Legal, Policy and Regulatory Challenges for IT Executive Leadership/Seminars on Academic Computing Tracy Mitrano Cornell University


Legal, Policy and Regulatory Challenges for IT

Executive Leadership/Seminars on Academic Computing

Tracy Mitrano

Cornell University

[Diagram: Internet & IT Policy at the center, shaped by four forces: Market, Architecture, Norms, Law]

Big “P” and Little “p” Policy

Big “P” policy involves external issues, such as national security, electronic surveillance laws, privacy, or digital copyright.

• USA PATRIOT Act: http://www.cit.cornell.edu/oit/policy/PatriotAct/
• Digital Copyright: http://www.cit.cornell.edu/oit/policy/copyright/
• Privacy in the Electronic Realm: http://www.cit.cornell.edu/oit/policy/privacy/
• CALEA (Communications Assistance for Law Enforcement Act): http://www.cit.cornell.edu/oit/policy/calea/


Little “p” Policy

Little “p” policy is institutional policy: preservation and protection of institutional interests and assets. If your policy does not stand up to this test, best to rethink.

Cornell Model
• Centralized University Policy Office: http://www.policy.cornell.edu/
• Famous “policy on policies!”: http://www.policy.cornell.edu/vol4_1.cfm
• Balance of statement and procedure: procedure is stated at the institutional level, not at the back-line (unit) level


Go to law school, Tracy!

The relationship between higher education and the government, market, social norms and technology is growing increasingly complicated and will become even more so given the international nature of communications technologies.


Why so much legal and regulatory activity?

Information technologies have been the driving force of the American (and global) economy since the 1990’s.
• Personal computer + network systems = communications
• Innovation offers untapped potential
• New distribution methods: entertainment media, publishing, communications, and education, too!


Transformative Effects on…

Revenue: commercialization of the Internet since it went public in the early 1990’s created new business models
• Google and advertising
• Merchandise distribution, i.e. shopping! Amazon
• Buying and bargaining: eBay
• Entertainment: we’re waiting :-)

Government: in the midst of a historic national deficit, watch for an Internet tax sometime near you soon!


…the Law and Regulatory Issues

Copyright, Copyright, Copyright
When I went to law school and walked uphill both ways…

Digital Millennium Copyright Act, 1998
• Section 512: notice and take down
• Section 1201: anti-circumvention

February 2003: Senate hearings
• First letters to the presidents
• Verizon “fast-track” litigation
• Lawsuits against individuals
• Action against Internet2
• Second letter to presidents regarding subnets and filtering



Current litigation: Google Library Project
If there is ever a case to test fair use in the new electronic age, this is the one!
Association of American Publishers v. Shhhhhhhh

Current legislative reform: orphan works
Finally a boon to and for higher education!!


Institutional Policy Response

Statement: X complies with all copyright laws.

Procedure:
• DMCA
• E-Reserves
• Course management systems
• Intellectual property of the University and its employees, students and faculty


Electronic Surveillance

The USA PATRIOT Act amended the Electronic Communications Privacy Act (ECPA) by lowering the evidentiary standard for voicemail and call records (e.g., network flow logs).

This is the legal backdrop for the collection of call records from major communications providers.

Below probable cause: rather than a warrant, the government files a paper with a clerk.


Institutional Policy Response

Statement: “All roads lead to Rome,” i.e. counsel. Cornell University Policy 4.13, Acceptance of Legal Papers: http://www.policy.cornell.edu/vol4_13.cfm

Unit protocol in order to get to Rome: Cornell Information Technologies


[Flowchart: Cornell Information Technologies unit protocol for legal requests. Swimlanes: External Law Enforcement; University Counsel; VP of Info Tech; ITSO or IT Policy Office; CIT; Other CU Department.]

Start: external law enforcement makes a request. The request is received in one of the other lanes, and every path leads to University Counsel:
• To counsel? Y: University Counsel receives the request and notifies ITSO, IT Policy, or the VP of IT*.
• To VP of IT? Y: the VP of IT receives the request and refers it to University Counsel.
• To ITSO or IT Policy? Y: ITSO or the IT Policy Office receives the request and refers it to University Counsel.
• To CIT? Y: CIT receives the request, follows the internal unit protocol, and refers it to ITSO, IT Policy, or the VP of IT*, who refer it to University Counsel. N: another CU department receives the request and refers it the same way.

University Counsel: Defect in request? Y: law enforcement fixes the defect in the legal paperwork and resubmits. N: Can comply? N: End. Y: Request tangible item?
• Y: order to provide item**. The item is given to ITSO/IT Policy Office, then to University Counsel, then to law enforcement.
• N: request for electronic records: order to provide records**; records are transmitted to law enforcement.
Law enforcement receives the item/records. End.

* Depending on who is available
** Depending on the nature of the request, University Counsel may contact either the IT Policy Office or ITSO

Privacy Laws…

• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA, the Financial Services Modernization Act)
  **Both HIPAA and GLBA have explicit security and privacy regulations
• Family Educational Rights and Privacy Act (FERPA): pre-existing, so it has not caught up yet
• Got a campus hotel with cable or movies? Video Privacy Protection Act; Cable Communications Policy Act (the Cable Act)


Institutional Policy Response

Complementary Privacy and Security Programs organized around the following five categories:
• Policy
• Risk Assessment/Operations
• Training for personnel
• Education for all users
• Enforcement


Examples

• Cornell Security Program: http://www.cit.cornell.edu/oit/policy/security.html
• Cornell (nascent) Privacy Program: http://www.cit.cornell.edu/oit/policy/privacy.html
• IT Policy Framework: http://www.cit.cornell.edu/oit/policy/framework-chart.html


Data Breach Notification

Laws in several states (California and New York, notably); a federal one is on the way, with several bills currently on offer.

Common characteristics:
• Covered data: name + SSN, bank routing number, credit card number, or other financial transaction numbers
• Standard: reasonable belief that the data were accessed by an unauthorized individual
• Encryption is a safe harbor

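To make those common characteristics concrete for incident scoping, here is an added example that is not part of Mitrano's slides or any Cornell procedure. It triages a leaked CSV export for records that would trigger notice under the characteristics listed: a name paired with an SSN, a bank routing number, or a card number, with encrypted fields treated as the safe harbor. The SSN format rule, the ABA routing checksum, the Luhn check, the "enc:" marker for encrypted fields, and the sample rows are all assumptions of the example; the statutes themselves vary by state, and whether a particular file triggers notice is a question for counsel.

```python
"""Breach-notification triage of a leaked data file.

Added example, not part of the original slides. It applies the slide's
"common characteristics": a record is notifiable when a name appears
together with an SSN, a bank routing number, or a credit card number, and
encrypted fields are a safe harbor. The validation rules, the "enc:"
marker and the sample rows are assumptions of this example.
"""
import csv
import io
import re

# Assumed SSN format rule: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}")


def luhn_ok(number: str) -> bool:
    """Luhn check for a payment card number (separators ignored)."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_routing_ok(number: str) -> bool:
    """ABA routing transit number checksum (weights 3,7,1 repeating)."""
    if not re.fullmatch(r"\d{9}", number):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(c) * w for c, w in zip(number, weights)) % 10 == 0


def is_encrypted(value: str) -> bool:
    """Assumption: the exporting application prefixes protected fields with 'enc:'."""
    return value.startswith("enc:")


CHECKS = {
    "ssn": lambda v: SSN_RE.fullmatch(v) is not None,
    "routing": aba_routing_ok,
    "card": luhn_ok,
}


def classify_row(row: dict) -> set:
    """Identifier types in this row that, combined with a name, trigger notice."""
    if not row.get("name", "").strip():
        return set()            # no name: the name + identifier combination is absent
    hits = set()
    for field, check in CHECKS.items():
        value = row.get(field, "").strip()
        if not value or is_encrypted(value):
            continue            # empty, or encrypted: safe harbor
        if check(value):
            hits.add(field)
    return hits


def triage(csv_text: str) -> dict:
    """Scan a CSV export; return the row count and the notifiable rows by file line."""
    reader = csv.DictReader(io.StringIO(csv_text))
    examined = 0
    notifiable = []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        examined += 1
        hits = classify_row(row)
        if hits:
            notifiable.append((line_no, sorted(hits)))
    return {"rows_examined": examined, "notifiable": notifiable}


# Constructed sample export (not real data). 4111... is a public test card
# number; 021000021 is a published routing number used here only for the checksum.
SAMPLE_CSV = """name,ssn,routing,card,notes
Ada Example,123-45-6789,,,name plus SSN
,987-65-4321,,,SSN but no name
Bob Example,enc:3f9a1c7b,,,encrypted SSN: safe harbor
Cy Example,,021000021,,name plus routing number
Di Example,,,4111 1111 1111 1111,name plus card number
Ed Example,,123456789,,routing number fails checksum
"""

if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    print(f"rows examined: {result['rows_examined']}")
    for line_no, kinds in result["notifiable"]:
        print(f"line {line_no}: notifiable ({', '.join(kinds)})")
```

On the sample, three of the six rows are notifiable (the name+SSN, name+routing and name+card rows); the SSN without a name, the encrypted SSN and the routing number that fails its checksum are not. The checksums matter in practice: a raw nine-digit or sixteen-digit regex over a large export produces many false hits that inflate the scope of a notification.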

Cornell’s Institutional Response (Reactive)

Data Incident Response Team (DIRT):
• VP of IT
• Directors of Security and Policy
• Legal Counsel (sometimes two!)
• Director of Communications
• Campus Police
• ***Unit head of affected computers and associated personnel
• ***Data stewards of the breached data


Institutional Policy Response

Information Security of Institutional Data: http://www.cit.cornell.edu/oit/policy/drafts/RUis.html
• Appendix A: rules for handling data, broken down into three categories of users: Data Stewards, Unit Heads, Custodians
• Appendix B: Minimum Data Security Standards for Three Classes of Data: http://www.cit.cornell.edu/computer/security/prop-baseline.html


Data Steward
• Inventory data under his/her jurisdiction
• Categorize data
• Establish rules for disclosing and authorizing access to administrative data
• Conduct annual risk assessments of security and privacy practices

Unit Head
• Assume responsibility for data under his/her control
• Deploy procedures to comply with the steward's rules for disclosing, categorizing, and authorizing access to administrative data
• Deploy procedures for meeting minimum standards for data security according to data classification (see Appendix B)
• Negotiate with stewards in cases of disclosing mixed data sets (i.e., more than one data category or steward)

Custodian
• Execute the unit's procedures for disclosing, categorizing, and authorizing access to administrative data
• Execute the unit's procedures for meeting minimum standards for data security according to data classification (see Appendix B)
• Report all data breach incidents

Data Classification Criteria

Cost/Benefit Analysis

Costs (financial and administrative):
• Administrative burden
• Financial cost of new technologies
• New business practices

Benefits (mitigating risk):
• Legal check list
• Policy decisions (prioritizing institutional data)
• Ethical considerations?


Legal Check List

Type of Data             Privacy Statement   Annual Notice   Notification Upon Breach   Private Right of Action   Government Enforcement   Statutory Damages
Personally Identifiable  no                  no              x                          x                         x                        x
Education Record         x                   no              no                         no                        x                        no
Medical Record           x                   no              no                         x                         x                        x
Banking Record           x                   x               complicated                o                         x                        x

(x marks where the requirement applies, as on the original slide; "o" and "complicated" are reproduced as given.)

Yochai Benkler, The Wealth of Networks

We are in the midst of a technological, economic and organizational transformation that allows us to renegotiate the terms of freedom, justice and productivity in the information society. How we shall live in this new environment will in some significant measure depend on policy choices that we make over the next decade or so.


How Social Production Transforms Markets and Freedom

To be able to understand these choices, to be able to make them well, we must recognize that they are part of what is fundamentally a social and political choice -- a choice about how to be free, equal, productive human beings under a new set of technological and economic conditions.


The Big “P” Policy Challenge:

As economic policy, allowing yesterday’s winners to dictate the terms of tomorrow’s economic competition would be disastrous. As social policy, missing an opportunity to enrich democracy, freedom and justice in our society while maintaining or even enhancing our productivity would be unforgivable.
