The Convergence of Privacy, Security and Electronic Information

M. Peter Adler, JD, LLM, CISSP, CIPP
Adler InfoSec & Privacy Group LLC
Director of Privacy and Cybersecurity (Interim), Montgomery College, Rockville, MD

Educause Enterprise 2007

Dec 27, 2015


Page 2

Agenda

Legal Drivers/Applicable Laws
– Security Laws
– Privacy Laws
– Rules of Civil Procedure

Compliance Elements
Compliance Approach
Information Management Requirements
Convergence and Compliance

Page 3

Legal Drivers in Higher Education: Security, Privacy, Information Management

Page 4

Security

– GLBA
– HIPAA
– FISMA
– State Law – Notice of Security Breach and Others

Page 5

GLBA and Information Security

GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801, 6805

Page 6

GLBA and Higher Education

Higher education institutions are “non-bank businesses” subject to GLBA.
– The university (i.e. the “financial institution”) provides a financial service, administering a financial product such as a scholarship, or dispensing financial advice to customers (students and possibly staff).
– This includes student loans, scholarships, bursaries and emergency student aid.
– GLBA Privacy provisions are met if the institution complies with FERPA.
– The Security Regulations apply regardless: Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 (“GLBA Safeguards”).

Therefore, colleges and universities have a legal obligation under the GLBA to safeguard all the students’ nonpublic financial information.

Page 7

HIPAA Compliance

HIPAA Requirements/Security: to guard the confidentiality, integrity and availability (CIA) of health information.

Compliance components:
– Technical Security
– Administrative Security
– Physical Security
– Business Associate Management
– Procedures, Legal Compliance

Page 8

Federal Information Security Act of 2002 (FISMA)

FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq.
– Requires compliance with a set of federal government information security standards: Federal Information Processing Standards (FIPS) and NIST Standards.

Applies to Federal information systems
– An information system used or operated by an executive agency, or by another organization on behalf of an executive agency.

May be applicable to higher education through government contracts.
– Department of Defense and Department of Labor hold fund recipients to these standards.
– Department of Education, National Science Foundation and National Institutes of Health may do the same.

Page 9

Approaching Security

– Goals
– Unified Approach
– Risk Assessment Cycle
– Risk Assessment Methodology
– Risk Handling Methods
– Controlling and Mitigating Risk
– GLBA Example

Page 10

Goal of Security Generally

To guard the confidentiality, integrity and availability (CIA) of protected information.

Page 11

Unified Approach To Security

Security practices mapped against ISO 17799, NIST 800 Series, HIPAA, GLBA and Leahy-Specter:

Administrative Safeguards
– Security Management Process
– Assigned Security Responsibility
– Workforce Security
– Management of Information Access
– Security Incident Procedures
– Contingency Planning
– Review/Evaluation
– Contracts
– Security Awareness and Training

Page 12

Unified Approach to Security (cont’d)

Security practices mapped against ISO 17799, NIST 800 Series, HIPAA, GLBA and Leahy-Specter:

Physical Safeguards
– Facility Access Controls
– Workstation Use and Security
– Device and Media Controls

Technical Safeguards
– Access Control
– Audit Controls
– Integrity Controls
– Person or Entity Authentication
– Transmission Security

Page 13

Risk Assessment Cycle

A threat agent causes or creates a threat, which exploits a vulnerability, leading to a risk, which can damage an asset, causing an exposure, which can be controlled by a safeguard that mitigates the threat agent.

Risk = Threats x Vulnerabilities x Impact

Page 14

General Assessment Model: Security

Phase 0. Prepare Project Plan
Phase 1. Information Collection
Phase 2. Perform Risk and other Analyses
Phase 3. Report of Findings and Recommendations
Phase 4. Prepare Implementation Plan

Inputs:
– Documentation Review
– Interviews
– ISO 17799 Security Standards
– Determine Applicable Laws/Requirements
– Data Classification and Mapping

Page 15

Handling Risk

– Avoid
– Mitigate
– Control
– Transfer
– Assume

Page 16

Example: GLBA Information Security Program

Implement and maintain a comprehensive information security program
– that is written in one or more readily accessible parts and
– contains administrative, technical, and physical safeguards.

The safeguards are to be appropriate
– to the organization’s size and complexity,
– the nature and scope of its activities, and
– the sensitivity of any customer information.

Page 17

Roles and Responsibilities

– Designate an employee or employees to coordinate the information security program

Page 18

GLBA Risk Assessment

Risk Assessment:
– Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information;
– Assess the sufficiency of any safeguards in place to control these risks.

