Scared Straight: The Need for Change Beth Cate Associate General Counsel, Indiana University

“The Scary” (aka External Drivers for Change) Lawsuits Regulatory Enforcement Actions by government agencies Contract-based Penalties Harm to Reputation Resource diversion Loss of Confidence and Support from Financial Supporters Alums/donors Legislatures Increased Regulation

Some scary numbers From the Privacy Rights Clearinghouse ( –Higher education accounted for 115 of 478 reported data security breaches since Feb. 15, 2005 –3,817,372 persons’ data compromised (conservative estimate) Frequency of release of sensitive personal data + associated risks = need to construct authentication and ID management systems very carefully and with eye toward risk minimization

Some grim headlines “Ohio University: Data Breach Central?” – Martin Bosworth, ConsumerAffairs.com “UCLA Data Breach Leaves 800K At Risk” – CBS News, Dec. 12, 2006 “University of Texas probes computer breach—Files illegally accessed; second intrusion in three years” – MSNBC, Apr. 24, 2006

Some (a lot) of state laws State breach notification laws –35 and counting – State privacy laws, usually specific to data element or sector And whose law applies anyway? –Many out of state residents – long arm jurisdiction? –What about international students?

And more on the way

And some federal laws FERPA –According to OFCP, need to limit and track electronic access to student records to avoid violations –Mechanisms for electronic “consent” to disclosure of student records and access to student records must be reasonably secure –Loss of federal funding, injunctions HIPAA –Privacy and Security Rules require the implementation of systems to manage, limit, and monitor access to PHI –Civil and criminal penalties for violations GLB –Schools must implement security plan with administrative, technical, and physical safeguards to protect confidentiality of covered financial information –Agency enforcement actions

And probably more on the way Feinstein bill: “Notification of Risk to Personal Data Act of 2007,” S.239 Barney Frank (chair, House Financial Services Committee) bill: Predicted….

Periodic call for enactment of Fair Information Practice Principles as broad-based federal legislation, if not enough effective self-regulation –Notice –Choice/consent –Access –Integrity/Security –Enforcement Private right of action (lawsuits) Civil/criminal enforcement by government agencies

And much use of resources Containment and implementing fixes –Ohio University: between $5.5 and 8 million ) Investigation Notice (individuals, credit bureaus, state agencies) Further communications with individuals/media –UCLA incident: 8,500 calls to hotline within first few days Any reimbursement of costs incurred by individuals undertaken by institutions

And private contract-based penalties PCIDSS – Payment Card Industry Data Security Standards –Require strong access control and tracking measures re: credit card data Penalties for noncompliance: –Fines –Loss of approval to accept credit card payments –Enhanced audit requirements

And loss of confidence by donors Ohio University: –“’It was my intention to leave a sizable endowment to OU, but not any longer,’ announced one [alumnus]. –Another signed off his May 3 with, ‘You incompetent f---ing a--holes. I will never donate a penny to you.’" (“OU has been getting an earful about huge data theft,” The Athens News (6/12/06)).

Or, as they say on the commercial side… “TJX, in public relations terminology, is in hell,” said Geri Denterlein, a Boston ‘crisis management’ expert. – (“Bank reissues cards as TJX sued over cyberscam,” Boston Herald (1/30/07)).

And heads rolling Ohio University: –CIO resignation –Director of communication network services fired –Manager of internet and school systems fired Dept. of Veterans’ Affairs Chief Information Security Officer resigned after data breach involving data of 26 million vets AOL Chief Tech Officer resigns, and two company researchers fired, after breach involving 650,000 subscribers’ data

And the possibility of criminal penalties E.g., Indiana Code (disclosure of SSNs) –Personal criminal liability for negligent, knowing, reckless, and intentional disclosures –Felony convictions punishable by up to 3 years’ imprisonment and $10K fines

And the specter of litigation E.g., Ohio University alumni/class action suit –Seeks costs of credit monitoring; less clear about actual damages and “anxiety” May be difficult for plaintiffs to win on negligence, invasion of privacy theories BUT still incur costs of defense, which can be considerable –** insurance/credit monitoring services – Louisiana state arrangement with Equifax (free daily credit monitoring, $2,500 identity theft insurance)

Legislative requirements can set standards for negligence/common law invasion of privacy actions E.g., proposed Federal Agency Data Privacy Protection Act, H.516 –All sensitive data in federal agencies must be secured by most secure encryption standard recognized by National Institute of Standards and Technology (and must be updated every 6 months) –No access by anyone without security clearance and financial disclosure; no offsite transport w/o agency IG approval –Flow down of requirements to govt contractors

So, to summarize… There are many, and increasing, external drivers for well constructed and managed authentication and identity management systems