
Legal, Policy and Regulatory Challenges for IT. Executive Leadership/Seminars on Academic Computing. Tracy Mitrano, Cornell University.


1 Legal, Policy and Regulatory Challenges for IT
Executive Leadership/Seminars on Academic Computing
Tracy Mitrano, Cornell University

2 Internet & IT Policy: Law, Norms, Architecture, Market

3 Big “P” and Little “p” Policy
- Big “P” policy involves external issues, such as national security, electronic surveillance laws, privacy, or digital copyright.
  - USA-Patriot Act: http://www.cit.cornell.edu/oit/policy/PatriotAct/
  - Digital Copyright: http://www.cit.cornell.edu/oit/policy/copyright/
  - Privacy in the Electronic Realm: http://www.cit.cornell.edu/oit/policy/privacy/
  - CALEA: Communications Law Enforcement Assistance Act: http://www.cit.cornell.edu/oit/policy/calea/

4 Little “p” Policy
- Little “p” policy is institutional policy.
  - Preservation and protection of institutional interests and assets
  - If your policy does not stand up to this test, best to rethink
- Cornell Model
  - Centralized University Policy Office: http://www.policy.cornell.edu/
  - Famous “policy on policies!”: http://www.policy.cornell.edu/vol4_1.cfm
  - Balance of statement and procedure
  - At the institutional level of procedure, but not backline

5 Go to law school, Tracy! Relationship between higher education and the government, market, social norms and technology is growing increasingly complicated and will become even more so given the international nature of communications technologies.

6 Why so much legal and regulatory activity?
- Information technologies have been the driving force of the American (and global) economy since the 1990’s
  - Personal computer + network systems = communications
- Innovation offers untapped potential
  - New distribution methods
  - Entertainment media
  - Publishing
  - Communications
  - Education, too!

7 Transformative Effects on…
- Revenue
  - Commercialization of the Internet since going public in the early 1990’s created new business models
  - Google and advertising
  - Merchandise distribution, i.e. shopping! (Amazon)
  - Buying and bargaining (eBay)
- Entertainment
  - We’re waiting :-)
- Government
  - In the midst of a historic national deficit, watch for an Internet tax sometime near you soon!

8 …the Law and Regulatory Issues
- Copyright, Copyright, Copyright
  - When I went to law school and walked uphill both ways…
- Digital Millennium Copyright Act 1998
  - Section 512: Notice and take down
  - Section 1201: Anti-circumvention
- February 2003: Senate Hearings
  - First letters to the presidents
  - Verizon “fast-track” litigation
  - Law suits against individuals
  - Action against Internet 2
  - Second letter to presidents regarding subnets and filtering

9 , ,  !  Current litigation  Google Library Project  If there is ever a case to test fair use in the new electronic age, this is the one!  American Association of Publishers v.  Shhhhhhhh  Current legislative reform  Orphan works  Finally a boon to and for higher education!!  Current litigation  Google Library Project  If there is ever a case to test fair use in the new electronic age, this is the one!  American Association of Publishers v.  Shhhhhhhh  Current legislative reform  Orphan works  Finally a boon to and for higher education!!

10 Institutional Policy Response
- Statement
  - X complies with all copyright laws.
- Procedure
  - DMCA
  - E-Reserves
  - Course management systems
  - Intellectual Property of the University and its employees, students and faculty

11 Electronic Surveillance
- USA-Patriot Act
  - Amended the Electronic Communications Privacy Act by lowering the evidentiary standard for voicemail and call records
    - E.g. network flow logs
  - Legal backdrop for the collection of call records from major communications providers
  - Below probable cause = file a paper with a clerk

12 Institutional Policy Response
- Statement
  - “All roads lead to Rome”, i.e. counsel
  - Cornell University Policy 4.13, Acceptance of Legal Papers: http://www.policy.cornell.edu/vol4_13.cfm
- Unit Protocol in order to get to Rome
  - Cornell Information Technologies

13 Flowchart: handling a law enforcement request for a tangible item or electronic records
- Lanes: External Law Enforcement; University Counsel; VP of Info Tech; ITSO or IT Policy Office; CIT; Other CU Department
- Start: law enforcement makes the request; the receiving unit follows its internal unit protocol
- Routing decisions in the receiving unit: to counsel? to VP of IT? to ITSO or IT Policy? to CIT? Refer to ITSO, IT Policy, or VP of IT*; notify ITSO, IT Policy, or VP of IT*; refer to University Counsel
- University Counsel: Defect in request? (Y: fix defect in legal paperwork) Can comply? (N: end)
- Request for a tangible item: order to provide item**; give item to ITSO/IT Policy Office; give item to University Counsel; give item to law enforcement; end
- Request for electronic records: order to provide records**; receive item/records; transmit records to law enforcement; end
- * Depending on who is available
- ** Depending on the nature of the request, University Counsel may contact either the IT Policy Office or ITSO

