Technology and the Law Presented at the Greene County Educational Service Center Bricker & Eckler...

Technology and the Law

Presented at the Greene County Educational Service Center

Bricker & Eckler LLP

Sue W. Yount

C. Allen Shaffer

October 7, 2009


© Bricker & Eckler 2009

Format and Introduction

• About 14 separate topics

• Data security/ Public Records requests
• Records Technology
• Acceptable Use of Computers/ Forensics
• Termination and discipline/ Off-Campus computing
• The Copyright Act/ new laws, new technology
• Searching electronics/ “Sexting”
• “cutting edge” problems
• Your Questions


Data and Records: Security, storage, and requests for data


Legal aspects of Data Breaches in Ohio: when must I report?

SWY


Data Security, Data Breaches

Chapter 1347 of the Ohio Revised Code creates duties and responsibilities for those who maintain “personal information systems”

R.C. 1347.05 imposes 8 duties, including –

There must be an individual “caretaker” of the data system who is responsible for overseeing performance of the duties.


Data Security, Data Breaches

1347.12 Agency disclosure of security breach of computerized personal information data.

unauthorized access to . . . computerized data that . . . reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.


Data Security, Data Breaches

(6)(a) “Personal information” means . . . an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with . . .
(i) Social security number;
(ii) Driver’s license number or state identification card number;
(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.


Data Security, Data Breaches

When must I disclose the breach?

. . . shall make the disclosure . . . in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to . . . any measures necessary to determine the scope of the breach . . . and to restore the reasonable integrity of the data system.


Data Security, Data Breaches

PRACTICAL reporting of Data Breaches:

- Get ahead of the rumors
- Inform all affected
- Share remediation efforts
- Talk about limits of the risk


Remediation of a Data Breach

CAS


The 1938 “Woolworth” wallet card
- the REAL SSN of the CEO’s secretary
- 40,000+ persons have used the number
- 12 people used it in 1977
- Now, 987-65-4320 to 987-65-4329 are reserved for use in advertisements


Data Security, Data Breaches

• Get back anything you can
• Decide about reporting
• Report to ALL, not just those affected
• Have 1 year of credit monitoring ready to offer (the “gold standard”)
• Suggest www.ftc.com, “Identity theft”
• Have the “fix” ready to talk about


Data Security, Data Breaches

• most data security breaches are not from complicated “hacking” or other outside intervention
• many data breaches do NOT have a financial motive
• “anticipate curiosity”
• get review from those not “burned out” due to familiarity with the system


The Public Records Law and its Interface with Recordkeeping Technology

SWY


Public Records - Definitions

1. Any record that is stored on a fixed medium (e.g. paper, microfiche, the computer, etc.), AND

2. Created, stored, transmitted or received under a public office’s jurisdiction, AND

3. Documents the organization, functions, policies, decisions, procedures, operations or other activities of the school district. R.C. § 149.011(G).


Exceptions to disclosure

1. Medical records (provided that the records pertain to the diagnosis, prognosis or medical condition of an individual AND were created and maintained in the course of treatment).

2. “Records the release of which is prohibited by state or federal law.” R.C. §149.43(A)(1)(v).


Exceptions to disclosure

3. Social Security numbers. State ex rel. Beacon Journal Publishing Co. v. City of Akron, 70 Ohio St.3d 605 (1994).

4. Attorney-client privileged information.


Rights & Responsibilities of a school district under the Public Records Act

1. Prompt inspection of public records. R.C. §149.43(B)(1).

– “Prompt” means within a reasonable period of time or without undue delay, depending on the circumstances.

– Inspections must be allowed during regular business hours.

– Cannot charge an individual for inspecting records, but may charge for requested copies.


Rights & Responsibilities of a school district under the Public Records Act

2. Upon request, copies of public records shall be provided within a reasonable amount of time. R.C. § 149.43(B)(1).

– A “reasonable amount of time” is determined based upon the circumstances of the request.

– May charge actual cost for making copies of the public records.

– Has no duty to provide free copies to any individual who cannot or will not pay for them, regardless of indigent status.

– May require an individual to pay for the copies in advance of the copying.


