IT Security and Legal Liability for Colleges
Thursday, October 26, at 12 noon, U.S. Eastern time
Not a week goes by, it seems, without a reported security breach on some college's computer network. The problem is growing, and so are the potential legal liabilities awaiting colleges that don't take appropriate steps to avoid such troubles -- or that flounder in trying to address them. Tracy Mitrano of Cornell University will answer your questions about threats to IT security and about colleges' legal liability as they protect their systems from hackers and other data breaches.
The Guest: Tracy Mitrano, director of IT policy and of the program in computer policy and law for the Office of Information Technologies at Cornell University, is an expert on legal and security issues in technology and higher education. She was also co-chair of the Internet2/Educause Security Task Force, Law, and Policy Team from 2004 to 2006.
A transcript of the chat follows.
Dan Carnevale (Moderator):
Do you have any questions about computer security? Have any horror stories to share?
I'd like to thank Tracy Mitrano for joining us today to lend her expertise on this topic. Let's get the chat started.
Question from Dan Carnevale: We hear story after story about IT security breaches at college campuses. Are colleges doing a better or worse job than other entities at securing data? Is anyone doing a particularly good job?
Tracy Mitrano: According to the ECAR study, Dan, a recent survey on this issue found that 39% of known breaches involving legally protected data occurred within higher education.
While it is true that higher education has more of a challenge to balance technical security, protection of its data, preservation of appropriate degrees and kinds of privacy relevant to its business purposes and missions and maintain openness for free speech, academic inquiry in the pursuit of knowledge and innovation, it is also true that we have the will and are finding the governance, technical and business methods and ways to do so in keeping with our distinct identity in American -- and global -- society. Sometimes I think higher education makes headlines because we are open and because we respond in ways that for-profit corporations may not have either the requirement or will to do so.
Rather than naming names let me simply echo the ECAR report: Any institution that endeavors to create a sound enterprise security program that includes governance (executive support -- spiritual as well as financial! -- a dedicated security officer and team with authority to act throughout the institution and binding policy); operations/tools (IDS systems, back up, disaster recovery and business continuity planning, virus and firewall software, monitoring, audits, encryption and other tools such as "spider" and "Helix"); training (computer science, engineering, information science degrees together with CISSP and CIPP [privacy] for IT professionals); educational programs (the sky is the limit here from the moment a constituent gains access to the network system and throughout their life-cycle -- and make it interesting and fun to start with!) and finally enforcement circling back up to governance, policy and audit, will have the stuff of what it takes to address this challenge.
A tangential note: Moreover, I believe that while the last five years were about "security," the next five will be about policy...which brings technology into focus with principle, purpose and missions.
Question from James Estrada, Fairfield University, CT: Just to support the statement that the "problem is growing, and so are the potential legal liabilities," there has been a dramatic increase in our ISP warnings. In 2005-06 we received 4 warnings from one of our ISPs related to illegal downloading. In the past two months of this academic year we've received over 25 warnings! I don't think student behavior has changed dramatically in one year but the monitoring appears to have increased.
Is our ISP merely responding to the threats of the RIAA?
Tracy Mitrano: Hi James,
You have raised a very important question, but please note it is about copyright infringement, indeed a serious legal concern, but not a security one for higher education. (It is true that some p2p programs can introduce spyware and viruses.)
Has student behavior changed? I don't think there are enough good studies on this point for us to know for certain if it has and/or the reasons why it has or hasn't changed, except the PEW one a few years ago that showed that file sharing of illegal material drops off around age 23 when traditional-student-age people are living off campus and have personal resources to procure legal copies.
Please note, however, that the legal liability falls to the individual engaged in the copyright infringement, not to the ISP. If it is a student-owned computer, the institutional ISP acts as a conduit: it has no liability under section 512 of the DMCA, and no requirement to do anything about the notice. Many institutions, believing that they have an obligation to educate students as a part of their missions, do act on them; Cornell does, for that reason, not because it feels "threatened" by content owners.
We also have an "educational" disciplinary consequence for first offenders and progressive discipline thereafter. I should note that students first coming on the network when they authenticate must review materials and take a tutorial that covers this issue, plus they receive an annual letter from the DMCA Agent for the University and we have programming throughout the year on matters of copyright to discuss it as a national policy issue as well as a component of our code of conduct.
