Publications, Videos, Web Tutorials
CRS Report to Congress: Information Security and Data Breach Notification Safeguards (July 31, 2007). This report analyzes the Privacy Act, the Federal Information Security Management Act, OMB Guidance, the Veterans Affairs Information Security Act, HIPAA, and GLB.
GAO Report on Personal Information and Data Breaches: June 2007
United States v. Heckenkamp, Nos. 05-10322 and 05-10323 (9th Cir. April 5, 2007)
This decision addresses whether a remote search of computer files on a hard drive by a network administrator was justified under the "special needs" exception to the Fourth Amendment. The holding applies directly only to governmental actors such as public universities; however, the case is of interest to private universities as well because of its discussion of the computer-use policy at the University of Wisconsin-Madison and of whether the language of that policy created a reasonable expectation of privacy.
A student at the university (who had previously worked for the computer department and had been terminated for unauthorized computer activity) was in the process of hacking into the computers of a corporation in San Diego. In tracing the intrusion at the request of the company, the system administrator at UW noticed that the student in question had gained access to the university's Mail2 server. Access from one IP address was blocked to protect the university system, but the student simply reconnected from another IP address. The university police and the system administrator went to the dorm room in question and disconnected the network cord from the computer. The student, Heckenkamp, authorized the administrator to make a copy of his hard drive. A search warrant was issued the next day, and the computer was seized pursuant to that warrant. In the criminal case against him, the student moved to suppress the evidence gathered from (1) the remote search of his computer, (2) the image taken of his computer's hard drive, and (3) the search conducted pursuant to the FBI's search warrant. In addressing this motion, the court noted as follows:
As a prerequisite to establishing the illegality of a search under the Fourth Amendment, a defendant must show that he had a reasonable expectation of privacy in the place searched. Rakas v. Illinois, 439 U.S. 128, 143, 99 S. Ct. 421, 58 L. Ed. 2d 387 (1978). An individual has a reasonable expectation of privacy if he can "'demonstrate a subjective expectation that his activities would be private, and he [can] show that his expectation was one that society is prepared to recognize as reasonable.'"
***The salient question is whether the defendant's objectively reasonable expectation of privacy in his computer was eliminated when he attached it to the university network. We conclude under the facts of this case that the act of attaching his computer to the network did not extinguish his legitimate, objectively reasonable privacy expectations.***
However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user. United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir. 2002); United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000).
In the instant case, there was no announced monitoring policy on the network. To the contrary, the university's computer policy itself provides that "[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the state." When examined in their entirety, university policies do not eliminate Heckenkamp's expectation of privacy in his computer. Rather, they establish limited instances in which university administrators may access his computer in order to protect the university's systems. Therefore, we must reject the government's contention that Heckenkamp had no objectively reasonable expectation of privacy in his personal computer, which was protected by a screensaver password, located in his dormitory room, and subject to no policy allowing the university actively to monitor or audit his computer usage.
Although a reasonable expectation of privacy existed, the court found the search was justified under the "special needs" exception to the warrant requirement. That exception applies where the government has a need beyond the normal needs of law enforcement (here, protecting the integrity of the university's network) that makes the warrant and probable-cause requirements impracticable. See also the April 9 Inside Higher Ed article Defining Privacy and its Limits for a summary of the case, and comments from Steve Worona and Tracy Mitrano on the case.
Higher Education and PCI Compliance: Definitions, Challenges and Actions (2006)
PCI Compliance for Higher Education: Best Practices Checklist
E-Commerce and the Cardholder Information Security Program (CISP)
This Educause Effective Practice Detail provides basic information important for universities that sell products or services online and collect fees via credit card. The approach is meant to help institutions of higher education get started in assessing their responsibilities with regard to cardholder data that they may process or otherwise come in contact with, and help institutions determine whether there are regulatory obligations, what those obligations are, and some steps to take to help meet those obligations.
CUA Gramm Leach Bliley Training Brochure
Shakespeare on Cyberliability, by Beth Cate, Associate University Counsel, Indiana University, published for the NACUA Annual Conference, Orlando, Florida, June 27, 2005. This is an excellent (and witty) overview of the main privacy laws affecting higher education: HIPAA, FERPA and GLB. The paper also includes a very thorough section on common law tort claims that might arise in connection with security and privacy breaches, as well as an overview of contractual security obligations and the duty to notify in the event of a security breach.
GAO Jan. 2004 Report on Social Security Numbers:
Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information:
This thirty-page report focuses on how information resellers, CRAs and some health care organizations obtain and use SSNs, and discusses the laws and practices relevant to safeguarding SSNs and consumers' privacy. The report covers HIPAA, Gramm Leach Bliley, the Fair Credit Reporting Act, and the Driver's Privacy Protection Act.
CUA Video for NACUA
NACUA June 2003 Power Point Presentation
Last Revised 05-Mar-08 11:59 AM.