Rights & Responsibilities of a school district under the Public Records Act

3. Upon request, copies of the records shall be transmitted by mail or other method of delivery.

4. An individual may specify, with certain limitations, that the copies of the public records be in a specific medium.

5. There is no requirement to create a new record to fit the public records request. If the information, however, is in such a format (e.g. computer) that would allow a tailored response to the request, then it exists in that form and must be disclosed in that form.


Rights & Responsibilities of a school district under the Public Records Act

6. Undue burden or expense is not a valid reason for refusing to comply with a public records request. State ex. rel Beacon Journal Publishing Co. v. Andrews, 48 Ohio St.2d 283 (1976). Where a public records request unreasonably interferes with the discharge of a records custodian’s duties or endangers the safety of the record, however, the school district may not be required to comply with the request.


Redaction & Withholding Documents

1. If a public body redacts a record, the person responsible for the record must notify the person requesting documents of any redaction made, or make the redaction plainly visible.

2. Any redaction of information pursuant to a public records request is deemed to be a denial of the request “except if federal or state law authorizes or requires a public office to make the redaction.”


Redaction & Withholding Documents

3. Upon ultimate denial of a request, the public body is required to provide an explanation, including citations to legal authority, for its denial of a request.


The Problem of E-Mail

• You must keep all e-mails that are public records in accordance with a records retention policy.

• Are e-mails sent and received on private accounts public records?


Ohio Office of Information Technology

• Any communication that documents your organization itself and/or functions, policies, decisions, procedures, operations or other activities of your office, is a public record. This applies whether your communication is from a personal e-mail account (ex: yahoo, hotmail), personal instant message account (ex: AIM), personal Internet chat room, text message from your personal cell phone, or other means. Similarly, it applies whether you are sending the communication from a personal laptop, cell phone, Blackberry, PDA, or similar device.


Ohio Office of Information Technology

• Others disagree. R.C. 149.43 (A)(1) says, "Public record" means records kept by any public office.

• State ex rel Glasgow v. Jones (2008) 119 Ohio State 3d 391, 2008 Ohio 4788 at ¶ 23:
– Based on this concession, we need not address the issue whether an e-mail message sent from or to a private account can be a public record.


The Problem of E-Mail

• In Toledo Blade, supra, the Supreme Court ruled that deleted e-mail messages remain public records as long as they remain on a hard drive.


Toledo Blade

• Court can order public body to reconstruct deleted e-mails upon the following showings:

– The e-mails have not been destroyed.
– The e-mails were deleted in violation of records retention and destruction policy.
– There must be some evidence that recovery may be successful.


Toledo Blade

• Just because recovery would be expensive does not bar the Court from ordering that it be attempted.

• Recovery effort only needs to be reasonable, not Herculean.


Problems with electronic storage of records

• How do you destroy them?
• Is the software right?
• Is it reliable?
• What about technology changes?


“ESI” – Electronically Stored Information and Public Records or e-discovery

CAS


A large and rapidly expanding “Digital Universe”

SOURCE: IDC, “The Diverse and Exploding Digital Universe: An Updated Forecast of Worldwide Information Growth Through 2011” (March 2008), Figure 1 used with permission.


Greater Complexity In the Storage and Use of ESI


Potential Sources of ESI

• Network email servers
• File servers, application servers
• Third party hosts – AOL, Yahoo, Google, MSN
• PDAs, Blackberries, Treos, Smart phones
• Diskettes, CDs, DVDs, Thumb drives
• Voice mail, cell phones, text messages
• Home computers
• Websites and intranets
• i-Pods
• Web 2.0: Social Networks, Blogs, Wikis, Cloud Computing


The Dynamic and Fragile Nature of ESI


The Convergence

Records Retention

Legal Discovery

These two issues are converging from both legal process and technology perspectives.

Both records managers and lawyers face significant eRetention and eDiscovery issues


What is the Challenge Facing Lawyers and Records Managers?

They must understand:

• Where ESI is

• What ESI should be preserved

• How it is technologically stored and managed


What is the Challenge Facing Information Technology?

IT is being asked not just to archive and back up information, but also to help classify it, policy manage it, and efficiently preserve, search, retrieve, and produce it.


Preservation Steps

• Written notice must be issued to every custodian of potentially relevant ESI with detailed explanation of what ESI might be relevant in the litigation, and explanation of what to do to preserve


Preservation Steps

• Must be followed by meeting with each custodian, and measures to isolate relevant ESI, while preserving metadata


Preservation Steps

• The legal hold must be monitored by counsel, the hold notice must be periodically reissued, and it must be updated as conditions change


Public Records vs. Ediscovery

Public Records have a number of automatic (statutory) exceptions.

EDiscovery has few exceptions, and a judge must agree. (e.g., irrelevancy)

BOTH are ESI we must manage and sometimes produce!


Acceptable Use of Computers and Investigating Misuse


Acceptable Use of Computers

The District’s Acceptable Use Policy is the single most important tool in managing the misuse of technology

SWY


Acceptable Use of Computers

The AUP permits our investigation and gives notice of potential discipline; dismissal or termination


Acceptable Use of Computers

The AUP must cover:
• No expectation of privacy – complete waiver of privacy rights
• District owns the system and makes all the rules
• Personal use, if permitted, is limited and does not misuse work time
• Responsibility for protection of student confidential data


Acceptable Use of Computers

Our experience with misuse by staff:
• Not “borderline” abuse
• Investigation many times triggered by non-computer events
• Often massive amounts of work time used for surfing or outside business; “content-neutral”
• Weight of computer evidence provokes resignation


Computer Forensics “light”: Investigating Misuse of Computers and diversion of work time by employees

CAS


A Word on Computer Forensics

• Used to identify and review “deleted data” that persists on the hard drives until overwritten

• Data persists in the “slack space”

• Painstaking, expensive, time consuming

• Anti-Forensics

• Trained personnel & forensic software


How investigations begin…

Where is the “crime scene?”

[Diagram labels: Perpetrator’s System; Victim’s System; Electronic Crime Scene; Cyberspace]


WARNING:

OFFLINE content on the hard drive is “fair game”

NEVER go “online” to access a subject’s accounts without permission or a search warrant!


DO “try this at home”:

Web Historian: www.mandiant.com


When teachers or staff misuse access to District computers, what rules apply?


Termination for Misuse (staff)

Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:

1(g) Using technology to intentionally host or post improper or inappropriate material that could reasonably be accessed by the school community.

SWY


Termination for Misuse (staff)

Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:

2 (i) Using technology to promote inappropriate communications with students.


Termination for Misuse (staff)

Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:

5 (a) Willfully or knowingly violating any student confidentiality required by federal or state laws, including publishing, providing access to, or altering confidential student information on district or public web sites such as grades, personal information, photographs, disciplinary actions, or individual educational plans (IEPs)


Termination for Misuse (staff)

Using the new Licensure Code of Professional Conduct - “Conduct Unbecoming” includes:

7 (h) Using school property without the approval of the superintendent or designee and/or not in accordance with local board policy (e.g., technology, copy machines, vehicles).


Termination for Misuse (staff)

Using Existing Board Policy (Cyberspace is NOT a “separate place”)

• Inappropriate student relationships
• Fraternizing
• Professional Conduct
• Misuse of District Resources
• AND – Make sure that the AUP is authorized by and “springs from” Board policy regarding computers


Termination for Misuse (staff)

Experiences with Computer misuse by Staff and Collective Bargaining Agreements:
• These are NOT “borderline” cases
• Overwhelming evidence generated by the system
• District looks at system AFTER problems spark an investigation – not “routine”


What speech is “free”? (staff)

• The Pickering test still applies:

- speech as a citizen on a matter of public interest, balanced against:

- the right of the District to avoid disruption of the workplace (Pickering v. Bd. of Education, 391 U.S. 563 (1968))

• See also: Garcetti v. Ceballos, 547 U.S. 410 (2006)

- the Court will not “constitutionalize a grievance”


Teacher activities in Cyberspace: Blogging, social networking, Tweeting and other communications

CAS


The “Drunken Pirate” case


Hennessy v. City of Melrose, 194 F.3d 237 (1999)

. . . requires the court to strike a balance between the interests of the teacher, as a citizen, in commenting upon matters of public concern and the interest of the State, as an employer, in promoting the efficiency of the public services it performs through its employees.


