1

Protecting PrivacyChallenges for Higher Education

Educause Western Regional Conference - April 26, 2006

2

Outline California Office of Privacy Protection Defining Privacy Privacy Laws Privacy Practices

3

California Office of Privacy Protection CA is 1st state with such an agency Created by law passed in 2000 Mission: protect the privacy of individuals’

personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating…fair information practices

4

COPP Functions Consumer assistance Education and information Coordination with law enforcement Best practice recommendations

5

Why People Contact COPP

5% 5% 4% 2% 1%

12%

63%

12%

0%

13%

26%

40%

53%

66%

11/01-12/05

6

Defining Privacy

7

Classic Definition 1 The right to be let alone.

"The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men—the right to be let alone." Brandeis & Warren, 1890

8

9

Classic Definition 2 The right to control one’s personal

information. “…the claim of individuals, groups, or

institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” Alan Westin, 1967

10

11

Privacy & Security Information Security: protecting data from

unauthorized access, use, disclosure, modification, destruction.

Information Privacy: providing individuals with level of control over use and disclosure of their personal information

No privacy without security

12

Privacy Values Privacy – the right to control one’s personal

information – is essential to protect other important values. Confidentiality Anonymity Seclusion Fairness Liberty

13

Current Privacy Issues

14

Current Privacy Issues Security vs. Privacy Public Records &

Privacy Data Brokers Ubiquitous

Surveillance

Persistence of Data Identity &

Authentication Identity Theft

15

Security vs. Privacy “They that can give up

essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” Benjamin Franklin, 1759

A zero-sum game?

16

Public Records & Privacy Loss of “practical obscurity” – from the

county courthouse to the World Wide Web Open government – Can we keep an eye on

our government without spying on individual citizens? Limit access to sensitive data to certain purposes

Data brokers digitizing public records “Enriched” data resold to government and

businesses

17

Ubiquitous Surveillance Digital trails created by

financial transactions, digitized public records, FasTrak, security cameras, building cardkeys, Web searches, electronic health records…

18

19

The Persistence of Data Internet archive Online communities – MySpace.com,

Facebook.com Loss of “social forgiveness” in society of

digital dossiers

20

Identity & Authentication

21

Identity Theft Causal factors in identity theft

Electronic databases Instant credit Remote transactions Over-reliance on inadequate identification system

22

Identity Theft Obtaining someone’s personal information

and using it for an unlawful purpose Penal Code § 530.5

Types of identity theft Financial – existing account, new account Government benefits – employment “Criminal”

23

Incidence of Identity Theft Rate steady at about 9 million/year for past 3

years 4% of adults Including 1 million Californians

Source: BBB/Javelin, 1/06

24

How ID Thieves Get Your Info

Don't know how54%

In home6%

Lost/stolen17%

No answer 3%

Company insiders10%Transaction

4%

Online4%

Other3%

Source: BBB/Javelin, 1/06

Organizations in control 16%

Consumers in control 27%

Don’t know 57%

25

Impact of ID Theft on Victims Out-of-pocket costs

Average $422

Time spent recoveringAverage 40 hours

Source: BBB/Javelin, 1/06

26

Impact of ID Theft on Economy Total cost of identity

theft in U.S. in 2005

$56.6 Billion

Source: BBB/Javelin, 2/06

27

Protecting Personal Information State and Federal Privacy Laws and Regulations

28

Approaches to Data Protection U.S. takes sectoral

approach Laws protect personal

information in certain industry sectors (financial, health care, video rental records)

EU, Canada, APEC take comprehensive approach Laws treat privacy as

fundamental human right

29

Major Sectoral Privacy Laws Credit Reporting Government Privacy Financial Privacy Health Information

Privacy Educational Records

Information Security Commercial

Communications Identity Theft Other

30

Privacy Laws for Higher Ed Federal Laws

FERPA – Privacy of educational records

GLBA – Financial privacy & security

HIPAA – Health information privacy & security

State Laws IPA & other state

government privacy laws (public institutions)

Online privacy (CA) Information security SSN confidentiality Breach notice

31

California #1 in Privacy Protection California ranks highest in protecting its citizens

against invasions of privacy. Privacy Journal

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. California Constitution, Article 1, § 1

