It is getting scary out there! What a spooky coincidence that October is National Cyber Security Awareness Month! It is 2018: is your institution or organization’s data protected? How do you know the goblins, ghouls, and trolls are not already infesting your perimeter?
WCET began following the issue of data protection and privacy (DPP) in earnest over the past year by providing resources and monthly tips on our Data Protection and Privacy Issue Page. We recognize that this growing and complex issue is something that should be understood by non-technical staff, faculty, and students, as well as IT staff. Data Protection is not just an IT issue! Everyone has a data protection role, from digital citizen to cyber superhero (cape not included). It is important to remember that data protection and network security are the responsibility of all members of the institution or organization community.
Higher education has many assets to protect, including personal data of students and staff, research and institution information, and the maintenance of network-dependent infrastructure. The Department of Education (Department) recently warned universities that they must improve their identity management to protect students receiving financial aid from compromising their personal information during phishing attacks. While protecting students is critical, we must also protect faculty and staff, as shown by the recent Department of Justice indictment.
As we have discussed in a previous Frontiers Blog post, data protection is also a compliance issue. Institutions and organizations that process the personal information of a person residing in a European country that is part of the European Union must observe data protection protocols to meet the General Data Protection Regulation (GDPR). Failure of an institution to create data protection safeguards, as required by the Gramm-Leach-Bliley Act (GLBA, 2002) 16 CFR 314.4 (b), could result in fines and affect participation in Title IV HEA programs.
Today we welcome Tiina Rodrigue, Cybersecurity Subject Matter Expert, and Baron Rodriguez, Data Privacy Expert and Owner/CEO, Noble Privacy Solutions LLC, to share insights and direction for institutions and organizations with regard to protection, privacy, and compliance.
– Cheryl Dowd, WCET
Tools That Don’t Say “BOO!”
While the Department has put together multiple tools to help improve compliance from a data-protection perspective, members need to realize that compliance is the least of the institution’s worries. The Department has agreed to audit the language to review IHE GLBA (Gramm-Leach-Bliley Act) compliance starting in 2019, per the FY2018 submittal to the U.S. Government Accountability Office (GAO). To date, while the Department may have suspended individual or organizational access to the U.S. Federal Student Aid (FSA) systems, the Department has not taken any punitive actions nor eliminated Title IV participation in response to a data breach or security compromise, yet.
Compliance should be considered a bare minimum, but how well would a compliant approach protect you? Unfortunately, when reading the GLBA statutes, the needed level of specificity is almost entirely lacking from the legislation. Further, what danger lurks within your walls? Brigadier General Gregory Touhill, appointed by President Obama to be the first Federal Chief Information Security Officer of the United States, recently stated that 95% of issues arise from the unspeakable acts of negligent leaders or staff. From a data-protection reality, a GLBA audit may be too flimsy to provide true direction for improvement if the threat is the one facing you in the mirror. It is also frightening to picture fighting off bad guys (or scary monsters) with a wet noodle. Luckily, there is at least one Department-recommended way to achieve stronger data protection.
Don’t Be Scared of These Data Protection Standards
In Dear Colleague Letter 16-12, the Department suggested a higher data-protection standard that includes clear controls for non-federal systems: 800-171. The National Institute of Standards and Technology (NIST) publication, 800-171, is a smaller list of technical controls that are appropriate to protect unclassified information, rather than the terrifying list included in NIST publication 800-53. Even better, NIST recently published a guide to assess the requirements to protect data to the 800-171 standard: 800-171a. This guide includes supplemental templates for a system security plan and a plan of actions and milestones, to assist you and your team in jumpstarting the heart of your data protection documentation, in case your existing library is ghastly. The 800-171a can be used to self-assess, or to inform a 3rd-party assessment, perhaps for submittal to the Department or an auditor.
Missing from this approach, however, are the external dependency aspects required by GLBA that may be included in future audit language; for example, how are you managing your data protection at 3rd-party servicer or contractor-supplied sites? How are you inspecting or examining those controls? How often do you check? Additionally, 800-171 and 800-171a both take a very system-level approach, whereas the GLBA requirements focus on consumer data protection. Please be warned that you could perhaps focus too much on the oyster shell and not enough on the data pearl within. Fear not, as 800-171a can be customized by a savvy cyberteam, or by your out-sourced team, if your cyberteam is still forming.
Privacy Laws – Ideas for Treats, Not Tricks
With a plethora of new privacy laws potentially in the queue to follow up the California Consumer Privacy Act and GDPR, the postsecondary community needs to solidify three primary areas (which will likely take time, so don’t wait until the last minute):
- Employee awareness/training – During very recent engagements with the postsecondary community, it is evident that staff are still the biggest area of risk for potential privacy incidents. Employees should be aware of the laws to ensure that student and staff record data are transferred in a secure manner.
- Vendor & 3rd Party Clauses – The second greatest risk to your organization is that of your third parties and how they handle your data. From IT and HR infrastructure functions, to software vendors, to researchers utilizing your data, it is imperative that you have strong data protection and data breach clauses, and potentially financial penalty clauses (that you can pass on to the vendor, since many of these new laws can impose fines on your organization), for failure to adequately protect your data.
- Transparency – Most of the new laws have a focus on transparent use of personal information. This likely means your privacy notices are in desperate need of updating. Unfortunately, this will require a bit of effort, as your institution will need to inventory all of your various uses of data, including your administrative, research, and alumni association use. Your organization will need to clearly articulate:
  - who has access to data,
  - data use purposes,
  - the avenue for students and staff to “opt-in” to sharing of data outside of those uses that are strictly required to provide services to individuals.
National Privacy Landscape
On the national privacy landscape, Congress just recently held a hearing as it considers national legislation to address consumer privacy. Privacy experts leading the charge with GDPR and the California Consumer Privacy Act, as well as privacy advocates from the Center for Democracy and Privacy and the Georgetown Law Center on Privacy & Technology, essentially agreed that the current U.S. laws need an emphasis on transparency and consumer protections. This comes on the heels of some of the largest custodians of U.S. consumers’ data (Google, Amazon, Apple and others) advocating the need for a national consumer privacy law to get ahead of divergent state-based laws on consumer privacy.
Don’t Be Afraid!
We do not want institutions and organizations to be afraid. Our goal is to share the need for the development of best practices for data management and to safeguard your institution or organization from exposure to a data breach. Understanding that EVERYONE at an institution or organization must take personal ownership is key to a strong data protection plan! The resources shared here will provide initial talking points for you to use for discussion.
Look for WCET to share more information in the form of webcasts and resources on the WCET Data Protection and Privacy Issue page.
Happy Halloween, everyone!
Cheryl Dowd, Cyber Fellow, WICHE
Director, WCET State Authorization Network (SAN)
Tiina Rodrigue, Cybersecurity Subject Matter Expert
Baron Rodriguez, Data Privacy Expert
Owner/CEO, Noble Privacy Solutions, LLC