Hennessy v. City of Melrose, 194 F.3d 237 (1999)

Expression should not be considered in a vacuum; the manner, time, and place of the employee's expression are relevant, as is the context in which the dispute arose . . . whether the statement impairs discipline by superiors or harmony among co-workers, has a detrimental impact on close working relationships or impedes the performance of the speaker's duties.


“On-line disinhibition effect”

Many people feel a “distance” from their actions on a computer/ on the Internet that they would never feel otherwise

Psychologists have likened it to the phenomenon of “mob behavior”, where individual limits and values are submerged in the anonymity of the mob


Rule of Thumb?

“Blog” or otherwise put on the Internet those things that you would feel comfortable standing in front of the local Grocery and saying to customers, while illustrating your points on a whiteboard.


When students misuse access to District computers, or “act up” on the Internet, what rules apply?


Dismissal for Misuse (students)

The Student Acceptable Use Policy: again, the most important tool for the District

• Must cover known and emerging technology
• Focuses on OUR system and on OUR time
• Can be a “teachable moment”
• No expectation of privacy, and no ownership
• Tailored to District practices, teaching needs

SWY


Dismissal for Misuse (students)

The “Tinker” Standard of “substantial disruption”

Tinker v. Des Moines Ind. Comm. Sch. Dist., 393 U.S. 503 (1969) (suspension of students for wearing black armbands protesting the Vietnam War)

“students and teachers do not shed their constitutional rights to freedom of speech or expression at the schoolhouse gate”


Dismissal for Misuse (students)

The “True Threat” Analysis

– D.F. v. Bd. of Educ. of Syosset Central Sch. Dist. (E.D.N.Y., 2005) 386 F. Supp.2d 119

• A student wrote a fictional story of graphic violence and sexual acts in his school journal and read the story aloud to his classmates. The student was suspended.

• The court ruled that because the story involved real students and used real names, it constituted a “true threat” and did not qualify as free speech. The student’s suspension was upheld.


Dismissal for Misuse (students)

The “Mission of Education” or “Who’s in Charge Here” Analysis

Bethel School Dist. v. Fraser, 478 U.S. 675 (1986)

(Student gave a speech at a school assembly nominating another for elective office. The speech referred to the candidate in “terms of an elaborate, graphic, and explicit sexual metaphor”).

“the Federal Constitution does not compel teachers, parents, and elected school officials to surrender control of the American public school system to public school students”


“Off-Site” computing by students using private equipment; what happens when it offends?

CAS


Dismissal for Misuse (students)

The potential new “Student Welfare” standard

from Morse v. Frederick, 551 U.S. 393 (students unfurled a banner reading “Bong Hits 4 Jesus” during a televised Olympic torch relay. Student suspended 10 days)

“the First Amendment does not require schools to tolerate at school events student expression that contributes to the danger of drug use”


Dismissal for Misuse (students)

The problem: Layshock v. Hermitage Sch. Dist., 496 F. Supp. 2d 587 (W.D. Pa. 2007)

The very specific facts of this case place it squarely on the borders of almost all of our previous understanding of discipline for student speech and off-campus activities.

Therefore, each new Court has seen this case differently and reached a different result!


Dismissal for Misuse (students)

Libel and Defamation is the only LEGAL assistance for teachers and administrators; however,

• Unions, administrators, and counsel for both have joined together to get such sites removed from the internet

• All such sites are contrary to the “terms of service” of the various social network services


Copyright law for teachers in a Digital Environment


General Copyright Law

• Fair Use
• Educators may use copyrighted materials within their own classrooms without express permission from the copyright owner.

SWY


General Copyright Law

What is Fair Use?

The guidelines apply to use that is:

• ...without permission,

• ...of portions,

• ...of lawfully acquired copyrighted works,

• ...in educational multimedia projects,

• ...created by educators or students,

• ...as part of a systematic learning activity,

• ...by nonprofit educational institutions.


General Copyright Law

Fair Use Standards:

• The purpose and character of the use

• The nature of the copyrighted work

• The amount and substantiality of the portion used in relation to the work as a whole

• The effect of the use upon the potential market for or value of the work


Specific new copyright law: the “Digital Millennium”, Chafee Amendment, and the TEACH Act

CAS


Digital Millennium Copyright Act (DMCA)

Section 230:

“Service provider” not liable if:

- Does not have actual knowledge
- Not aware of circumstances from which infringement is apparent
- If knows, acts expeditiously to remove
- Does not receive a financial benefit


The Chafee Amendment (Section 168)

• May reproduce any and all copyrighted works for the use of the blind and disabled

• “Disabled” is an old definition from a 1930’s law – it requires “an organic basis” for the disability

• In the opinion of most, reading disabilities “have an organic basis”, at least in part

• Applies to material, for example, for use in a Kurzweil 3000

• Make sure parents sign an agreement


The TEACH Act

• Recognizes the “digital classroom” in distance learning environments

• Basically allows all that is necessary for teachers to use copyrighted material in distance learning classes in the same way they use it in physical classrooms

• Some extra provisions require minimal “copyright law training” for staff in order to use the protections of the Act.


Ownership of Student Work

• Releases used to say “the District owns all student work” when releases were gathered for exhibitions, web use, publication, etc.

• New trend is for releases to give District a “license to use” student work for the purpose – student retains all other rights

• District and student may share if work was created with significant District resources

• What is arguably the most famous piece of student artwork in America?


Student Possession of contraband electronic information or devices


Searching Student Devices

Again, Cyberspace is not a “new place”

We can apply what you know from previous law

SWY


Searching Student Devices

Student searches, since 1985, have been governed by a standard of “reasonableness”, because of the need for school officials to maintain order, and to preserve health, safety and discipline in the schools.

Reasonableness is much lower than “probable cause”, and takes in “all the circumstances”

The search should be justified, and reasonably related in scope to the circumstances that brought it about.

New Jersey v. T.L.O., 469 U.S. 325 (1985)


Searching Student Devices

“Justified” (the first part of the test) is satisfied “when there are reasonable grounds for suspecting that the search will turn up evidence that the student has violated or is violating either the law or the rules of the school”.


Searching Student Devices

“Scope” (the second part of the test) is satisfied when “the measures adopted for the search are reasonably related to the objectives of the search and not excessively intrusive in light of the age and sex of the student and the nature of the infraction”.


Federal and State Law as applied to “sexting”: a lack of choices for educators

CAS


Searching Student Devices

An enormous difference exists when a search turns up a nude or semi-nude photograph that could be of a minor:

Both the Federal Child Pornography law and various Ohio laws can apply to persons who possess, copy, or distribute such images.


Searching Student Devices

Consider the “Zip-Loc Bag” approach –

Secure the evidence and immediately turn it over to the appropriate administrator.

Any other act, no matter how reasonable or kind, may place the discoverer at risk under these very stringent laws.


Searching Student Devices

Administrators receiving such evidence must immediately inform law enforcement and transfer the evidence to them.

Do not copy (even for safekeeping) or show to others (distribution).

Do students have email or network storage spaces in your District?

You must act, even if you disagree with penalties as they are.


Challenges we soon must solve - where law and technology mix


The problem of e-mail: how to index it for retrieval and how long to keep it


The Problem of E-Mail

• “Managing Electronic Mail: Guidelines for State of Ohio Local Governments,” Ohio Historical Society:

– Simply backing up the e-mail system onto tapes or other media or purging all messages after a set amount of time are not appropriate strategies for managing e-mail.(!)


Four Categories of E-Mail Retention

• Non-record messages

• Transitory messages

• Intermediate messages

• Permanent messages


Non-Record Materials

• E-mail messages that do not meet the criteria of the Ohio Revised Code definition of a record may be deleted at any time, unless they become part of some official record as a result of special circumstances.


Transient Retention

• Includes telephone messages, drafts and other limited documents which serve to convey information of temporary importance in lieu of oral communication.

