Main Nav

EDUCAUSE Western Regional Conference 2006. Summary: Protecting Privacy: Challenges for Higher Education

Summary – Protecting Privacy:  Challenges for Higher Education
Closing general session at the EDUCAUSE 2006 Western Regional Conference
Joanne McNabb, Chief, California Office of Privacy Protection
Joanne McNabb covered four areas in her presentation: 
The California Office of Privacy Protection (COPP)
Defining Privacy
Privacy Laws
Privacy Practices
The California Office of Privacy Protection
Created in 2000, COPP was the first state office for privacy protection and its mission is to protect the privacy of individuals’ personal information.  Its services revolve around consumer assistance, education and information, coordination with law enforcement, and best practice recommendations.   About two thirds of requests are in reference to ID Theft. 
Defining Privacy
The idea of privacy as a legal concern was first developed by Brandeis and Warren in "the Right to Privacy," which was published in the Harvard Law Review in 1890.  Their concept was “the right to be let alone.”  More recently, the concept of the right to control ones’ personal information is the focus of most legislation.  This began with Alan Westin, founder of Privacy and American Business (1967).   One of the leading authorities on privacy and data security, Westin served on the committee that created the first Privacy Act (1974)
Privacy and Security
Information security protects information from unauthorized uses, disclosure, modification, and destruction.
It is related to information privacy which empowers people to have as much control as possible over their own personal information.
McNabb noted that there is no privacy without security.
Privacy Values and Issues
The right to control one’s personal information is essential to protect other values such as confidentiality, anonymity, seclusion, fairness, and liberty.  Most privacy issues affect higher education.
Security and Privacy are intertwined.  McNabb quoted Benjamin Franklin “they that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety” (1759)
Public records/privacy includes the loss of practical obscurity from the courthouse to the World Wide Web. Open government asks if we can keep an eye on our government without spying on individual citizens and asks how to limit access to sensitive data for certain purposes becomes important.  Data brokers are digitizing public records and then selling the enriched data to government and businesses.
Ubiquitous surveillance is made possible by digital trails that include financial transactions, digitized public records, security cameras, building cardkeys, Web searches, electronic health records, and more.
Persistence of data provides yet another path to obtaining personal data.
  • Internet archive – data isn’t going away.  Delete it from your computer it is still there.
  • Online communities – my – do they keep the information “forever.” 
  • A society of digital dossiers means a loss of “social forgiveness” and the ability to “start over.”
Identity and authentication asks how do we know who anyone is.  Many people believe we are not adequately authenticated. 
The last item McNabb mentioned was identity theft.  Causal factors in identity theft include electronic databases that have information which is more available and easier to use, instant credit options, the growing number of remote transactions, and an over reliance on inadequate identification systems.  She noted that obtaining someone’s personal information and using it for an unlawful purpose is now covered under penal code 530.5.
There are different types of identity theft.  These include
  • financial theft where existing or new accounts are compromised.  A credit card is safer than a debit card where money can more easily and speedily be used.  If someone opens new accounts in your name, you discover it much later and it’s much more difficult to deal with.
  • stolen government benefits including someone working under your social security number/name
  • criminal
There are at least 9 million ID thefts each year in the US which is 4% of all adults.   One million of these are in California.  How do they get our information?  McNabb quoted the following statistics:
  • 54% don’t know how the information was taken.
  • 27% in home, online, lost/stolen.  These are cases where the individual is in control of the data.
  • 16% business transactions, company insiders, etc.  These are cases where an organization is in control of the data.
The average loss is $422 out of pocket and the average recovery time is 40 hours.
The total cost of identity theft in US in 2005 was 56.6 Billion dollars.
Approaches to Data Protection
The US takes a sector approach via laws that protect financial, health, or other data records.
EU, Canada, and others have a more blanket approach where privacy is treated as a basic human right.
FERPA, GLBA, and HIPAA are the federal laws that affect higher education. State laws vary but generally include
  • IPA (Information Practices Acts) & other state government privacy laws (public institutions)
  • Online privacy (CA)
  • Information security
  • SSN confidentiality
  • Breach notice
McNabb noted that California is the leader in protecting personal information with a broader perspective of privacy issues.
A few items are:
  • A ban on the public posting of social security numbers, you can print only four digits of the SSN or use employee ID number that is totally separate.
  • Commercial websites that collect personal information must post a privacy policy statement.
  • Security breach notice law says you must notify people “fast”
COPP has been watching the breach notices from individuals, companies, and the media. Their sample includes 101 breaches since July 2003. Over 53 million have been notified of a breach in this time frame.
These break into the following 6 areas:
  • Financial 24%
  • Government 11%
  • Medical 13%
  • University 25%
  • Retail 5%
  • Other 22%
The high percentage of university breaches may because of three reasons:
  • Culture of free flow of information
  • Distributed IT environment
  • More responsible about reporting breaches than other types of organizations.
How the breaches occurred:
  • Lost or stolen device 51%
  • Hack 28%
  • Web site 6% - “didn’t know that was public?”
  • Mail 4% (might not be paper – but paper breaches are smaller)
  • Other 11%
Most of the time the SSN was involved 86%
Financial accounts 33%
Lessons learned will help us prevent future breaches.
  • Data collection policies need to be examined. McNabb gave an example where blood banks were using laptops and SSNs.  They also had a donor number but the patient numbers were SSN when they came from hospital records 
  • Review data retention policies. Files on people who had applied for, but not received admission, accounted for the bulk in one breach.  The files included SSNs.  They had been saved too long.
  • Mobile workforce – protect desktops, laptops, thumbdrives, etc.  Encrypt.
  • Prohibit downloads of sensitive information to PCs and laptops 
  • Use encryption – there is a CA state wide policy
COPP gives best practice recommendations.  Note these are not regulations nor legal opinions.
They cover SSN confidentiality, security breach notice, information sharing disclosure and privacy policy statements.  They can be found at
McNabb stressed building in privacy to all systems and devices as appropriate.
  • Design systems and database to limit and protect personal information.
  • Know where your personal information is and know your risk.
  • Conduct personal information inventory including portable computing and storage devices and paper records (outside the computer room to where the users are)
  • Provide statements of what you do with personal information if you are collecting it.  Post clear notices of privacy practices in offices or online – wherever collecting personal data occurs.
  • Do what you say you will do in managing personal information.  Monitor compliance with laws and policies including content monitoring of web sites and email.
  • Limit access to personal information. Use appropriate security measures to prevent unauthorized access.
  • Develop a culture of respect for privacy.  Provide employees all users with ongoing education and training in requirements and practices
Credit cards are safer than debit cards or checks, said McNabb, because your money can disappear while you are trying to sort it out even if you note the loss quickly.
She also asked who protects the students from themselves.   Is the campus liable if the student is scammed because of information on Facebook, information sent in email, or when an unprotected computer was used?  Universities must be aggressive in awareness education. 
McNabb recommended the good policies and practices of
  • Virginia Tech
  • University of Pennsylvania
  • University of Vermont
  • Cal Poly
  • CSU San Bernardino

Tags from the EDUCAUSE Library

Tags from the Community