Legal Issues for Supervisors 401 - PowerPoint PPT Presentation

About This Presentation

Title: Legal Issues for Supervisors 401

Slides: 29
Provided by: JKirk

Transcript and Presenter's Notes


1
Legal Issues for Supervisors 401
  • How to Protect the Confidentiality and Security
    of Private Information on W&L and its Constituents

2
What's this all about?
  • Three separate issues
  • What is PRIVATE (personally identifiable
    information protected by law, policy, or common
    civility)
  • How to keep PRIVATE information CONFIDENTIAL
    (seen/heard by only those with a legitimate need
    to know) and
  • How to keep such information SECURE (so that it
    cannot be improperly altered, removed, or
    destroyed).

3
Private information under law
  • Student education records (FERPA)
  • Financial account/loan records (Gramm-Leach-
    Bliley): student loans, employee home loans
  • Personally identifiable employee information kept
    by covered health plans (HIPAA): health, dental,
    flex, EAP

4
Private information under law
  • Records related to employee disability (Americans
    with Disabilities Act) kept separate from rest
    of personnel file
  • Medical records related to family and medical
    leave (FMLA) and workers compensation
  • Background Check results (disposal) (FACTA)
  • Student medical treatment / counseling records
    (private under Virginia law)
  • Human Subjects Research (surveys, etc.)

5
Private information under policy
  • Social security numbers and credit card numbers
    are included in W&L's Information Security
    Program.

6
Other private W&L information
  • Personally identifiable information re donors,
    alumni and alumnae.
  • Proprietary W&L information (internal operations,
    financial/investments, research and institutional
    data not intended for public disclosure)

7
Risks to private information
  • Unauthorized access or transfer
  • Disclosure beyond authorized request
  • Improper disclosure based on unauthorized request
  • Physical loss or destruction
  • Alteration/corruption
  • Improper interception
  • Other security compromise

8
For example . . .
9
Responsibilities of all WL employees
  • All university faculty, staff, student workers,
    and volunteers are expected to comply with
    university policies and procedures on privacy,
    confidentiality and security.
  • New employees (faculty & staff) sign
    confidentiality and technology use agreements.
    Extend to all, including student workers?

10
What should supervisors do to protect the
confidentiality and security of private
information?
  • Stress importance of sound information
    confidentiality and security practices to all
    employees.
  • Practice what you preach -- if you have no
    legitimate work-related or educational reason to
    access, disclose, or maintain information, don't.

11
What should supervisors do to protect the
confidentiality and security of private
information?
  • See that your staff receives training and
    resources on policies, procedures, and best
    practices for handling private information (use
    OGC as resource).
  • Be sure that only those in your department with a
    legitimate, work-related need to know have
    authority and access to private information.

12
What should supervisors do to protect the
confidentiality and security of private
information?
  • Pay attention to provisions on confidentiality/
    security in vendor contracts where relevant (see
    OGC -- contract policy in development).
  • Notify University Computing of lost or stolen
    laptops, flash drives, etc. and
    Telecommunications Manager for stolen phones,
    blackberries, etc., and coordinate in advance
    with HR in the event of a termination.

13
How to protect the confidentiality of private
information - - general employee guidance
  • When in doubt, ask / confirm first before
    disclosing or accessing private information.
  • Don't assume that just because you can
    access/disclose information, you should.
  • Disposal of documents with private information --
    internal or external shredding -- other?

14
How to protect the confidentiality of private
information
  • Don't leave private information in plain view
    when leaving your work area.
  • Lock file cabinets containing private
    information.
  • Keep your office locked when you, or other
    authorized employees, are not present.
  • Avoid multiple copies of private information
    unless needed.

15
How to protect the confidentiality of private
information
  • Don't discuss private or sensitive information
    with open doors or in hallways, etc.
  • Treat private information as if it were about
    you.
  • Taking files home -- handle with care.

16
Protecting electronic information
  • Password security
  • 8 characters, alphanumeric
  • Change it often
  • Don't share it with anyone
  • Don't write it down and tape it close by
  • Give proxy to e-mail or calendar, not password to
    the account

17
Protecting electronic information
  • Lock your workstation each time you leave it
    unattended (Ctrl/Alt/Delete)
  • Shut down your computer each evening (allows
    patches and updates to apply AND keeps others off
    the computer)
  • Keep anti-virus/firewalls, etc. up to date on
    home computers if you work at home
  • Have multiple user names/passwords

18
Protecting electronic information
  • Safe e-mail practices
  • Don't open attachments if you aren't expecting
    them
  • Don't click on links in emails
  • Safe internet browsing
  • Don't click on it if you didn't ask for it
  • Don't allow random downloads
  • Safe instant messaging (AOL viruses)
  • Only communicate with known buddies

19
Protecting electronic information
  • Consider placement of screen / visibility to
    office visitors
  • Use screen blockers
  • Be careful with flash drives, memory keys,
    diskettes, CDs, etc.

20
What about when traveling?
  • Assume NOTHING is secure!!!
  • Wired is more secure than wireless
  • Always look for the encrypted (lock or
    equivalent) symbol to be sure communication is
    secure
  • Wireless off campus -- don't log in to other
    sites unless encrypted

21
What about while traveling?
  • Never use hotel lobby computers for anything
    sensitive or private -- only MapQuest-type
    inquiries, etc.
  • Why? Keystroke loggers . . . Scary . . .

22
Specific private information
  • Student educational records (FERPA)
  • Know policy / guidance
  • http://registrar.wlu.edu/policies/ferpa.htm
  • Consent, unless school official with legitimate
    educational interest, subpoena, emergency, few
    other exceptions
  • Directory information unless opt out
  • Resources: Registrar, counsel.wlu.edu

23
Specific private information
  • HIPAA
  • Records kept by WL health plans on employee
    medicals, claims, etc.
  • Group health, Flex, Dental, EAP
  • Deborah Stoner and Steven McClure are authorized
    officials (HR)
  • http://humanresources.wlu.edu/other/Benefit%20Plan%20Privacy%20Practices.htm

24
Specific private information
  • Background check information (FACTA)
  • Disposal of such information
  • ADA/FMLA
  • Faculty & staff medical information related to
    disability accommodations or family/medical leave
    -- should be kept separate from personnel file
    (HR Office -- avoid duplicates in department)

25
Specific private information
  • Personally identifiable financial information
    (finances, social security number, credit card)
    (GLB & W&L policy)
  • Treasurer's office
  • HR
  • Financial Aid
  • Business Office
  • Bookstore, Alumni Office, Special Programs,
    Development, etc.

26
Information Security Program
  • Internal inventory of department information
    security practices to identify and address any
    potential security concerns. FEDERAL LAW
    MANDATE.
  • Will begin with Financial Aid, Treasurer's
    Office, Business Office, HR, and other offices
    maintaining social security numbers or credit
    card numbers.

27
Required Information Security Program risk
assessment
  • Interactive web-based risk assessment tool
    http://law.wlu.edu/administration/surveys/financial.asp
  • Supervisor or knowledgeable designee should
    complete. Questions? Contact Jennifer Kirkland,
    Associate General Counsel (x8929).
  • If you have no financial information, or SSN#s or
    credit card #s, just say no.

28
What to do in case of improper disclosure or
other security breach
  • Notify Office of General Counsel, Ruth Floyd
    (University Computing) (if IT-related), and Scott
    Dittman (Chair, Information Security Program
    Committee)