Protecting Privacy Challenges for Higher Education Educause Western Regional Conference - April 26, 2006
Outline • California Office of Privacy Protection • Defining Privacy • Privacy Laws • Privacy Practices
California Office of Privacy Protection • CA is 1st state with such an agency • Created by law passed in 2000 • Mission: protect the privacy of individuals’ personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating…fair information practices
COPP Functions • Consumer assistance • Education and information • Coordination with law enforcement • Best practice recommendations
Why People Contact COPP 11/01-12/05
Classic Definition 1 • The right to be let alone. • "The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men—the right to be let alone." Brandeis & Warren, 1890
Classic Definition 2 • The right to control one’s personal information. • “…the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” Alan Westin, 1967
Privacy & Security • Information Security: protecting data from unauthorized access, use, disclosure, modification, destruction. • Information Privacy: providing individuals with level of control over use and disclosure of their personal information • No privacy without security
Privacy Values • Privacy – the right to control one’s personal information – is essential to protect other important values. • Confidentiality • Anonymity • Seclusion • Fairness • Liberty
Security vs. Privacy Public Records & Privacy Data Brokers Ubiquitous Surveillance Persistence of Data Identity & Authentication Identity Theft Current Privacy Issues Most of these affect higher ed.
Security vs. Privacy • “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” Benjamin Franklin, 1759 • A zero-sum game?
Public Records & Privacy • Loss of “practical obscurity” – from the county courthouse to the World Wide Web • Open government – Can we keep an eye on our government without spying on individual citizens? • Limit access to sensitive data to certain purposes • Data brokers digitizing public records • “Enriched” data resold to government and businesses
Ubiquitous Surveillance • Digital trails created by financial transactions, digitized public records, FasTrak, security cameras, building cardkeys, Web searches, electronic health records…
The Persistence of Data • Internet archive • Online communities – MySpace.com, Facebook.com • Loss of “social forgiveness” in society of digital dossiers
Identity Theft • Causal factors in identity theft • Electronic databases • Instant credit • Remote transactions • Over-reliance on inadequate identification system
Identity Theft • Obtaining someone’s personal information and using it for an unlawful purpose • Penal Code § 530.5 • Types of identity theft • Financial – existing account, new account • Government benefits – employment • “Criminal”
Incidence of Identity Theft • Rate steady at about 9 million/year for past 3 years • 4% of adults • Including 1 million Californians Source: BBB/Javelin, 1/06
How ID Thieves Get Your Info Organizations in control 16% Don’t know 57% Consumers in control 27% Source: BBB/Javelin, 1/06
Impact of ID Theft on Victims • Out-of-pocket costs • Average $422 • Time spent recovering • Average 40 hours Source: BBB/Javelin, 1/06
Impact of ID Theft on Economy • Total cost of identity theft in U.S. in 2005 $56.6 Billion Source: BBB/Javelin, 2/06
Protecting Personal Information State and Federal Privacy Laws and Regulations
U.S. takes sectoral approach Laws protect personal information in certain industry sectors (financial, health care, video rental records) EU, Canada, APEC take comprehensive approach Laws treat privacy as fundamental human right Approaches to Data Protection
Credit Reporting Government Privacy Financial Privacy Health Information Privacy Educational Records Information Security Commercial Communications Identity Theft Other Major Sectoral Privacy Laws
Federal Laws FERPA – Privacy of educational records GLBA – Financial privacy & security HIPAA – Health information privacy & security State Laws IPA & other state government privacy laws (public institutions) Online privacy (CA) Information security SSN confidentiality Breach notice Privacy Laws for Higher Ed
California #1 in Privacy Protection • California ranks highest in protecting its citizens against invasions of privacy. • Privacy Journal • All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. • California Constitution, Article 1, § 1
Social Security Number Law • Prohibits public posting or display of SSN • Don’t print on ID/membership cards. • Don’t mail documents with SSN to individual, unless required by law. • Don’t require sending by email or require for Web site log-on (unless with additional password). • Don’t print more than 4 digits of SSN on paystubs – or use employee ID number
Online Privacy Practices in Higher Ed • Survey report available from Mary Culnan, Bentley College, firstname.lastname@example.org • 236 doctoral universities & national liberal arts colleges in 2004 US News & World Report list • Assessed 3 types of online privacy risks • Privacy statement use • Data collection forms • Cookies
Online Privacy Practices in Higher Ed • 100% of universities & colleges had at least one instance of Web page w/out link to privacy notice • Nearly 100% had 1or more data collection form without link to privacy notice • Nearly 100% had 1or more data collection forms using GET method • 100% had at 1 or more non-secure data-collection page
A Few Headlines • Another University Suffers Security Breach • UCB, 3/29/05 • Tufts warns 106,000 alums, donors of security breach • 4/12/05 • FBI probes network breach at Stanford • 5/25/05 • University to Warn of Web Security Breach • USC, 7/10/05 • 7,800 linked to USD told of network security breach • 12/3/05 • Computer records on 197,000 people breached at UT • 4/24/06
Security Breach Notice Law • Notify individuals if unauthorized person acquires “unencrypted computerized data,” as defined: • Name plus one or more of following: SSN, DL, or financial account number • Notify promptly and without unreasonable delay • Time allowed to assess scope; may delay if would impede law enforcement investigation
Security Breach Notice Law • Notify individually unless >250,000 or >$500,000 or inadequate contact information • Substitute notice • Email if you have address, AND • Post on Web site, AND • Use mass media.
Breach Notifications • CA Office of Privacy Protection learns of breaches from individuals, companies, media • Sample includes 101 breaches since 7/03 (not all) • Over 53 million notified (from 100 to 40 MM per incident) • Mean 646,723 • Median 31,077
Why Universities? • Culture of free flow of information • Distributed IT environment • More responsible about reporting?
Lessons Learned - Prevention • Review data collection policies • Blood bank example: Do we really need SSNs? • Review data retention policies • University example: How long?
Lessons Learned - Prevention • Remember the mobile workforce! • Protect desktops, laptops, other portables • Prohibit downloads of sensitive info to PCs, laptops • Use encryption – State encryption policy • BL05-32 at www.dof.ca.gov/html/budlettr/budlets.htm
Privacy Best Practices • Build in privacy. • Design systems and database to limit and protect personal information. • Know where your personal information is. • Conduct personal info inventory, including portable computing & storage devices and paper records.
Privacy Best Practices • Say what you do with personal information. • Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info. • Do what you say in managing personal information. • Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail.