Insights on the Legal Landscape for Data Privacy in Higher Education
Rodney Petersen, J.D.
Government Relations Officer and Security Task Force Coordinator
EDUCAUSE
IT Policy Framework
Law: Constitution, federal & state laws, liability
Values: academic freedom, community expectations, privacy vs. access
Ethics: responsible use, stewardship
Morality: absolutes
Agenda Topics
U.S. Constitution
Federal Law and Regulation
State Law and Regulation
Contractual Obligations
Emerging Case Law
Emerging Policy Issues
Dimensions of Privacy
Personal Privacy – the right or interest for individuals to keep their personal information, communications, and facts concerning them out of the hands of unauthorized parties.
Privacy Protection – the responsibility or stewardship role of a 3rd party that holds personal data concerning an individual that has been entrusted to them.
Data and the Constitution
14th Amendment: No state shall . . . deprive any person of life, liberty, or property, without due process of law.
4th Amendment: People have the right . . . to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures . . . no warrants shall issue [without] probable cause . . .
Federal Law
Electronic Communications Privacy Act (ECPA)
Family Educational Rights and Privacy Act (FERPA)
Federal Information Security Management Act (FISMA)
Foreign Intelligence Surveillance Act (FISA)
Gramm-Leach-Bliley Act (GLBA)
Health Information Portability and Accountability Act (HIPAA)
FTC Regulatory Enforcement
ChoicePoint – settlement for $10 million in civil penalties and $5 million to be used to reimburse consumers for expenses due to identity theft caused by the security breach.
BJ’s Wholesale Club – ordered to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”
Guidance Software, Inc. – settled for its failure to take reasonable security measures to protect sensitive customer data, contradicted security promises made on its Web site, and violated federal law. The data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.
State Law
Data Incident (Breach) Notification Laws:
Define what constitutes a “breach”
Establish procedures for “notifications”
Qualified by exceptions and protections
Privacy Policies for Websites:
Applies to collection of “personal records”
Specifies “notice” requirements
Websites only
“Notice” and Other Principles
1. The purpose for which the personal information is collected;
2. Any specific consequences to the person for refusal to provide the personal information;
3. The person’s right to inspect, amend, or correct personal records, if any;
4. Whether the personal information is generally available for public inspection;
5. Whether the personal information is made available or transferred to or shared with any entity other than the official custodian.
Fair Information Practices
Notification
Minimization
Secondary Use
Nondisclosure and Consent
Need to Know
Data Accuracy, Inspection, and Review
Information Security, Integrity, and Accountability
Education
Contractual Obligations
Contract law is a function of state law and “common law”
Procurement of Hardware and Software
Outsourced Services (data handling, email, etc.)
Government Contracts and Grants (e.g., NASA, NIH, NSF, ED, etc.)
Payment Card Industry – Data Security Standard (PCI DSS)
Desktop Configuration
Case Law
Based upon Tort/Negligence Law:
Duty
Breach of Duty
Damages
Foreseeable Risks
Public Policy
Identity Theft
Social Security Number use
Data Privacy and Security Proposals
FISA Amendments
Communications Assistance for Law Enforcement Act
Data Retention
For More Information
EDUCAUSE/Internet2 Security Task Force
http://www.educause.edu/security
EDUCAUSE Washington Office
http://www.educause.edu/policy
Rodney Petersen
Email: [email protected]
202.331.5368