Legal Issues for Supervisors 401

How to Protect the Confidentiality
and Security of Private Information
on W&L and its Constituents

 (C) Washington & Lee University 2007   1
What’s this all about?
 Three separate issues:
      What is PRIVATE (personally identifiable
       information protected by law, policy, or common

       How to keep PRIVATE information
       CONFIDENTIAL (seen/heard by only those with a
       legitimate need to know); and

      How to keep such information SECURE (so that it
       cannot be improperly altered, removed, or

Private information under law

 Student education records (FERPA);
 Financial account/loan records (Gramm
  Leach Bliley) [student loans, employee
  home loans];
 Personally identifiable employee
  information kept by covered health plans
  (HIPAA) [health, dental, flex, EAP]

Private information under law

 Records related to employee disability
    (Americans with Disabilities Act) [kept separate
    from rest of personnel file];
   Medical records related to family and medical
    leave (FMLA) and workers’ compensation;
   Background Check results (disposal) (FACTA)
   Student medical treatment / counseling records
    (private under Virginia law)
   Human Subjects Research (surveys, etc.)

Private information under
 Social security numbers and credit card
  numbers are included in W&L’s
  Information Security Program.

Other private W&L information

 Personally identifiable information re:
  donors, alumni and alumnae.
 Proprietary W&L information (internal
  operations, financial/investments,
  research and institutional data not
  intended for public disclosure)

Risks to private information

 Unauthorized access or transfer
 Disclosure beyond authorized request
 Improper disclosure based on
  unauthorized request
 Physical loss or destruction
 Alteration/corruption
 Improper interception
 Other security compromise
For example . . .

Responsibilities of all W&L
 All university faculty, staff, student
  workers, and volunteers are expected to
  comply with university policies and
  procedures on privacy, confidentiality
  and security.
 New employees (faculty & staff) sign
  confidentiality and technology use
  agreements. Extend to all, including
  student workers?
What should supervisors do to
protect the confidentiality and
security of private information?
 Stress importance of sound information
  confidentiality and security practices to
  all employees.
 Practice what you preach - - if you have
  no legitimate work-related or educational
  reason to access, disclose, or maintain
  information, don’t.

What should supervisors do to
protect the confidentiality and
security of private information?
 See that your staff receives training and
  resources on policies, procedures, and
  best practices for handling private
  information (use OGC as resource).
 Be sure that only those in your
  department with a legitimate, work-
  related need to know have authority and
  access to private information.

What should supervisors do to
protect the confidentiality and
security of private information?
 Pay attention to provisions on
  confidentiality/security in vendor contracts
  where relevant (see OGC - - contract policy in
 Notify University Computing of lost or stolen
  laptops, flash drives, etc., and the
  Telecommunications Manager of stolen
  phones, BlackBerrys, etc., and coordinate in
  advance with HR in the event of a termination.

How to protect the confidentiality
of private information - - general
employee guidance
 When in doubt, ask / confirm first before
  disclosing or accessing private
 Don’t assume that just because you can
  access/disclose information, you should.
 Disposal of documents with private
  information - - internal or external
  shredding - - other?
How to protect the confidentiality
of private information
 Don’t leave private information in plain
  view when leaving your work area.
 Lock file cabinets containing private
 Keep your office locked when you, or
  other authorized employees, are not
 Avoid multiple copies of private
  information unless needed.

How to protect the confidentiality
of private information
 Don’t discuss private or sensitive
  information with open doors or in
  hallways, etc.
 Treat private information as if it were
  about you.
 Taking files home - - handle with care.

Protecting electronic information
 Password security:
     8 characters, alphanumeric
     Change it often
     Don’t share it with anyone
     Don’t write it down and tape it close by
     Delegate (proxy) access to your e-mail or
      calendar rather than giving out the account
      password

Protecting electronic information
 Lock your workstation each time you
  leave it unattended (Ctrl/Alt/Delete)
 Shut down your computer each evening
  (allows patches and updates to apply
  AND keeps others off the computer)
 Keep anti-virus/firewalls, etc. up to date
  on home computers if you work at home
 Use different user names/passwords for
  different accounts

Protecting electronic information
 Safe e-mail practices:
   Don’t open attachments if you aren’t
    expecting them
   Don’t click on links in emails

 Safe internet browsing:
   Don’t click on it if you didn’t ask for it
   Don’t allow random downloads

 Safe instant messaging (AOL viruses):
      Only communicate with known buddies

Protecting electronic information

 Consider placement of screen / visibility
  to office visitors
 Use screen blockers
 Be careful with flash drives, memory
  keys, diskettes, CDs, etc.

What about when traveling?

 Assume NOTHING is secure!!!
 Wired is more secure than wireless
 Always look for the encrypted (lock or
  equivalent) symbol to be sure
  communication is secure
 Wireless off campus - - don't log in to
  other sites unless the connection is encrypted

What about while traveling?

 Never use hotel lobby computers for
  anything sensitive or private - - only
  MapQuest-type inquiries, etc.
 Why? Keystroke loggers . . . Scary . . .

Specific private information

 Student educational records (FERPA)
     Know policy / guidance
     Consent, unless school official with
      legitimate educational interest, subpoena,
      emergency, few other exceptions
     Directory information – unless opt out
     Resources – Registrar,

Specific private information

 Employee health plan information (HIPAA)
     Records kept by W&L health plans on
      employee medicals, claims, etc.
     Group health, Flex, Dental, EAP
     Deborah Stoner and Steven McClure are
      authorized officials (HR)

Specific private information

 Background check information (FACTA)
     Disposal of such information
     Faculty staff medical information related to
      disability accommodations or
      family/medical leave - - should be kept
      separate from personnel file (HR Office - -
      avoid duplicates in department)

Specific private information

 Personally identifiable financial
  information (finances, social security
  number, credit card) (GLB + W&L policy)
      Treasurer’s office
      HR
      Financial Aid
      Business Office
      Bookstore, Alumni Office, Special
       Programs, Development, etc.

Information Security Program

 Internal inventory of department
  information security practices to identify
  and address any potential security

 Will begin with Financial Aid, Treasurer’s
  Office, Business Office, HR, and other
  offices maintaining social security
  numbers or credit card numbers.
Required Information Security
   Program risk assessment
 Interactive web-based risk assessment
 Supervisor or knowledgeable designee
  should complete. Questions? Contact
  Jennifer Kirkland, Associate General
  Counsel (x8929).
 If you have no financial information, or
  SSN#s or credit card #s, just say no.
What to do in case of improper
disclosure or other security breach
 Notify Office of General Counsel, Ruth
  Floyd (University Computing) (if IT-
  related), and Scott Dittman (Chair,
  Information Security Program
