1 Today's Road Map
- What is Data?
- Data & Privacy Laws
- University Policies on Data
- Data & Information Risks & Practices: Control and Use of Data; Responsibility for Data; Representations about Data; Hacks & Leaks
- Penn State as a Government Actor: First and Fourth Amendment
- Avoiding Risk & Exposure: Best Practices
- Shifting Administration Attitudes towards Data
Anne Toomey McKenna © 2017
2 What is Data? Data is defined by context & use. Data as Information: The Technical Perspective. Penn State IS a Research Institution.
Questions about the data itself:
- What is your research goal?
- What data do you need?
- What data are you creating?
- What data are you collecting?
- How is the data gathered?
Questions about handling the data:
- How is data stored?
- What access controls are in place?
- What use restrictions are in place?
- Who is working with the data?
- What preconditions are required for data users?
- Do you need a Data Steward?
3 What is Data? The Legal Perspective: Data as the "Law" sees it
- Data as Property: Intellectual Property and Copyright, and Individual Data as a Privacy and Property Right
- Data and Contracts
- Data and Privacy Law
- Data Breach Laws
- Constitutional Considerations (First & Fourth Amendments)
There is not one legal field or practice area for Data Law.
4 What laws regulate Data (Information)? It all depends on the context! What data are we talking about? (Is it data that the law recognizes as protected?)
Data & information law is a constantly evolving subject that encompasses a broad swath of sources of law (constitutional, statutory, regulatory, and common law) and legal practice areas.
5 Consumer Protection Laws; Data Security; EL SUR (Electronic Surveillance) Laws
…this list is NOT exhaustive, but you get the idea.
FTC Consumer Protection Regulations:
- Data privacy and security
- Unfair or deceptive advertising
- Collection of data and recording persons
Federal statutes:
- Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq. (wiretapping; hacking; interceptions)
- Computer Fraud and Abuse Act, 18 U.S.C. § 1030
- Unlawful Access to Stored Communications, 18 U.S.C. § 2701 (SCA)
- Identity Theft, 18 U.S.C. § 1028(a)(7)
- Interstate Communications Act, 18 U.S.C. § 875
- Children's Online Privacy Protection Act (COPPA)
- Video voyeurism laws
Pennsylvania:
- Wiretapping and Electronic Surveillance Control Act, 18 Pa. Cons. Stat. Ann. § 5701, et seq.
- Computer Crime Statute: 18 Pa. Cons. Stat. Ann. § 
- Cyberstalking, 18 Pa. Cons. Stat. Ann. § 
- Cyberharassment, 18 Pa. Cons. Stat. Ann. § 2709(a), 2709(f)
Federal Regulations:
- Medical Records: Health Insurance Portability and Accountability Act (HIPAA)
- Student Records: Family Educational Rights and Privacy Act (FERPA)
- Financial Information: Gramm–Leach–Bliley Act (GLBA)
- Federal Information Security Management Act (FISMA)
Security Breach Notification / Data Breach Laws (federal and state):
- Breach of Personal Information Notification Act, 73 Pa. Cons. Stat. Ann. § 2301, et seq.
- National Conference of State Legislatures:
6 Laws regulating data & liability overlap other areas of law. Think of Data Security Law as an integrative legal system:
- Federal Laws
- Constitution
- Federal & State Privacy Torts
- Negligence & Personal Injury Law
- State Laws
- Data-Specific Regulations (HIPAA, GLB)
- Employment Law (Employer Liability)
- Contract Law
- Copyright
- Property Law
Anne T. McKenna and Claire T. Gartland © 2015
7 How do you navigate the maze of Data Law? PSU provides Resources – USE THEM!
Understand that you and the University may face legal exposure/liability for failure to comply with information and privacy laws, or for failure to act properly in the event of a data breach or misuse of data.
8 In Fall of 2016, Penn State created an Office of Information Security.
PSU Computer & Data Policies (these are being updated!):
- Computer and Network Resources
- Computerized Institutional Data
- Data Stewards
- Information Associates
9 So, how and what data & info are you collecting, using, storing, disseminating?
10 Is it Data/Info that the Law Recognizes as Protected?
Examples of Protected Data (Information): Copyrighted Content, Private Communications, Medical, Financial, and Personally Identifiable Information (PII).
Have you contractually agreed to protect the data? Non-disclosure agreements, contractual representations.
73 Pa. Stat. Ann. § (West) defines PII to include "any of the following":
(1) First name or first initial in combination with last name;
(2) Credit or debit card numbers or other financial account numbers;
(3) A password or personal identification number required to access an identified financial account, other than a password, personal identification number or other identification number transmitted by an authorized user to the issuer of the account or its agent;
(4) Social Security number;
(5) Any of the following information in a form that personally identifies an authorized user: (i) Account balances, (ii) Overdraft history, (iii) Payment history, (iv) A history of Internet websites visited, (v) Home address, (vi) Work address, (vii) A record of a purchase or purchases.
11 Data as Information in the University Setting and the Law
Universities and their researchers, faculty, employees, and students may be subject to (or protected by) a dizzying tier of federal and state statutes that regulate data privacy, as well as constitutional law and common law (property, torts, privacy, and contracts). "Additionally, they can face class action lawsuits and Federal Trade Commission (FTC) action in the wake of a cyber breach." Again, this is context dependent.
