future of privacy forum
play

Future of Privacy Forum Higher Education Working Group GLBA - PowerPoint PPT Presentation

Nov 07, 2023 •284 likes •739 views

Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel September 29, 2017 Agenda Introductions Department of Education Publications on Protecting Student Information GLBA Privacy and

  1. Future of Privacy Forum Higher Education Working Group GLBA Safeguards Rule Dean Forbes Counsel September 29, 2017

  2. Agenda • Introductions • Department of Education Publications on Protecting Student Information • GLBA Privacy and Safeguards Rules • FTC Orders and NIST • Questions and Discussion 2

  3. Presenter Dean C. Forbes Counsel Washington, D.C. 1.202.736.8165 dforbes@sidley.com Education: University of Virginia School of Law (J.D., 1991); Brown University (A.B., 1987) Practice Groups: Privacy & Cybersecurity, and Healthcare DEAN is an accomplished global privacy, cybersecurity, and compliance legal adviser. He has advised and represented clients in a variety of industries, including health care, financial services, high tech, energy, and education, on matters related to privacy strategy, security, data governance and use, and consumer protection. Dean is widely known for his work on cases of first impression — including landmark FTC privacy and information security matters, Geocities (1998) and Eli Lilly (2002) — and for designing, developing and executing global privacy programs that manage privacy risks and protect companies and their stakeholders.  Former Lead, Commercial Privacy Practice, Booz Allen Hamilton  Former Global Privacy Officer, Schering-Plough (also held senior roles at Merck and Johnson & Johnson)  Former Sr. Staff Attorney, Federal Trade Commission, Bureau of Consumer Protection  Former Board Member, International Association of Privacy Professionals (IAPP)

  4. Department of Education Publications on Protecting Student Information

  5. Department of Education Publications on Protecting Student Information • Federal Student Aid (FSA), Department of Education Publications: – DCL ID: GEN-15-18 (July 29, 2015) – DCL ID: GEN-16-12 (July 1, 2016) • Subject: Protecting Student Information Reminders to institutions of higher education and their 3 rd party service providers of continuing • obligations to protect data used in administering Title IV Federal student financial aid programs • To support Student Aid Internet Gateway (SAIG) Enrollment Agreement entered into by each Title IV participating institution, FSA has strongly encouraged institutions to follow industry standards and best practices in managing information and information systems, and in securing PII • In addition, FSA requires institutions to comply with the Gramm-Leach-Bliley Act (GLBA) – Under Title V, financial services organizations, including institutions of higher education, are required to ensure the security and confidentiality of customer records and information. – Requirement recently added to Program Participation Agreement (PPA); is reflected in the Federal Student Aid Handbook • The Department of Education plans to audit educational institutions for GLBA compliance – More info here: https://ifap.ed.gov/dpcletters/GEN1612.html • The Department strongly encourages institutions to review and understand the standards defined in NIST SP 800-171 5

  6. Educational Institution Gramm-Leach-Bliley Act (GLBA) Safeguards Rule Compliance – Information Security Program • Each educational institution’s PPA includes provision requiring GLBA compliance • Under the GLBA, financial services organizations, which include postsecondary educational institutions, are required to ensure the security and confidentiality of student financial aid records and information. • Among other things, the GLBA requires institutions to: – Develop, implement, and maintain a written information security program – Designate the employee(s) responsible for coordinating the information security program – Identify and assess risks to customer information – Design and implement an information safeguards program – Select appropriate service providers capable of maintaining appropriate safeguards, and – Periodically evaluate and update their security program • Educational Institution Presidents and CIOs should have, at a minimum: – evaluated and documented their current security posture against GLBA’s requirements – taken immediate action to remediate any identified deficiencies • Department of Education: – incorporating GLBA security controls into Annual Audit Guide, to assess and confirm institutions’ GLBA compliance – will require examination of evidence of GLBA compliance as part of institutions’ annual student aid compliance audit. 6

  7. The GLBA Privacy and Safeguards Rules

  8. GLBA • The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to: – explain their information-sharing practices to customers – limit sharing and disclosure of financial data with third parties – safeguard sensitive data 8

  9. Gramm-Leach-Bliley Act • Requirement for initial and annual privacy notices • Required options for information sharing – Some sharing does not require opt-out o “As permitted by law” o Own advertising o Joint marketing – Affiliate sharing (regulated by the FCRA) o Sharing transaction & experience information o Sharing creditworthiness information o Sharing for affiliates’ marketing purposes – Sharing with non-affiliates • New exception for annual notice requirement – Applies only if the financial institution has a “no sharing” policy – Applies only if the privacy policy has not changed from the prior communication 9

  10. Safeguards • Title V of the GLBA sets out a number of mechanisms to protect the privacy and security of non-public personal information collected by financial institutions in connection with the provision of a financial product or service. Requires financial institutions to: – provide notices of policies and practices regarding disclosure of personal information – prohibit the disclosure of such data to unaffiliated third parties unless consumers are provided the right to “opt out” of such disclosure or unless other exceptions apply, and – establish safeguards to protect the security of personal information • To whom does the safeguards rule apply? – Applies to “financial institutions” (see section 313.3(k) on applicability) – All businesses, regardless of size, that are “significantly engaged” in providing fiancial products or services • What steps should your organization take to comply? • Securing personal information – Reasonable and appropriate security measures 10