• Suggested Retention: Until no longer of administrative value, then destroy. No RC-3 required.


Intermediate Retention

• These may include (but are not limited to):

– General Correspondence: includes internal correspondence (letters, memos). This correspondence is informative (it does not attempt to influence policy). Suggested Retention: 1 year, then destroy.

– Monthly and Weekly Reports: Document status of on-going projects and issues; advise supervisors of various events and issues. Suggested Retention: 1 year, then destroy.


Permanent Retention

• Executive Correspondence: Correspondence dealing with significant aspects of the administration of their offices. Correspondence includes information concerning agency policies, program, fiscal and personnel matters. Suggested Retention: 2 years, then appraise for historical value.


Social engineering attacks: the greatest threat to your data security

CAS


Types of Cyberattacks, by percentage (FBI)

• Financial fraud: 11%
• Sabotage of data/networks: 17%
• Hacked from the outside: 25%
• Unauthorized access by insiders: 71%
• Employee abuse of privileges: 79%
• Viruses: 85%


What was done to insiders caught misusing company information?

• Oral admonishment: 54.3%
• Written admonishment: 20.9%
• Suspended: 5.4%
• Resigned: 6.2%
• Fired: 8.5%
• Referred to Law Enforcement: 1.6%
• Out-of-Court settlement: 0.0%
• No action: 3.1%
• Other: 0.0%


Protecting your Computer Systems: Immediate, no cost, high-yield

• Here are some definitions of social engineering:

– The art and science of getting people to comply with your wishes.

– An outside hacker’s use of psychological tricks on legitimate users of a computer system in order to obtain information he/she needs to gain access to the system.

– Getting needed information (e.g., a password) from a person rather than breaking into a system.


Protecting your Computer Systems: Immediate, no cost, high-yield

• Many experienced security experts emphasize this fact: No matter how many articles are published about network holes, patches, and firewalls, security experts can only reduce the threat so much.

• Beyond that, it is up to those who have access to the system not to allow themselves to be taken advantage of.


Protecting your Computer Systems: Immediate, no cost, high-yield

• The most prevalent type of social engineering attack is conducted by phone.

• A hacker will call up and imitate someone who is either in a position of authority or an otherwise relevant person and gradually pull the information out of the target of the attack (your employee).


Protecting your Computer Systems: Immediate, no cost, high-yield

• Help desks are a gold mine for social engineering because they are there to help people with their problems.

• Most help desk employees are minimally focused on the area of security.

• This can create a huge security hole.


Protecting your Computer Systems: Immediate, no cost, high-yield

• A huge amount of information can be collected through dumpsters.

• Potential security leaks in the trash include:

– phone books: names and numbers of people the attacker can impersonate.

– policy manuals: show hackers how secure or insecure the entity really is.

– calendars of various kinds: tell the attacker when people might be out of town.


Protecting your Computer Systems: Immediate, no cost, high-yield

– Printouts of sensitive data or login names and passwords.

– Printouts of source code.

– Outdated hardware: particularly hard drives.

– Organization charts: show people who are in positions of authority.


Protecting your Computer Systems: Immediate, no cost, high-yield

• The Internet is fertile ground for social engineers looking to harvest passwords.

• The primary weakness is that many users often repeat the use of one simple password on every account.

• One way in which hackers have been known to obtain passwords is through on-line forms. Naïve users are asked to provide a name, e-mail address, and password.


Protecting your Computer Systems: Immediate, no cost, high-yield

• Employee training is essential.

• Many entities make the mistake of only planning for attacks on the physical side.

• That leaves them open to social engineering types of attacks.

• Management must understand the importance of developing and implementing well-rounded security policies and procedures.


Protecting your Computer Systems: Immediate, no cost, high-yield

• Several signs of possible trouble according to the Computer Security Institute:

– Refusal to give contact information
– Rushing
– Name-dropping
– Intimidation
– Misspellings
– Odd questions
– Requesting forbidden information


Questions?

Sue W. Yount
614.227.2336
[email protected]

C. Allen Shaffer
614.227.4868
[email protected]