Legal Issues for Supervisors 401

How to Protect the Confidentiality and Security of Private Information on W&L and its Constituents

(C) Washington & Lee University 2007
What’s this all about?

Three separate issues:
- What is PRIVATE (personally identifiable information protected by law, policy, or common
- How to keep PRIVATE information CONFIDENTIAL (seen/heard by only those with a legitimate need to know); and
- How to keep such information SECURE (so that it cannot be improperly altered, removed, or
Private information under law

- Student education records (FERPA);
- Financial account/loan records (Gramm-Leach-Bliley) [student loans, employee home loans];
- Personally identifiable employee information kept by covered health plans (HIPAA) [health, dental, flex, EAP]
Private information under law

- Records related to employee disability (Americans with Disabilities Act) [kept separate from rest of personnel file];
- Medical records related to family and medical leave (FMLA) and workers’ compensation;
- Background check results (disposal) (FACTA)
- Student medical treatment / counseling records (private under Virginia law)
- Human subjects research (surveys, etc.)
Private information under

- Social security numbers and credit card numbers are included in W&L’s Information Security Program.
Other private W&L information

- Personally identifiable information re: donors, alumni and alumnae.
- Proprietary W&L information (internal operations, financial/investments, research and institutional data not intended for public disclosure)
Risks to private information

- Unauthorized access or transfer
- Disclosure beyond authorized request
- Improper disclosure based on unauthorized request
- Physical loss or destruction
- Alteration/corruption
- Improper interception
- Other security compromise

For example . . .
Responsibilities of all W&L

- All university faculty, staff, student workers, and volunteers are expected to comply with university policies and procedures on privacy, confidentiality and security.
- New employees (faculty & staff) sign confidentiality and technology use agreements. Extend to all, including student workers?
What should supervisors do to protect the confidentiality and security of private information?

- Stress the importance of sound information confidentiality and security practices to all employees.
- Practice what you preach: if you have no legitimate work-related or educational reason to access, disclose, or maintain information, don’t.
What should supervisors do to protect the confidentiality and security of private information?

- See that your staff receives training and resources on policies, procedures, and best practices for handling private information (use OGC as a resource).
- Be sure that only those in your department with a legitimate, work-related need to know have authority and access to private information.
What should supervisors do to protect the confidentiality and security of private information?

- Pay attention to provisions on confidentiality/security in vendor contracts where relevant (see OGC - - contract policy in
- Notify University Computing of lost or stolen laptops, flash drives, etc. and the Telecommunications Manager for stolen phones, BlackBerrys, etc., and coordinate in advance with HR in the event of a termination.
How to protect the confidentiality of private information - - general employee guidance

- When in doubt, ask / confirm first before disclosing or accessing private information.
- Don’t assume that just because you can access/disclose information, you should.
- Disposal of documents with private information - - internal or external shredding - - other?
How to protect the confidentiality of private information

- Don’t leave private information in plain view when leaving your work area.
- Lock file cabinets containing private information.
- Keep your office locked when you, or other authorized employees, are not
- Avoid multiple copies of private information unless needed.
How to protect the confidentiality of private information

- Don’t discuss private or sensitive information with open doors or in hallways, etc.
- Treat private information as if it were about you.
- Taking files home - - handle with care.
Protecting electronic information

- Password security:
  - 8 characters, alphanumeric
  - Change it often
  - Don’t share it with anyone
  - Don’t write it down and tape it close by
  - Give proxy access to e-mail or calendar, not the password to the account
Protecting electronic information

- Lock your workstation each time you leave it unattended (Ctrl/Alt/Delete)
- Shut down your computer each evening (allows patches and updates to apply AND keeps others off the computer)
- Keep anti-virus/firewalls, etc. up to date on home computers if you work at home
- Have multiple user names/passwords
Protecting electronic information

- Safe e-mail practices:
  - Don’t open attachments if you aren’t expecting them
  - Don’t click on links in e-mails
- Safe internet browsing:
  - Don’t click on it if you didn’t ask for it
  - Don’t allow random downloads
- Safe instant messaging (AOL viruses):
  - Only communicate with known buddies
Protecting electronic information

- Consider placement of screen / visibility to office visitors
- Use screen blockers
- Be careful with flash drives, memory keys, diskettes, CDs, etc.
What about when traveling?

- Assume NOTHING is secure!!!
- Wired is more secure than wireless
- Always look for the encrypted (lock or equivalent) symbol to be sure communication is secure
- Wireless off campus - - don’t log in to other sites unless encrypted
What about while traveling?

- Never use hotel lobby computers for anything sensitive or private - - only MapQuest-type inquiries, etc.
- Why? Keystroke loggers . . . Scary . . .
Specific private information

- Student educational records (FERPA)
  - Know policy / guidance
  - Consent, unless school official with legitimate educational interest, subpoena, emergency, few other exceptions
  - Directory information – unless opt out
  - Resources – Registrar,
Specific private information

  - Records kept by W&L health plans on employee medicals, claims, etc.
  - Group health, Flex, Dental, EAP
  - Deborah Stoner and Steven McClure are authorized officials (HR)
Specific private information

- Background check information (FACTA)
  - Disposal of such information
  - Faculty/staff medical information related to disability accommodations or family/medical leave - - should be kept separate from personnel file (HR Office - - avoid duplicates in department)
Specific private information

- Personally identifiable financial information (finances, social security number, credit card) (GLB + W&L policy)
  - Treasurer’s office
  - HR
  - Financial Aid
  - Business Office
  - Bookstore, Alumni Office, Special Programs, Development, etc.
Information Security Program

- Internal inventory of department information security practices to identify and address any potential security
- Will begin with Financial Aid, Treasurer’s Office, Business Office, HR, and other offices maintaining social security numbers or credit card numbers.
Required Information Security Program risk assessment

- Interactive web-based risk assessment
- Supervisor or knowledgeable designee should complete. Questions? Contact Jennifer Kirkland, Associate General Counsel (x8929).
- If you have no financial information, or SSNs or credit card numbers, just say no.
What to do in case of improper disclosure or other security breach

- Notify the Office of General Counsel, Ruth Floyd (University Computing) (if IT-related), and Scott Dittman (Chair, Information Security Program)