Security Professionals Workshop: Legal Issues in Computer and Network Security Peter C. Cassat
Posted on 16-Dec-2015

Page 1: Security Professionals Workshop: Legal Issues in Computer and Network Security Peter C. Cassat

Security Professionals Workshop:

Legal Issues in Computer and Network Security

Peter C. Cassat

Page 2

Introduction and Agenda

Purpose: Provide an overview of the legal issues confronting institutions of higher education in the area of IT security.

From a legal perspective, IT security is intertwined with privacy law. Network security compromise resulting in breach of obligation to maintain privacy can give rise to liability.

Discuss some of the challenges unique to educational institutions and what practical steps can be taken.

Page 3

Current Environment

Colleges and universities increasingly operate in electronic environments that are themselves increasingly complex.

Increased use of networked systems has resulted in a proliferation of electronic records, data, devices and communications.

This is true for traditional classroom instruction, as well as for new delivery methods and media (e.g., distance learning, streaming media, content repositories).

Page 4

Current Legal Landscape

No comprehensive federal privacy or security laws. Instead, there is a patchwork of federal and state laws that affect or potentially affect institutions.

Federal privacy laws to date largely aimed at curbing certain, perceived specific abuses or potential abuses of privacy rights. The extent to which these laws apply specifically to electronic environments and educational institutions varies.

Page 5

Federal Privacy/Security Laws

Most significant federal privacy law for educational institutions remains FERPA, which generally requires institutions to refrain from disclosing student educational records.

FERPA could be interpreted to impose liability even where the disclosure of information is the result of unauthorized network access.

Increased proliferation of electronic records with no clear delineation between non-covered communications and protected educational records raises additional issues.

Page 6

Other Federal Privacy/Security Laws

Other relevant federal laws include:

HIPAA (restricts disclosure of personal health information)

ECPA (applies to disclosure of electronic records or communications)

USA Patriot Act (grants law enforcement increased access to electronic communications)

Page 7

New Federal TEACH Act

Recently enacted federal legislation relaxes copyright restrictions but carries with it obligations that have privacy and security implications. Requirements:

Limit transmissions to enrolled students to the extent technologically feasible.

Must institute technological means to prevent unauthorized retransmission.

Page 8

Gramm Leach Bliley (GLBA)

GLBA applies to financial institutions, which include educational institutions.

Educational institutions not subject to GLBA privacy rules if they comply with FERPA.

No comparable safe harbor for GLBA security rules, which go into effect on May 23, 2003.

Page 9

GLBA Security Rule Requirements

Develop, implement and maintain a comprehensive, written information security program.

Designate employee(s) to coordinate program.

Identify reasonably foreseeable internal and external risks and assess those risks.

Design and implement safeguards to control those risks.

Oversee service providers (including by contract).

Page 10

Other Federal Laws and Regulations

Other significant federal laws and regulations in the privacy area (but they apply only tangentially to non-profit educational institutions):

COPPA (children)

FTC’s Section 5 Jurisdiction (enunciates core privacy principles)

Page 11

State Law -- the Sleeping Giant

State common law and statutes protecting right of privacy should not be overlooked.

Many states also have adopted laws specifically criminalizing electronic eavesdropping or computer theft.

Moreover, absence of comprehensive federal standards is leading to proliferation of state online privacy laws, e.g., MN and CA (an example of “be careful what you ask for”).

Page 12

State Law (continued . . .)

Numerous states considering or adopting “little DMCAs.”

Possible, or even likely, potential for negligence suits based on unauthorized disclosures of confidential information.

FERPA, GLBA Security Rule or even the President’s outline for a national cyber-security strategy could be pointed to as standards in a state law suit alleging negligence in failing to protect personal information.

Page 13

Additional Observations

Absence of uniform standards relating to optimal or mandatory levels of security.

No uniform standards relating to acceptable means of authentication or binding e-contracts for use where consent to disclosure is required.

Page 14

Observations (continued)

The technological and legal landscapes together provide increased complexity, decreased certainty and therefore increased risk.

Problems are complicated by inherent friction between the need to ensure security and prevent unauthorized access, on the one hand, and the desire to protect privacy on the other.

These challenges are exacerbated in the educational environment where decision making often reflects traditional educational values of openness, informal policy making, and decentralized control.

Page 15

Where We Go From Here

Current path suggests increased costs associated with compliance, legal exposure, and policy making.

Unilateral policy making process is a double-edged sword (greatest exposure may result from failure to follow adopted policies).

At the same time, challenges may present opportunities.

Page 16

Practical Suggestions

Review and analyze applicable state laws as well as federal legal obligations.

Assess information security vulnerabilities.

Review IT security and privacy policies.

Review personnel/user policies and procedures focusing on security.

Promptly implement safeguards when vulnerabilities are identified and minimize creation and retention of harmful records.

Page 17

Practical Suggestions (cont.)

Scrutinize relationships with third party vendors.

Consider insuring against cyber security risks.

Develop rapid response team and disaster recovery plan in advance of a security compromise.

Encourage associations to continue their proactive role – so as to effectuate sensible federal and state policies.

Page 18

Questions?

Peter C. Cassat

1200 New Hampshire Avenue Washington, D.C. 20036

Telephone: 202-776-2724 Fax [email protected]