Katie Beaudin, College and University Data Breaches: Regulating Higher Education Cybersecurity Under State and Federal Law, 41 J.C. & U.L. 657, 659 (2015)
12 Data as Information: It's Valuable. Hence: Hacks & Leaks.
There are external threats and internal threats.
- Information safeguards: security monitoring, data stewards
- Who can access the data?
- Who is affiliated with the research project?
- Control over personal devices
- Lawful efforts to restrict outside-school speech and activities that might pose legal exposure?
13 Data Risk Realities
- Liability Magnified & Shared
- Reflection on School Image
- Preserved / Permanent
- Weak Controls over Use
- Speed of Transmission
- Accessible by Media & Public
14 Balancing, on the one hand, while on the other…
On the one hand:
- Promoting Academic Growth
- Fostering Educational Goals
- Advancing Research
- Protecting Academic Speech
- Working with Outside Entities
- Evolving Use of Data Information
- Developing Alumni Connections
- Sharing Information for Advances
VERSUS, on the other:
- Ensuring Data/Information Security
- Enforcing IT and Conduct Codes
- Adhering to Professional Standards
- Protecting University Employees
- Complying with Law/Avoiding Crime
- Minimizing University Liability
- Developing Contractual Protections
- Strengthening University IT Systems
15 Staff & Student Researchers working with Data & Information… What are the implications?
16 Real Legal Situations
17 Liability Considerations
- Direct Liability
- Vicarious Liability
- Negligent Hiring, Retention, Supervision
- Liability for Use of Systems
- Notice of Conduct
- Liability for Failure to Report
- Liability for Failure to Protect
- Statutory Damages
- Invasion of Privacy
- Data Breaches from Hacking & Employee Activity
- Online Reputation Management
18 "An ounce of prevention is worth a pound of cure."
19 IT'S ALWAYS RECORDED: Educating Students, Faculty, and Administrators
For security purposes, this [email / text / Tweet / Google search / Facebook post / Snapchat / Instagram post / Vine video / GPS location] is being monitored…
- What you view, send, and post to the Internet…
- Where you are at any given time with a cellphone in "On Mode"…
WHY? In part, because Federal law requires ISPs to record and store this data for a period of time. Activity is almost always traceable at least to the ISP and the IP address.
20 What are Your Data/Information Practices? Use an integrative approach…
- Federal & State Laws
- Education of Faculty, Students & Staff
- Data Handling Policies & Conduct Codes
- Negligence in Data & Info Handling
- University Systems Use Policies
- Social Media Policies & PSU Data
- Employment Law
- Contract Law (NDAs)
- Notice & Consent
- First and Fourth Amendment
Think: CONTEXT of Data & Info.
21 The Campus Workplace: Student/Employee/Employer
- Employee & Student Manuals
- Internet/Computer Use Policy
- Social Media
- Employee & Student Cellphones
- Bring Your Own Device Programs
- Geolocation Tracking
- PSU Data & Information Privacy
- Social Media Use: Using the Tool
22 In shaping data plans & policies… Think…
- Penn State's Computer and Information Policies
- NDAs or Contractual Representations?
- Terms of Use and Privacy Policy?
- Are you collecting Personal Information or PII?
- Have you made representations about the data?
- Internal data security practices in place? If not, get them in place. Contact PSU Resources.
- Have all users signed off on info policies?
Be aware of…
- Student's Online Privacy Information Protection Act (SOPIPA)
- California Online Privacy Protection Act (CalOPPA)
- Intellectual Property and Copyright Issues
- Digital Millennium Copyright Act (DMCA)
- Commercial Misappropriation of Name or Likeness
- HIPAA
- FERPA
- Communications Decency Act (CDA)
- FTC Consumer Protection Regulations: data privacy and security; unfair or deceptive advertising
23 Other considerations: Evidence, Anonymity and Online Activities
- Work ASAP with PSU's Office of Information Security, IT, and Office of General Counsel to get Internet Protocol addresses, login info, and other university electronic systems evidence.
- IMMEDIATELY NOTIFY General Counsel, Office of Information Security, and IT when a breach of any kind occurs.
- Duty to preserve online evidence: Facebook, Twitter, LinkedIn, YouTube, Instagram, websites, etc.
- IP Address lookup
- Domain Name lookup
- Litigation Holds
24 There's a New Game in Town: Changes in Data Attitudes, Data & Speech Rights, and Data Privacy
25 In Sum: What Should University Faculty Do?
- Understand the contracts surrounding the data you're using
- Be aware of pertinent state and federal laws
- Collaborate with your existing resources
- Reduce risks
- Have appropriate codes of conduct & policies in place
- Educate students, faculty, & staff
- Take immediate steps when breaches, hacks or leaks are identified or suspected
26 Use Your Resources
- PSU Office of Information Security
- PSU University Legal Counsel
- Office of the Vice President for Information Technology (IT)
Data & Information: A Powerful Tool at PSU to Integrate & Collaborate
27 PSU Primary Resources:
- Office of Information Security
- Office of the Vice President for Information Technology (OVPIT)
- Office of General Counsel
- Institute for CyberScience