Title: Legal Issues for Employees 201
1. Legal Issues for Employees 201
- How to Protect Yourself and WL from Improper Use / Disclosure of Confidential Information
2. Why Do I Need to Be Here?
- Do you have a social security number? Bank account? Credit card? Medical records?
- OR
- Do you work with or around student records? Employee records? Credit cards? Donor financial information? Alumni information? University financial information? Other sensitive or proprietary information about University operations? Ever hear about any of this?
3. What's this all about?
- Three separate issues
- What is PRIVATE (personally identifiable information protected by law, policy, or common civility)
- How to keep PRIVATE information CONFIDENTIAL (seen/heard by only those with a legitimate need to know) and
- How to keep such information SECURE (so that it cannot be improperly altered, removed, or destroyed).
4. What's the problem?
- Identity Theft -- don't think it can't happen to you.
- Dumpster divers, shoulder surfers, computer hackers, keystroke loggers, etc.
- It's not just people out there who are the problem -- we need to be proactive to safeguard information.
5. Give me some examples . . .
- Let's talk about your own personal recordkeeping and information security practices first
- Do you have your social security number as your driver's license number? Consider changing to a random number.
- Don't give out your social security number to anyone unless it's mandatory and you have assurance as to safeguards.
6. Personal practices (cont'd)
- Don't give out a credit card number over the phone unless you've dialed the company and know you can trust them.
- Don't give out a credit card over the internet unless you see a symbol of encrypted online information delivery (lock).
- Don't use just one user name and password for all online accounts.
7. Personal practices (cont'd)
- Don't just throw credit card bills or other bills/documents with account numbers or social security numbers in the trash -- get a shredder.
- Periodically, get a copy of your credit report (e.g., Equifax) to be sure there are no debts that you didn't incur.
8. What to do in case of identity theft?
- Call 1-877-ID-THEFT to report to the Federal Trade Commission
- Then call local police and FBI
- Also report to Social Security Administration for SS theft
- Contact credit card companies and other creditors
9. But enough about you . . .
10. Private information under law
- Student education records (FERPA)
- Financial account/loan records (Gramm-Leach-Bliley): student loans, employee home loans
- Personally identifiable employee information kept by covered health plans (HIPAA): health, dental, flex, EAP
11. Private information under law
- Records related to employee disability (Americans with Disabilities Act): kept separate from rest of personnel file
- Medical records related to family and medical leave (FMLA)
- Background Check results (disposal) (FACTA)
- Student medical treatment / counseling records (private under Virginia law)
- Human Subjects Research (surveys, etc.)
12. Private information under policy
- Social security numbers and credit card numbers are included in WL's Information Security Program.
13. Other private WL information
- Personally identifiable information re donors, alumni and alumnae.
- Proprietary WL information (internal operations, financial/investments, research and institutional data not intended for public disclosure)
14. Responsibilities of WL employees
- All university faculty and staff are expected to comply with university policies and procedures on privacy, confidentiality and security.
- New employees (faculty and staff) sign confidentiality and technology use agreements.
15. How to protect the confidentiality of private information
- Follow University and department policies, procedures, and protocols.
- If you have no legitimate work-related necessity or educational reason to hear/see/disclose the information, don't.
- Be sure that only those with a legitimate, work-related need to know have authority and access to private information.
16. How to protect the confidentiality of private information
- When in doubt, ask / confirm first before disclosing private information.
- If you are aware of documents with private information being simply thrown away, not shredded or otherwise securely disposed of, advise department head or Scott Dittman, chair of ISP committee.
17. How to protect the confidentiality of private information
- Don't leave private information in plain view when leaving your work area.
- Lock file cabinets containing private information.
- Keep your office locked when you, or other authorized employees, are not present.
- Avoid multiple copies of private information unless needed.
18. How to protect the confidentiality of private information
- Don't discuss private or sensitive information with open doors or in hallways, etc.
- Treat private information as if it were about you.
- Taking files home -- handle with care.
19. Protecting electronic information
- Password security
- 8 characters, alphanumeric
- Change it often
- Don't share it with anyone
- Don't write it down and tape it close by
- Give proxy to e-mail or calendar, not password to the account
20. Protecting electronic information
- Lock your workstation each time you leave it unattended (Ctrl/Alt/Delete)
- Shut down your computer each evening (allows patches and updates to apply AND keeps others off the computer)
- Keep anti-virus/firewalls, etc. up to date on home computers if you work at home
- Have multiple user names/pws
21. Protecting electronic information
- Safe e-mail practices
- Don't open attachments if you aren't expecting them
- Don't click on links in emails
- Safe internet browsing
- Don't click on it if you didn't ask for it
- Don't allow random downloads
- Safe instant messaging (AOL viruses)
- Only communicate with known buddies
22. Protecting electronic information
- Consider placement of screen / visibility to office visitors
- Use screen blockers
- Be careful with flash drives, memory keys, diskettes, CDs, etc.
23. What about when traveling?
- Assume NOTHING is secure!!!
- Wired is more secure than wireless
- Always look for the encrypted (lock or equivalent) symbol to be sure communication is secure
- Wireless off campus -- don't log in to other sites unless encrypted
24. What about while traveling?
- Never use hotel lobby computers for anything sensitive or private -- only MapQuest-type inquiries, etc.
- Why? Keystroke loggers . . . Scary
- If you lose a memory key, laptop, etc., report it to University Computing immediately
25. Specific private information
- Student educational records (FERPA)
- Know policy / guidance
- http://registrar.wlu.edu/policies/ferpa.htm
- Consent, unless school official with legitimate educational interest, subpoena, emergency, few other exceptions
- Directory information unless opt out
- Resources: Registrar, counsel.wlu.edu
26. Specific private information
- HIPAA
- Records kept by WL health plans on employee medicals, claims, etc.
- Group health, Flex, Dental, EAP
- Deborah Stoner and Steven McClure are authorized officials (HR)
- http://humanresources.wlu.edu/other/Benefit%20Plan%20Privacy%20Practices.htm
27. Specific private information
- Background check information (FACTA)
- Disposal of such information
- ADA/FMLA
- Faculty and staff medical information related to disability accommodations or family/medical leave -- should be kept separate from personnel file (HR Office)
28. Specific private information
- Personally identifiable financial information (finances, social security number, credit card) (GLB and WL policy)
- Treasurer's office
- HR
- Financial Aid
- Business Office
- Bookstore, Alumni Office, Special Programs, Development, etc.
29. Information Security Program
- Campus internal inventory of department information security practices to identify and address any potential security concerns.
- Will begin with Financial Aid, Treasurer's Office, Business Office, HR, and other offices maintaining social security numbers or credit card numbers.
30. What to do in case of improper disclosure or other security breach
- Notify your department head, Scott Dittman (Registrar/Chair of ISP Committee), and/or Ruth Floyd (University Computing) as appropriate