  11. The Safeguards Rule requires • The Safeguards Rule requires companies to: • Assess and address risks to customer information – in all areas of their operations, including 3 areas important to information security: • Employee Management and Training • Information Systems, and • Detecting and Managing System Failures • Determine what information they are collecting and storing, and whether they have a business need to do so 11

  12. The Safeguards Rule requires • GLBA Safeguards Rule requires companies to: – develop written information security plan • describes program to protect customer information • appropriate to company’s size and complexity • nature and scope of its activities • sensitivity of the customer information it handles. • As part of its plan, each company must: • designate one or more employees to coordinate its information security program • identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks • design and implement a safeguards program, and regularly monitor and test it • select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information, and • evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring 12

  13. Examples of Reasonable Security Measures • Checking references and background checks of employees with access to customer PII • New hires agree to follow security measures • Limit access based on role • Access controls, including strong passwords • Password activated screen savers • Policies and procedures, including for mobile devices • Training • Remind employees of obligations • Policy for telecommuters • Imposing disciplinary measures • No access for terminated employees • Data asset inventory / data element inventory • Secure data storage, transmission, and destruction • Keep security controls up to date 13

  14. FTC Orders and NIST

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Connected and Autonomous Vehicles June 25, 2020 Future of Privacy Forum Our Mission Bridging the

Connected and Autonomous Vehicles June 25, 2020 Future of Privacy Forum Our Mission Bridging the

Digital Data Flows Masterclass # 7 : Connected and Autonomous Vehicles June 25, 2020 Future of Privacy Forum Our Mission Bridging the policymaker-industry-academic gap in privacy policy Developing privacy protections, ethical norms, &

1.07k views • 106 slides
and the Data Privacy Outlook for the Future 7 th Annual Corporate Counsel Forum Stacey Shadden

and the Data Privacy Outlook for the Future 7 th Annual Corporate Counsel Forum Stacey Shadden

GDPR One Year Later: Todays Impact on US Companies and the Data Privacy Outlook for the Future 7 th Annual Corporate Counsel Forum Stacey Shadden May 31, 2019 (402) 633-9591 sshadden@mcgrathnorth.com Agenda General Data Protection

252 views • 24 slides
De-Identifying Education Data Future of Privacy Forum Webinar October 13, 2017 MICHAEL HAWES

De-Identifying Education Data Future of Privacy Forum Webinar October 13, 2017 MICHAEL HAWES

De-Identifying Education Data Future of Privacy Forum Webinar October 13, 2017 MICHAEL HAWES Director of Student Privacy Policy U.S. Department of Education United States Department of Education 2 Student Privacy Policy and Assistance

535 views • 38 slides
COPPA 101 Amelia Vance , Future of Privacy Forum Linnette Attai , PlayWell LLC Sara Kloek, SIIA

COPPA 101 Amelia Vance , Future of Privacy Forum Linnette Attai , PlayWell LLC Sara Kloek, SIIA

COPPA 101 Amelia Vance , Future of Privacy Forum Linnette Attai , PlayWell LLC Sara Kloek, SIIA Emily S. Tabatabai , Orrick Herrington & Sutcliffe November 2017 NOTHING IN THIS PRESENTATION IS INTENDED TO CONSTITUTE A LEGAL OPINION

753 views • 32 slides
COPPA 101 Amelia Vance , Future of Privacy Forum Linnette Attai , PlayWell LLC Sara Kloek, SIIA

COPPA 101 Amelia Vance , Future of Privacy Forum Linnette Attai , PlayWell LLC Sara Kloek, SIIA

COPPA 101 Amelia Vance , Future of Privacy Forum Linnette Attai , PlayWell LLC Sara Kloek, SIIA Emily S. Tabatabai , Orrick Herrington & Sutcliffe November 2017 NOTHING IN THIS PRESENTATION IS INTENDED TO CONSTITUTE A LEGAL OPINION

330 views • 30 slides
Inform rming Deci ecisi sions s while Prot otecting P Privacy: y: T The Future of the F

Inform rming Deci ecisi sions s while Prot otecting P Privacy: y: T The Future of the F

Inform rming Deci ecisi sions s while Prot otecting P Privacy: y: T The Future of the F Federal St Statistical System Katharine G. Abraham University of Maryland, NBER and IZA Data Science for the Public Good Forum September 17, 2019

788 views • 43 slides
Privacy and security in the cloud Challenges and solutions for our future information society

Privacy and security in the cloud Challenges and solutions for our future information society

Privacy and security in the cloud Challenges and solutions for our future information society Panel Building trust the technical challenges World Summit on the Information Society Forum 25-29 May 2015 ITU, UNESCO, UNDP and UNCTAD

709 views • 17 slides
Privacy Past and Future ISSA Lansing, MI May 19, 2016 Keith A. Cheresko Principal, Privacy