In short, I am in favor of broadening the discussion about the impact of copyright law on higher education, both on our missions to do innovative research, to teach effectively in a new global world of technologies, as well as to teach citizenship to students in American society and beyond.
Question from Goldie Blumenstyk, Chronicle of Higher Education reporter: When colleges work with outside vendors for services like credit-card processing of online donations, what sorts of questions should they be asking of those vendors to try to ensure that the company has adequate security controls of its own?
Given the state of affairs these days, would colleges be more vulnerable to lawsuits if there was a security breach and they hadn't asked those questions?
Tracy Mitrano: Many vendors are asking us the questions, Goldie!
According to the ECAR study, which I recommend to every participant in this program and with kudos to Richard Katz and EDUCAUSE for highlighting privacy and security issues, Visa and MasterCard have joined forces to create a Payment Card Industry (PCI) data security standard, which requires all merchants offering payment with their credit cards to comply.
So not only should we (higher education institutions) expect as a matter of contract to have our vendors comply with our policies regarding security and privacy but we should be on the look-out to comply with their standards, especially when working with partners such as financial institutions.
Indeed, as your question suggests, the contract could impute liability in the breach in addition to the potential for tort concerns such as negligence.
Question from Joe, Rice University: We are concerned about security on laptops and other mobile devices which contain private data. Do you have any recommendations to help keep this secure?
Tracy Mitrano: Hi Joe,
My dad used to have a restaurant and the quote was "location, location, location."
On this issue a means to address your question begins with "policy, policy, policy."
Make sure everyone knows the rules for security of ANY device used for transaction of institutional business and the FACT that the institution owns that data, so it is at the user's risk to put such data on mobile devices.
It is worth mentioning here another concern: personal devices. Users should know firmly that if they choose to meld or combine institutional data on personally owned devices, especially in the event of a breach or other kind of security or privacy event, they may have that device confiscated or their personal information exposed. It might not be fair or right, it will depend on what the institution's policy is regarding this matter, but they should know the risk exists (especially given changes in the new Federal Rules of Civil Procedure).
Question from Vic Goldberg, U. of Colorado: At any large university, there are many organizations that are responsible for protecting data security, from individual departments and offices to the central IT organization. How does one address the weakest link problem -- especially in these days of budget crisis?
Tracy Mitrano: So right you are, Vic, that the weakest link is the first place to look in any security assessment.
A sound security program should be built around this kind of vision. If the weakest link is, say, a student computer, then a combination of limiting access to institutional data or programs or close monitoring of residential networks might help, along with policies that make sure everyone knows that it is their responsibility to manage the security of devices they either own or are responsible for on the network.
Curiously, our security team here at Cornell has noted that these approaches -- and a Quarantine Program in particular -- have made our residential networks among the most secure sub-nets on our network!
So then one moves on to the next set of links -- but always with a sound enterprise security program and robust policy. On this point allow me to say: Policy is an IT Professional's friend -- because with it you no longer need to cry alone in the wilderness, but can say to supervisors, deans, etc.: "We have to do it -- it is institutional policy!"
Question from Joseph Anniello, NYS Higher Education Services Corporation: Do colleges typically have two Internet systems: a public one for students, and a secured one for staff use? If so, I imagine that the public sites are responsible for most of the information breaches, correct?
Tracy Mitrano: As a rule, no, Joe, there are not two Internet systems if you mean two separate links of our pipes to the Internet commodity providers.
A few years ago I used to hear more about that kind of idea, but less so now. I think because enterprise security programs have taken a categorical approach to the problem. For example, Cornell security policy 5.4.1 divides users into five categories. The most basic is "user," which is what a student with their own machine would fall under, but because they do not, like a university employee, have a local support (or desktop) provider, they have to assume the obligations for management of their devices under both categories. Those obligations include network registration, anti-virus/firewall protection, following all policy, etc.
FCC modifications to the Communications Assistance for Law Enforcement Act, upheld recently by the D.C. Court of Appeals, make this question of two networks even more complicated a calculus for colleges and universities, because one of the tests that would take a higher education ISP out of the "private" category, to which CALEA either does not apply or applies only at the "edge" router, is whether it offers Internet service to the public.
