Friday, August 22, 2014

Data Privacy and Central Wyoming College - Some Musings

Here are two quick take-aways:

  • Students:  It is not clear to me at this time if a STUDENT account's electronic information (email/documents/etc.) is legally "private" or not.  It might fall under the State of Wyoming's definition of a "public record."  If the college received an external request for student account e-information, we would seek legal advice on how to respond.  We are also currently in a process with the other colleges and the university in Wyoming to seek a Wyoming State Attorney General's opinion on this matter.
  • Staff:  It seems pretty clear that any e-information in a CWC STAFF account likely DOES qualify as a "public record" - though here too we would likely seek legal advice if confronted with an external request.  My advice (and college policy) is pretty clear on this:  Your staff account e-information has "no legal expectation of privacy."

Read on if you would like some details.

If information is a "public record" then the college is required by law to release it to anyone who requests to see it - unless doing so would violate some other law.  If the requester simply wants to view the information - and comes to CWC to do so - I believe it is required that this information be provided for free.  Otherwise, I believe the college is allowed to charge a "copy charge" to send them a copy of the information.

So here is what happens if an external request comes in to access college information:

  1. The college works with the requester to clearly define the request
  2. College personnel then review the information privately to determine if it is a public record.  For example, an email between two people may or may not be a public record.  If it contains an educational record as defined by FERPA (a federal student information privacy law) it is NOT a public record - and in fact releasing it to an unauthorized person is itself a violation of law.  Likewise for other information like health information (HIPAA), credit card information or a person's Social Security number.  Any such information would either be redacted from the copy of the information released - or not released at all if redaction would still constitute a violation.
  3. Finally, the law requires the college to release anything determined to be a "public record" to the requester.

How could any of this possibly affect me, you ask?  I heard a story (which I admit is unconfirmed but sounds plausible to me) of a public college employee going through a nasty divorce proceeding.  Because it was deemed that the employee email was a "public record" the aggrieved spouse did NOT need to prove that access to email was warranted in this case by getting a court order to view the email - they simply needed to make a request for the public record.

My advice:
Don't use your college account for personal communications.  Just don't do it!

John



Thursday, August 7, 2014

Maybe *Worst ever* Internet exploit

Reports (here in the NYTimes for example) yesterday say that a hacker group has managed to gather over 1.2 billion username/password combinations from a wide range of websites. Some 420,000 websites were compromised. Website names have not been released.

I suspect that this is the worst data breach in the history of the internet to date.

You should consider changing passwords on all of the websites where you have accounts. CWC IT folks recommend that you change passwords on all banking and other financial sites, and any other site where you have sensitive data or data that might facilitate identity theft. We strongly encourage you to change passwords on all accounts with usernames/passwords that you use on multiple sites - and to stop doing that!!

We are querying our myCENTRAL vendor to see if we are vulnerable to "SQL injecting" - the technique used in this exploit.

More suggestions:
  • do use strong passwords, 
  • do not reuse passwords, 
  • and change them when we hear news like we heard today. 
  • Even better is to use two-factor authentication (TFA) when it is offered. The most common TFA technique includes sending the user a text message to a mobile device during the login process. The text is typically a number that the user has to enter to complete login to an account. You can expect to see more sites offering, or even requiring, TFA.

(My thanks to Paul Cornia, CIO for NOLS - I blatantly stole much of the text above from his excellent posting advice to all NOLS employees.)