1. Dr. Don Lloyd Cook Gill Ragon Owen, PA

2.  Practicing law in AR since 1989  Virginia Tech, Ph.D. in Marketing ◦ Virginia Tech Congressional Fellow in the office of Congressman Rick Boucher (1996)  Taught at Louisiana Tech University, Georgia State University and University of New Mexico.

3.  Certified Information Privacy Professional (CIPP) 2004; CIPP/Canada 2006  Acxiom Corporation 2006-2007 ◦ Privacy and Risk Consultant  Feeva Technology 2007-2010 ◦ Chief Privacy Officer and later General Counsel  Walmart, Inc. 2010-2011 ◦ Director of Privacy  Lunarline, Inc. 2011-2012 ◦ Director of Privacy

4.  Counsel at Gill Ragon Owen, P.A. ◦ Member of the Privacy and Data Management Practice ◦ Principal Blogger at “The View from 30,000 Feet”  http://gill-lawprivacy.blogspot.com/ (we will come back to this later) http://gill-lawprivacy.blogspot.com/ ◦ Ponemon Institute Distinguished Fellow

5.  Breaches are common ◦ 4,457 DATA BREACHES made public since 2005 ◦ Over 900 million records breached  Breaches are expensive (Ponemon Institute) ◦ Average cost per record breached of $145  Regulators are paying attention ◦ New laws, new techologies  Consumers and Investors are paying attention ◦ Just ask Gregg Steinhafe.

6.  Higher Ed Breaches in the Last Year (handout via the Chronology of Data Breaches)  22 significant breaches  Over 1 million records breached  Costs ◦ Direct vs. indirect ◦ Damage to brand equity  Admissions  Donor support (GT)

7.  FERPA  FACTA  HIPAA/HITECH  Notification Framework  Minnesota Plastic Card Security Act  Regulatory Actions  Civil Litigation

8.  Network Operations ◦ Multiple networks and access points  Internet Usage and Social Networks  Outsourcing  IT Implementation  Healthcare and Additional Miscellaneous Risks  Decentralized Culture  Massive record keeping  Academic and Personal Freedom  Budget

9.  University of Miami (2008) ◦ Backup tapes containing 2.1 million medical records stolen from off-site storage  Hired expert to determine whether information on tapes was accessible  Notified 47,000 individuals whose financial information was compromised  Established website and call center to handle information requests

10.  UCLA Health Systems (2005-2008) ◦ Employees of the health system, repeatedly and without authorization viewed protective health information of patients (celebrities) ◦ Office of Civil Rights investigated ◦ UCLA agreed to corrective action and paid a settlement of $865,000

11.  Unidentified Major State University (2009- 2011) ◦ Since 2009 more than 100,000 faculty, alumni, student and parent records, including names, SSNs, credit card information ◦ Class action lawsuit seeking 2 years credit monitoring, fraud resolution services for affected individuals ◦ Also seeks injunction mandating the university take additional measures to protect personally identifiable information

12.  Be Proactive  Privacy by Design for New Applications, particular for BYOD  Develop the expertise, internally and externally ◦ Information inventory ◦ Policies and procedures  Build a culture of privacy  Contractual risk sharing and insurance

13.  International Association of Privacy Professionals (IAPP) ◦ Education and Certification ◦ Daily Dashboard and other resources  The View from 30,000 Feet The View from 30,000 Feet ◦ Privacy blog from Gill Ragon Owen

14.  Perform an information audit so you can evaluate your risk  Strong passwords and encryption  Use social media for advertising and building relationships, not for monitoring employees  Look at your partner/vendor contracts. Who bears the risk?  Make your policies clear and enforce them  Flash drives are evil  BYOD is a godsend/disaster  SECURE YOUR NETWORKS

15.  An ounce of prevention can be worth big bucks down the road!  Outsourcing may be cheaper  Capitalize on the misfortune of others  Insurance can help you manage the risk  There are software solutions, vendors, experts and other resources to steer you through the process  Shredders are cheap!

16. ?