Privacy Past and Future ISSA Lansing, MI May 19, 2016 Keith A. Cheresko Principal, Privacy

Privacy Past and Future ISSA Lansing, MI May 19, 2016 Keith A. Cheresko Principal, Privacy Associates International LLC Purpose What is Privacy? American Privacy Past - How we got to here Some International Privacy OECD, EU

499 views • 36 slides
Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy

Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy

Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy Commissioner of Alberta Session Overview Reasons for having a PMP Strategies to deal with current and future privacy challenges at your

469 views • 33 slides
PET Semetary: Privacys return from the dead and the Future of Privacy Engineering Seda

PET Semetary: Privacys return from the dead and the Future of Privacy Engineering Seda

PET Semetary: Privacys return from the dead and the Future of Privacy Engineering Seda Grses CITP , Princeton University COSIC, University of Leuven getting privacy engineering right? getting privacy engineering right? software

471 views • 20 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Technology and Legislative Solutions to Maintain Cell Phone Privacy October 15, 2019 Privacy and

Technology and Legislative Solutions to Maintain Cell Phone Privacy October 15, 2019 Privacy and

The Robocall Epidemic: Leveraging Technology and Legislative Solutions to Maintain Cell Phone Privacy October 15, 2019 Privacy and Security Forum Divya Gupta Dorsey & Whitney LLP Jeremy Gladstone Capital One 1 Agenda The

257 views • 21 slides
Do Not Track The Future of Web Privacy Nick Doty UC Berkeley, School of Information World Wide

Do Not Track The Future of Web Privacy Nick Doty UC Berkeley, School of Information World Wide

Do Not Track The Future of Web Privacy Nick Doty UC Berkeley, School of Information World Wide Web Consortium http://npdoty.name who I am "future of" a clarification not that Do Not Track is a solution to all Web privacy problems

560 views • 34 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
Updates Wednesday, August 24, 2016 Tucson, Arizona Prevent Terrorism/Enhance Security 2011

Updates Wednesday, August 24, 2016 Tucson, Arizona Prevent Terrorism/Enhance Security 2011

American Association of State Highway and Transportation Officials Special Committee on Transportation Security and Emergency Management 2016 Critical Infrastructure Committee Joint Annual Meeting Department of Homeland Security Updates

600 views • 17 slides
Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55

Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55

Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55 Incident Reporting Forms CERT Coordination Center (CERT/CC) Federal Computer Incident Response Capability (FedCIRC) National

437 views • 9 slides
Corporate Governance Prof. John Ferguson Part 1 - What is a corporation and who should it serve?

Corporate Governance Prof. John Ferguson Part 1 - What is a corporation and who should it serve?

Corporate Governance Prof. John Ferguson Part 1 - What is a corporation and who should it serve? CORPORATE GOVERNANCE What is Corporate Governance? the system by which companies are directed and controlled (The Cadbury Report, 1992)

1.91k views • 114 slides
GNR607 Principles of Satellite Image Processing Instructor: Prof. B. Krishna Mohan CSRE, IIT

GNR607 Principles of Satellite Image Processing Instructor: Prof. B. Krishna Mohan CSRE, IIT

GNR607 Principles of Satellite Image Processing Instructor: Prof. B. Krishna Mohan CSRE, IIT Bombay bkmohan@csre.iitb.ac.in Slot 4 Lecture 21-23 Image Corrections Sept. 15-18, 2014 9.30 10.25 AM, 10.35 AM 11.30 AM, 11.35 12.30 PM

1.15k views • 35 slides
This webinar is Parish Emergency Operations Planning Session 1: Beginning the Basic Plan October

This webinar is Parish Emergency Operations Planning Session 1: Beginning the Basic Plan October

This webinar is Parish Emergency Operations Planning Session 1: Beginning the Basic Plan October 22, 2018 Welcome Questions - Chat feature During our initial workshops, I introduced you to this model for capabilities- based planning. I want

497 views • 33 slides
1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by

1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by

1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by University of Pittsburgh Provosts Office, SCI n n Dinner on your own n WiFi password: n Need help? n Kelly Shaffer, Program Director at SCI n Runhua

951 views • 38 slides
HSARPA Cyber Security Division Internet Measurement and Attack Modeling Project Active Internet

HSARPA Cyber Security Division Internet Measurement and Attack Modeling Project Active Internet

HSARPA Cyber Security Division Internet Measurement and Attack Modeling Project Active Internet Measurement Systems Workshop (AIMS) February 6-8, 2013 Ann Cox, PhD. Program Manager Cyber Security Division Homeland Security Advanced Research

545 views • 21 slides
Emerging Risk Management and Coverage Challenges Presented by the Internet of Things and Vendor

Emerging Risk Management and Coverage Challenges Presented by the Internet of Things and Vendor

Emerging Risk Management and Coverage Challenges Presented by the Internet of Things and Vendor Breaches John D. Hackett & Margaret A. Shipitalo , Cassiday Schade LLP Kenneth K. Suh , Technology, Media, and Business Services, Beazley Group

391 views • 35 slides

More recommend