECH Requirements Must safeguard PHI from unauthorized access, modification, or deletion Required and addressable safeguards Administrative Security policy, training, Business Associates Agreements Physical Secure facility, monitored physical access control PHI Technical Encrypted transmission, partner authentication, data integrity Cannot sell, use, or share PHI without appropriate consent or approval

32 HIPAA / HITECH Health Information Technology for Economic and Clinical Health Act (HITECH) Part of ARRA in 2009 Final Omnibus rule released this year, with compliance date of September, 2013 Strengthens HIPAA with stringent Enforcement rule Requires modified and more stringent privacy policies by Covered Entities Places more requirements on Business Associates New Breach notification rule that eliminates the No harm, no foul loop hole The 500 records rule

33 HIPAA / HITECH How do I know if I am covered? If you collect health information on behalf of a covered entity If you collect health information from a covered entity If you collect health information on behalf of the covered unit of a hybrid entity The conundrum of a hybrid entity Even when HIPAA is not applicable Many state laws will cover health information May be applicable to research projects and healthcare components in the University

34 GINA Genetic Information Non-Disclosure Act Prohibits discrimination in health coverage and employment based on genetic information Genetic information is considered PHI and same HIPAA safeguards and ramifications apply under GINA

35 Export Control Laws Export Administration Regulations (EAR) Regulates items and services specifically designed for military applications 10 categories of sensitive commercial and dual-use goods, software, technology listed in the Commerce Control List (CCL). These Include: nuclear, chemical, electronics Information security, telecommunications lasers and sensors, avionics and navigation marine, propulsion systems and space vehicles related equipment, software, and technology. Specific license and registration is required from Commerce Department for export Assets must be handled by U.S. Persons otherwise

36 Export Control Laws International Traffic in Arms Regulation (ITAR) Regulates import, export and re-export of Defense Articles and Defense Services Applicable to items and services enumerated on U.S. Munitions List (USML) Also controls other items and services that has been specifically designed, developed, configured, adapted or modified for military and does not have predominant civil applications Authorization is needed from State Department Directorate of Defense Trade Controls (DDTC) Assets must be handled by U.S. Persons otherwise Cannot export to proscribed countries under U.S. Arms Embargos

37 Export Control Laws Economic and Trade Sanction Regulations regulated by Treasury Department s Office of Foreign Assets Control (OFAC) Applicable to non-friendly countries, goods, investments, transactions and services exported or reexported to or imported from these countries Also applicable to entities and individuals in the SDN list that includes agents of sanctioned countries, terrorism sponsoring organizations, international narcotics traffickers, weapons proliferators or otherwise engage in activities that threaten the security of the United States

38 So what now?

39

40 While there are some differences among these regulations

41 The commonalities Ambiguity in requirements Encryption safe harbor Requirements of being a good data steward Risk based security management programs Administrative, physical, and technical controls for detection, prevention, and treatment of threats Prevention, detection, response, and remediation of threats Formalized data sharing and usage processes Transparent self-regulation Breach reporting requirements and regulations Adequate and proportionate security and privacy policy and programs Enforce and follow the policies and programs

42 Recommendations Know what regulation is applicable to your environment Classify your information based on risk and impact Be transparent, clear and concise about acceptable use, information collection, usage, and management. Take applicable laws and regulations into consideration when classifying your data Document policies, procedures, and controls regarding data protection and management Establish and maintain data governance structure with clearly defined stewardship responsibilities

43 Recommendations Encrypt your regulated data in transit and at storage based on risk, take advantage of the encryption safe harbor Ensure you have data sharing / use agreements or business associate agreements with third party Minimize the scope of coverage as much as possible (You can t lose what you don t have, it is not applicable if it is not covered) Consider risk transference by use of cyber liability insurance Do not be disingenuous and do not sweep things under the rug

44 Resources PTAC FERPA Privacy and Security Toolkit HIPAA Omnibus rule summary %20of%20New%20HIPAA%20Rules%20by%20Elizabeth%20Johnson %20Jan% pdf HITRUST (HIPAA + PCI + State reqs.) Cloud Security Alliance Red Flag Rule FTC Privacy Framework Mintz State Data Breach Law summary /state_data_breach_matrix.pdf

45 Thank you Questions?