14 Privacy Laws…
- Health Insurance Portability Act
- Financial Services Act (GLBA)
  - **Both HIPAA and GLBA have explicit security and privacy regulations
- Family Education Rights Privacy Act
  - Pre-existing, so it has not caught up yet
- Got a campus hotel with cable or movies?
  - Video Recording Act
  - Cable Act

15 Institutional Policy Response
- Complementary Privacy and Security Programs organized around the following five categories:
  - Policy
  - Risk Assessment/Operations
  - Training for personnel
  - Education for all users
  - Enforcement

16 Examples
- Cornell Security Program: http://www.cit.cornell.edu/oit/policy/security.html
- Cornell (nascent) Privacy Program: http://www.cit.cornell.edu/oit/policy/privacy.html
- IT Policy Framework: http://www.cit.cornell.edu/oit/policy/framework-chart.html

17 Data Breach Notification
- Laws in several states
  - California and New York, notably
  - A federal one is on the way; currently several offerings
- Common characteristics
  - Name + SSN, bank routing, credit card or other financial transaction numbers
  - Standard: reasonable belief that data were accessed by an unauthorized individual
  - Encryption is a safe harbor

18 Cornell’s Institutional Response (Reactive)
- Data Incident Response Team (DIRT)
  - VP of IT
  - Directors of Security and Policy
  - Legal Counsel (sometimes two!)
  - Director of Communications
  - Campus Police
  - ***Unit head of affected computers and associated personnel
  - ***Data stewards of the breached data

19 Institutional Policy Response
- Information Security of Institutional Data: http://www.cit.cornell.edu/oit/policy/drafts/RUis.html
- Appendix A
  - Rules for handling data, broken down into three categories of users:
    - Data Stewards
    - Unit Heads
    - Custodians
- Appendix B
  - Minimum Data Security Standards for Three Classes of Data: http://www.cit.cornell.edu/computer/security/prop-baseline.html

20 Data Steward, Unit Head, Custodian
- Data Steward
  - Inventory data under his/her jurisdiction
  - Categorize data
  - Establish rules for disclosing and authorizing access to administrative data
  - Conduct annual risk assessments of security and privacy practices
- Unit Head
  - Assume responsibility for data under his/her control
  - Deploy procedures to comply with the steward's rules for disclosing, categorizing, and authorizing access to administrative data
  - Deploy procedures for meeting minimum standards for data security according to data classification (see Appendix B)
  - Negotiate with stewards in cases of disclosing mixed data sets (i.e., more than one data category or steward)
- Custodian
  - Execute the unit's procedures for disclosing, categorizing, and authorizing access to administrative data
  - Execute the unit's procedures for meeting minimum standards for data security according to data classification (see Appendix B)
  - Report all data breach incidents

21 Data Classification Criteria
- Cost/Benefit Analysis
  - Costs (financial and administrative):
    - Administrative burden
    - Financial cost of new technologies
    - New business practices
  - Benefits (mitigating risk):
    - Legal check list
    - Policy decisions (prioritizing institutional data)
    - Ethical considerations?

22 Legal Check List
Columns: Type of Data | Privacy Statement | Annual Notice | Notification Upon Breach | Private Right of Action | Government Enforcement | Statutory Damages
- Personally Identifiable: no, x, x, x, x
- Education Record: x, no, x
- Medical Record: x, no, x, x, x
- Banking Record: x, x, complicated, o, x, x

23 Yochai Benkler, The Wealth of Networks We are in the midst of a technological, economic and organizational transformation that allows us to renegotiate the terms of freedom, justice and productivity in the information society. How we shall live in this new environment will in some significant measure depend on policy choices that we make over the next decade or so.

24 How Social Production Transforms Markets and Freedom To be able to understand these choices, to be able to make them well, we must recognize that they are part of what is fundamentally a social and political choice -- a choice about how to be free, equal, productive human beings under a new set of technological and economic conditions.

25 The Big “P” Policy Challenge: As economic policy, allowing yesterday’s winners to dictate the terms of tomorrow’s economic competition would be disastrous. As social policy, missing an opportunity to enrich democracy, freedom and justice in our society while maintaining or even enhancing our productivity would be unforgivable.