Minimal areas to be addressed:
– Employee training and management;
– Information systems, including network and software design, as well as information processing, storage, transmission and disposal;
– Detecting, preventing and responding to attacks, intrusions, or other systems failures.

Page 19

Implement and Monitor Safeguards

Safeguard Implementation:
– Design and implement information safeguards to control the identified risks.

Monitoring Safeguard Effectiveness:
– Regularly test or otherwise monitor the effectiveness of the safeguards (i.e., key controls, systems and procedures).

Page 20

Evaluate and Modify GLBA Information Security Program

Evaluate and adjust the GLBA information security program in light of
– the results of the testing and monitoring;
– any material changes to business operations or arrangements; or
– any other circumstances that you know or have reason to know may have a material impact on your information security program.

Page 21

Third Party Service Providers

Selection of Service Providers:
– Select and retain service providers that are capable of maintaining appropriate safeguards for the customer information.

Contractually Bind Security Safeguards:
– Contractually require service providers to implement and maintain such safeguards to protect customer information.

Page 22

Privacy

– Family Educational Rights and Privacy Act (FERPA)
– Health Insurance Portability and Accountability Act (HIPAA)
– State Law
  – Notice of Breach Laws
  – Other state laws

Page 23

Family Educational Rights and Privacy Act (FERPA)

Leading federal privacy law for educational institutions.

Imposes confidentiality requirements over student educational records.

Prohibits institutions from disclosing "personally identifiable education information" such as grades or financial aid information without the student's written permission.

Provides students with the right to request and review their educational records and to make corrections to those records.

The law applies with equal force to electronic and hardcopy records.

Page 24

HIPAA

Applies to Health Care Providers, Health Plans and Health Care Clearinghouses, e.g.,
– Student Health Services
– Academic medical centers
– Business associates (through contracts)

Imposes confidentiality requirements on Protected Health Information (“PHI”)
– PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
– PHI excludes: education records covered by FERPA and employment records held by a covered entity in its role as employer.

PHI may be used and disclosed for treatment, payment and healthcare operations, under an authorization or as permitted by regulation.

Page 25

State Breach Notification Laws

Most of the laws require notification if there has been, or there is a reasonable basis to believe there has been, unauthorized access that compromises personal data.
– “Notice triggering information,” e.g., name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code.

Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual.

Most apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered.

Page 26

State Breach Notice Laws

Some state laws may require compliance with security standards, e.g., California and Maryland.
– Some provide a “safe harbor” for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.

Some give the state’s Attorney General enforcement authority.

Most allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois.

Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000; Rhode Island, Delaware, Nebraska and Ohio set lower thresholds.

Page 27

AICPA/CICA Privacy Framework

AICPA/CICA Trust Services Privacy Principle – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the AICPA/CICA Trust Services Privacy Criteria.

Page 28

AICPA/CICA Privacy Framework

Trust Services Privacy Components and Criteria
– The Framework contains 10 privacy components and related criteria that are essential to the proper protection and management of personal information.
– These privacy components and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world.

Page 29

AICPA/CICA Privacy Framework: Criteria 1-5

1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

3. Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

Page 30

AICPA/CICA Privacy Framework: Criteria 6-10

6. Access. The entity provides individuals with access to their personal information for review and update.

7. Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8. Security. The entity protects personal information against unauthorized access (both physical and technical).

9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10. Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Page 31

Privacy Overlap

OECD Guideline: corresponding AICPA criterion (Criterion No.)
– (N/A but implied): Management (1)
– Openness: Notice (2), Choice/Consent (3)
– Collection Limitation: Collection (4)
– Purpose Specification: Use and Retention (5)
– Use Limitation: Use and Retention (5), Disclosure to Third Parties (7), Choice/Consent (3)
– Security Safeguards: Security (8)
– Data Quality: Quality (9)
– Individual Participation: Right to Access (6), Choice/Consent (3)
– Accountability: Monitoring and Enforcement (10)

Page 32

…as Applied to U.S. Law…

AICPA criterion: GLBA / HIPAA / FERPA
1. Management: Implied, Training / Administrative Requirements, Training / Implied
2. Notice: Notification / Notice of Privacy Practices / Notification
3. Choice/Consent: Choice, Opt Out / Individual Rights, Permissible Uses, Authorization / Consent required unless exceptions apply
4. Collection: Information Collection Limitation / Minimum Necessary Rule / Legitimate educational interest
5. Use and Retention: Uses Limitation / Minimum Necessary Rule / Legitimate educational interest