32

Social Security Number Law Prohibits public posting or display of SSN

Don’t print on ID/membership cards. Don’t mail documents with SSN to individual, unless

required by law. Don’t require sending by email or require for Web site

log-on (unless with additional password). Don’t print more than 4 digits of SSN on paystubs –

or use employee ID number

33

Online Privacy Protection Act Commercial Web sites that collect personal info of

CA residents must post privacy policy statement Categories of 3rd parties with whom personal information

may be shared How consumers may review or remove their PII (if

offered)   How site will notify consumers when the privacy policy is

changed Effective date of the policy

Site operators must comply with policy

34

Online Privacy Practices in Higher Ed Survey report available from Mary Culnan, Bentley

College, mculnan@bentley.edu 236 doctoral universities & national liberal arts

colleges in 2004 US News & World Report list Assessed 3 types of online privacy risks

Privacy statement use Data collection forms Cookies

35

Online Privacy Practices in Higher Ed 100% of universities & colleges had at least one

instance of Web page w/out link to privacy notice Nearly 100% had 1or more data collection form

without link to privacy notice Nearly 100% had 1or more data collection forms

using GET method 100% had at 1 or more non-secure data-collection

page

36

A Few Headlines Another University Suffers Security Breach

UCB, 3/29/05 Tufts warns 106,000 alums, donors of security breach

4/12/05 FBI probes network breach at Stanford

5/25/05 University to Warn of Web Security Breach

USC, 7/10/05 7,800 linked to USD told of network security breach

12/3/05 Computer records on 197,000 people breached at UT

4/24/06

37

Security Breach Notice Law Notify individuals if unauthorized person

acquires “unencrypted computerized data,” as defined: Name plus one or more of following: SSN, DL,

or financial account number Notify promptly and without unreasonable

delay Time allowed to assess scope; may delay if would

impede law enforcement investigation

38

Security Breach Notice Law Notify individually unless >250,000 or

>$500,000 or inadequate contact information Substitute notice

Email if you have address, AND Post on Web site, AND Use mass media.

39

40

Breach Notifications CA Office of Privacy Protection learns of

breaches from individuals, companies, media Sample includes 101 breaches since 7/03 (not

all) Over 53 million notified (from 100 to 40 MM

per incident) Mean 646,723 Median 31,077

41

Where are breaches occurring?Other22%

Retail5%

Gov't11%

Medical13%

University25%

Financial24%

n=101

42

Why Universities? Culture of free flow of information Distributed IT environment More responsible about reporting?

43

How are breaches occurring?Other11%Web Site

6%

Mail4%

Hack28%

Lost or Stolen Device51%

n=101

44

Types of Information Involved

86%

33%

10% 13%

0%

30%

60%

90%

120%

SSN FinancialAcct.

DL Number Other/ DK

n=101

45

Lessons Learned - Prevention Review data collection policies

Blood bank example: Do we really need SSNs? Review data retention policies

University example: How long?

46

Lessons Learned - Prevention Remember the mobile workforce!

Protect desktops, laptops, other portables Prohibit downloads of sensitive info to PCs, laptops Use encryption – State encryption policy

BL05-32 at www.dof.ca.gov/html/budlettr/budlets.htm

47

Privacy Practices

48

COPP’s Recommended Practices Best practice recommendations, not

regulations, not legal opinions Social Security Number Confidentiality Security Breach Notice Information-Sharing Disclosure and Privacy

Policy Statements

49

Privacy Best Practices Build in privacy.

Design systems and database to limit and protect personal information.

Know where your personal information is. Conduct personal info inventory, including

portable computing & storage devices and paper records.

50

Privacy Best Practices Say what you do with personal information.

Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info.

Do what you say in managing personal information. Monitor compliance with laws and policies,

including content monitoring of Web sites and e-mail.

51

Privacy Best Practices Limit access to personal information.

Use appropriate security measures to prevent unauthorized access, including limiting internal access to need-to-use level.

Develop a culture of respect for privacy. Provide employees and all users with ongoing

education and training in requirements and practices.

52

53

“Personal information is like toxic waste – Managing it requires a high level of skill and training.”

Phil Agre, U.C.L.A.1997

54

55

Joanne McNabb, CIPP/GChief, California Office of Privacy Protection1625 North Market Blvd., Suite N324Sacramento, CA 95834www.privacy.ca.gov866-785-9663