Some schools, such as Bowdoin, that had considered offering wireless coverage to their municipal area tabled that project as a result of that ruling.
Public sites are almost never the place for information breaches, by the way, because by definition if they are public the material is not protected. That would only be the case if someone wrongly placed protected information on a site that was available openly.
Question from Anne, private doctoral college: How are institutions balancing the need for security with the fact that for many colleges, this is a student's home? Can we/how do we set policies for students' use that is more "residential" in nature?
Tracy Mitrano: Anne, I think this is an excellent and important question.
Higher education generally addresses it by balancing the obligations that we place upon all users, including students, to manage the security of any device they connect to the network with the appropriate degree and kind of privacy that we provide recognizing that residential students *live* on our campuses, and on our networks.
So "in exchange," if you will, for the obligations we make of them: secure the device and don't do anything illegal (i.e. copyright infringement or fraud and abuse of a computer) we, at least at Cornell, have solid procedures in place to respect their privacy. For example, if IT receives a request for a student record of any sort -- e-mail let's say -- we refer that question to the steward of that record: the Vice President for Student and Academic Services. The institution has placed its trust in her (Susan Murphy) judgment to do the right thing. Thus, if she believes it is important to consult counsel, she will, or policy, or health services, whatever is appropriate to the situation and person.
Perhaps another way to say it is that we do not willy-nilly provide access to student information, and certainly not to educational records, which are protected by law. We take the appropriate degree and kind of privacy owing to a student who lives on our campuses very seriously.
Question from Mark, Westchester Community College: We use an outside organization to track down alumni for our communication/donation activities. Of necessity we provide them with student/alumni SSNs. What security measures would you recommend to address the fact that once the file with SSNs leaves us, data security is beyond our control?
Tracy Mitrano: Gosh, Mark, I would begin by asking what the business need is to include the SSN in that information. You can imagine where I am going here: If you absolutely do not need it for an essential business purpose, I would delete that information absolutely.
If you do, I suppose you could try a contract that heaps all the responsibility for a breach onto the outside organization, but I would not count on that provision in a crunch. First, a potential plaintiff could still sue as a tort matter, negligence for example, and second, privacy notification laws might not let the institution so easily off the proverbial hook. Finally, and most important, is the loss of reputation that the institution suffers and the adverse relationship with the affected individuals -- the very people you are trying to please the most! And as you know, trust cannot be bought and sold.
Question from Anne, private doctoral college: What about security & liability issues for mobile devices we don't own? So many of our faculty and staff use smart phones and the "thumb" drives. What about those?
Tracy Mitrano: Please see previous answer on that point, and I would include thumb drives in the array of mobile devices that create the specter of challenges.
Main points: user assumes responsibility; institution owns the data -- and is responsible for it as a matter of law; have good policy on this point and make sure every employee reads, understands and signs on the dotted line about it.
Question from Brad Miller, U. of North Dakota: We are beginning a risk management effort here at UND, and during this effort we will be identifying "gaps" in security on various systems. Executives/managers will then make risk decisions to remediate or assume risks. A question has come up -- Would knowing about a vulnerability and assuming the risk (not fixing it) introduce a greater liability to the University than not knowing about it and not doing anything?
Tracy Mitrano: It might, Brad, but what your question raises is the larger question of the standard of care expected by entities that hold protected information. As a tort matter, there is insufficient case law to answer the question.
The standards could ultimately be anything from strict liability -- it doesn't matter, you still pay -- to should have known, to knowledge, to "local standards."
Until we have more case law I would go with the highest standards as a matter of practice and then, in the event of a real case, defend on the facts. For example, if it is a really obvious gap -- no updates, no virus/firewall on the system -- I would suggest settling the case! If it is a more complicated matter that would challenge almost any institution, for-profit or not-for-profit, some new vulnerability we don't even know yet (but criminals do!), then perhaps one could argue that it is impossible to protect with existing standards.
At some point it becomes an "arms race" and a challenge to "keep up with the Joneses" in terms of enterprise security programs, i.e. governance, operations, tools, training, education and internal enforcement.