Page 33

…as Applied to U.S. Law… (cont’d)

AICPA criterion: GLBA / HIPAA / FERPA
6. Access: Access/Correction / Access/Correction / Inspect, review, and challenge, including statement of dispute
7. Disclosure: Service Provider Contracts / Business Associates Contracts, Permissible Uses, Authorized Uses / Consent for third party disclosures unless exceptions apply
8. Security: Safeguards / Safeguards, Security Regulations / Unspecified beyond obtaining consent if required, Audit Trail
9. Quality: Integrity / Integrity / Unspecified beyond Right to Review and Audit Trail
10. Monitoring and Enforcement: Monitoring, Enforcement / Monitoring, Enforcement / Audit trail, Enforcement

Page 34

General Assessment Model: Privacy

Phase 0. Prepare Project Plan
Phase 1. Information Collection
Phase 2. Perform Risk and other Analyses
Phase 3. Report of Findings and Recommendations
Phase 4. Prepare Implementation Plan

Inputs:
– Documentation Review
– Interviews
– AICPA or Create Own Standards
– Determine Applicable Laws/Requirements
– Data Classification and Mapping

Page 35

Information Management

– Federal Rules of Civil Procedure (FRCP)
– Notice of Security Breach Laws, GLBA, HIPAA

Page 36

The Federal Rules of Civil Procedure

“The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party’s preparation for trial.” - Black’s Law Dictionary

The Federal Rules of Civil Procedure (and most state law) provide the following discovery tools:
– Depositions Upon Oral Examination or Written Questions (Rules 30, 31 and 32)
– Written Interrogatories (Rule 33)
– Production of Documents or Things (Rule 34)
– Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34)
– Physical and Mental Examinations (Rule 35)
– Requests for Admission (Rule 36)

Tools to Ensure or Excuse Discovery
– Motion to Compel (Rule 37(a))
– Sanctions (Rule 37(b), (c) & (d))
– Protective Orders (Rule 26(c))

Page 37

E-Discovery: 12/2006

New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) are expected by December of this year.

These Rules are broken into the following categories:
– Early attention to electronic discovery issues: Rules 16 and 26(f)
– Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2)
– New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5)
– Interrogatories and Requests for Production of ESI: Rules 33 and 34
– Application of sanctions rules pertaining to ESI: Rule 37

Page 38

ESI Retention

Duty to Preserve
– Legal duty, e.g., Sarbanes–Oxley, HIPAA, FACTA and other document retention requirements
– Lawyer’s duty to preserve evidence in discovery and litigation

Continued Operations
– Normal system operations
– Data backup
– Data destruction

Page 39

Duty to Preserve

Duty attaches when a person knows or reasonably anticipates litigation involving identifiable parties and identifiable facts.
– Encompasses potential evidence related to identifiable facts, which may shift as litigation proceeds. Stevenson v. Union Pac. R.R., 354 F.3d 739 (8th Cir. 2004)
– Exists independent of any preservation demand letter or court order. Wigington v. Ellis, 2003 WL 22439865 (N.D. Ill. 2003) (Wigington I); Treppel v. Biovail Corp., 233 F.R.D. 363 (S.D.N.Y. 2006).
– The fact that ESI is not reasonably accessible does not relieve a party from its duty to preserve the information if potentially relevant. Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Zubulake IV”)

Page 40

Failure to Preserve: Sanctions for Spoliation

Duty to monitor preservation falls on inside and outside counsel.

Potential sanctions will vary with the intent and behavior of the producing party (bad faith, gross negligence, negligence) and the degree of prejudice to the requesting party caused by spoliation.

Possible sanctions include:
– Fines;
– Adverse inference jury instruction;
– Striking of a pleading or defense;
– Dismissal or default; and
– Costs for supplemental discovery.

Page 41

Right to Destroy

Courts have acknowledged that organizations have the right to destroy - whether or not it is consciously deleted - electronic information that does not meet the internal criteria of information or records requiring retention.
– “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business …. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.” Arthur Andersen, LLP v. United States, 125 S. Ct. 2129, 2135 (2005).

Page 42

Safe Harbor: Rule 37(f)

The court will not impose sanctions on parties who fail to produce ESI that was lost as a result of routine, good faith operation of an electronic information system, absent exceptional circumstances. Rule 37(f)

Good faith destruction of potentially relevant ESI will be difficult to establish when there is a claim pending or the party has received a credible threat of a claim.
– A Committee Note to Rule 37(f) states: “Good faith in the routine operation of an information system may involve a party’s intervention to modify or suspend certain features of that routine operation to prevent the loss of information if that information is subject to a preservation obligation.”

Page 43

ESI Retention Risks

Spoliation and Sanction Risks. Because of retention duties, a party must persuade the court that those documents that no longer exist were purged pursuant to a policy and were not willfully destroyed or spoliated.

Cost of Retrieval Risk. Knowing where information is stored, or whether it has been destroyed pursuant to document retention policies, will avoid the high costs associated with e-discovery fishing expeditions.

Inability to Defend Risk. The loss of critical evidence potentially leads to the inability to properly defend a claim.

Page 44

ESI Retention/Destruction Program

Compliance and Auditing Plan
– Create or Amend Policy on ESI Retention and Destruction
– Indexing and Document Naming System
– Attorney-Client Privilege Procedures
– Litigation Hold Procedures
– Employee Training
– Post-Implementation Compliance and Auditing

Page 45

General Assessment Model: ESI Retention and Destruction

Phase 1. Information Collection
– Document Review
– Interviews
– ISO 15489
– Determine Applicable Retention Laws/Requirements
Phase 2. Asset Assessment
– Key Systems Identified
– Assess Indexing & Retrieval Capabilities
Phase 3. Data Classification
– Privacy-Protected
Phase 4. Implement Modifications to Indexing and Retrieval
Phase 5. Retention and Destruction Program
Phase 6. Implement Litigation Hold Procedures
Phase 7. Training
Phase 7. Review, Evaluate and Modify

Page 46

ESI Retention/Destruction Review

Written vs. Actual ESI Retention Practices
– Creation
– Use
– Disposal

Are electronic records being kept as required by law and internal procedures?

Are electronic records being managed over their entire lifecycle?

Page 47

ESI Retention/Destruction Program

An ESI Management Program contains many of the elements found in security and privacy programs.

Removal of sensitive ESI on a regular basis will enhance an organization’s privacy and security, and will lower discovery costs in litigation.

Page 48

Convergence and Compliance: Security, Privacy, Information Management

Page 49

Electronic Records Management Requirements

System Characteristic: Notice of Breach Law / GLBA / HIPAA / FERPA
– Protected Information: Notice Triggering Information / Customer Information / Electronic PHI / Education Records
– Identify, sort and store: Yes / Yes / Yes / Yes
– Access, retrieve and use: Yes / Yes / Yes / Yes
– CIA Protections: Yes / Yes / Yes / Yes
– Authentication: Yes / Yes / Yes / Yes
– Retention and Disposition: Yes / Yes / Yes / Yes
– Accountability: Yes / Yes / Yes / Yes
– Audit Trail: Yes / Yes / Yes / Yes
– Compliance: Yes / Yes / Yes / Yes
– Breach Notice Capable: Yes / Yes / No / No

Page 50

Compliance Convergence

Element – Examples: Security / Privacy / ESI Management

Planning, Governance and Management
– Roles and Responsibilities: Yes / Yes / Yes
– Coordination with Multiple Departments: Yes / Yes / Yes

Data Classification
– Map Data Flow: Yes / Yes / Yes
– Key System (Asset) Identification: Yes / Yes / Yes

Page 51

Compliance Convergence (cont’d)

Element – Examples: Security / Privacy / ESI Management

Shared Security Functions
– Protection of CIA: Yes / Yes / Yes
– Roles and responsibilities: Yes / Yes / Yes
– Access controls: Yes / Yes / Yes
– Management of email: Yes / Yes / Yes
– Disaster Recovery and Contingency Planning: Yes / Yes / Yes
– System Backup: Yes / Yes / Yes

Page 52

Compliance Convergence (cont’d)

Element – Examples: Security / Privacy / ESI Management

– Third Party Contracts: Yes / Yes / Yes
– Incident Response: Yes / Yes / Yes
– Formal technology standards (AICPA, EU Data Directive): Yes / Yes / Yes
– Compliance with specific legal or private contractual requirements: Yes / Yes / Yes
– Training: Yes / Yes / Yes

Page 53

Approach

“Follow The Data” – data classification and mapping is essential.

Integrate security, privacy, ESI and records management planning
– Simultaneously assess overlapping elements
– Build privacy and security compliance into information management
– Safely and securely destroy all ESI, including information protected by security and privacy laws, considering legal and business constraints

Page 54

Contact Information

M. Peter Adler
Adler InfoSec & Privacy Group LLC
2103 Windsor Road, Alexandria, VA 22307
Telephone: (202) 251-7600
Facsimile: (703) 997.5633
Email: [email protected]
Web: www.adleripg.com