Question from David Meske, Loyola Marymount University: The issue of legal liability seems to be the primary motivator for higher education institutions to make information security a priority (motivation by fear and money). Other than the costs associated with the disclosure of security breaches mandated by various state laws and the purchase of credit reports for security breach victims, do we have an idea of what a security breach costs an institution? Have there been any successful civil lawsuits that have put a price tag on a security breach?
Tracy Mitrano: I wouldn't say that there is one single price tag on a security breach, David, but given notification laws and the prospect of legal action, whether involving statutory damages or contract or tort actions, the specter of overwhelming costs certainly is a motivation for serious reflection and action on the part of us all.
Having said that I want to add quickly that the main reason why everyone from a president right down to a user would and should take these issues seriously is because we believe it is the right thing to do to provide the security and privacy of our information technology systems and want to be good stewards and custodians of the data at rest and in transit on our systems if for no other particular reason concerning the law, or data or system than that we love higher education and our missions and want our institutions to be the jewel in the crown of American society and good global citizens to our world partners!
Question from Marilyn Lockhart, Montana State University: I am a faculty member and am wondering what would be the implications for me, personally, if there was a security breach at my institution.
Tracy Mitrano: I knew it would come to this statement, Marilyn: it depends!
It depends on whether you willfully did something to cause the breach, say purposefully gather and sell personally identifiable information to a gang of identity thieves. Here not only would there be internal disciplinary action (termination, I would imagine) but potential liability for conspiracy for identity theft and then civil liability from the defrauded persons.
Next scenario: you willfully fail to secure protected data, even after your dean and department chair and Information Security Officer for your institution have personally all told you to do so: internal discipline, plus potential personal liability because you were not acting in the scope of your responsibilities.
Scenario three: you pretty much follow institutional policy for information security but something happens anyway: your institution would probably indemnify you in that case as a demonstration of good faith.
Notably, for FERPA there is no personal right of action; for HIPAA, regulations have let even willful malefactor employees off the hook (giving full responsibility to the institution); and I don't believe there is a personal statutory right of action under GLBA.
But watch out for those torts! And of course, HR!
Question from Norma, large university: Please address the institution's responsibility for overseeing blogs, especially if suicide or other mentions of that sort are made in a (student's) blog.
Tracy Mitrano: Now here is a complicated question; allow me a brief answer.
Based on the famous Berkeley case of many years ago, if the institution has reasonable belief that someone is going to act criminally (in this case it was a homicide) then they have a duty to warn. This case involved a health provider in the student clinic who had a client who expressed homicidal desires, and then did in fact kill the person about whom he was speaking.
So now let's take the blog. First, is the institution monitoring the blog consistently (and if so, why????) and have they made it a policy to do so? Some institutions do so as a matter of their mission, say a military institute or religious school. As a result, they may be acquiring a responsibility to act, depending of course on any number of specific factors in the case -- did they assume a duty of care would be the first question. Was the statement clear or oblique, i.e. would a reasonable person have interpreted it to be a suicide prediction, etc. Many issues are very fact specific, so it is hard to answer.
But the overall message is: if the institution does monitor its network/postings for content, it should know clearly why it does and what liability it might be acquiring as a result.
On a tangential note I am waiting for the case against a university from an individual who did not gain admission only as a result of their Facebook posting. The claim: the school had no sense of humor!
Question from Linda Hilton, Vermont State Colleges: Are there model programs for user education? It seems that while IT has a great, and grave, responsibility to protect the confidentiality, integrity, and availability of data, we cannot do it alone.
Tracy Mitrano: I agree, and what a great question to end this program on!
Here, Linda, I strongly recommend becoming involved in EDUCAUSE, which sponsored the report that prompted today's program, has an EXCELLENT security program and staff and list service devoted to security issues, a task force that they share with Internet2 and even an annual Security Professionals Conference, lots of materials on their website -- and never hesitate to call them or any IT security professionals around the country. Personally I have found every single person helpful, insightful and on the same main page as your question: we want and need to work these challenges out together!
Thank you everyone who asked questions and the staff at the Chronicle!
Best, Tracy Mitrano
Dan Carnevale (Moderator):
That's all the time we have for today's chat. Sorry we could not get to everyone's question.
Thanks again to Tracy Mitrano for providing such great information. And be sure to join us again next week for another installment of the Brown Bag. Same chat time. Same chat channel.