Cisco defines information security (infosec) as “the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and inspection.”
But you're just a college employee; how could this term possibly apply to you?
If you explore the fine print, you'll realize that many colleges and universities have specific policies regarding information security. They spell out what employees can and cannot access, handle, and disseminate information. As a college employee, you likely have contractual obligations related to all forms of information.
These policies are completely necessary. Universities preside over large amounts of sensitive data, from students' identifying details to proprietary, federally-funded research. Even the most minor breach can be disastrous for a university.
If you are or become the focus of an alleged information security violation, know what potential sanctions you face. Universities' earnestness about info security may be reflected in merciless punishments directed towards you.
Hiring an attorney-advisor like Joseph D. Lento to defend you against a university's formidable resources can help level the playing field.
Why Do Universities Protect Information So Stringently?
America's most prominent research universities are not the only schools with a stake in data security—they may have the greatest stake, though.
The information security risks associated with research universities illustrate why colleges across the country have clear infosec policies. The FBI’s Higher Education and National Security report explains that American universities' culture of openness and freedom may:
- Make colleges vulnerable to data theft
- Allow foreign adversaries to illicitly capitalize on American universities' research and development
- Lead to espionage through the corruption of university networks (digital or otherwise)
- Compromise students through informational means
The leaking of a single student's social security number could be disastrous. That being said, the fact that universities are often the sites of sensitive, proprietary research makes the issue of info security even more pressing.
The American Association of Medical Colleges (AAMC) expresses concern that, in recent years, “...federal science agencies, and the media have highlighted concerns about the impact of undue foreign influence on federally funded research in the US”. It is alluding to research completed on college campuses, as so much research is.
Though many college employees do not participate directly in such high-stakes research, they are bound by the same infosec guidelines as those employees that do handle the sensitive information.
When you consider the complete picture of what goes on within a university's physical and digital limits, it becomes clear why schools take information security so seriously.
What Are Some High-Profile Cases of Infosec Violations at the College Level?
Even the most well-regarded American universities fall victim to infosec shortcomings. The US Department of Justice announced on January 28, 2020 that Harvard professor Dr. Charles Lieber had allegedly:
- Been paid $50,000 per month (and other significant expenses) by the Chinese government while serving as Harvard's Chair of the Department of Chemistry and Chemical Biology
- Lied about this affiliation despite being legally required to report such affiliations (being in a position of such influence)
These charges have provoked questions about whether sensitive research from Harvard became compromised under Lieber's watch. The same Justice Department report details the arrest of two Chinese nationals accused of stealing biological research from American universities.
These cases put real faces to the threats that the FBI speaks about in its Higher Education and National Security report. They are far from the first cases of University-owned information being compromised.
University of Tennessee professor Reece J. Roth is another notorious case of collegiate information security malevolence. While Roth was working on military-grade drone research, he “knowingly provided export-controlled defense information to a Chinese graduate student on his research team,” per the US Air Force Office of Special Investigations.
Are these cases indicative of the information security violation that you face? Perhaps not. You may have simply failed to follow procedures or made a genuinely innocent mistake.
However, these cases again reinforce why you need representation for your case. Universities have experienced embarrassing, national security-compromising cases of information insecurity. To avoid the perception of leniency, they could handle your case with a heavy hand.
What Are Federal Laws Governing Information Security?
Though universities generally have independent infosec policies, certain federal laws may apply to you as a college employee. This is not to say you are facing any criminal charges, only that universities generally follow practices that reflect these laws.
Relevant laws include:
- Family Educational Rights and Privacy Act of 1974, commonly known as FERPA
FERPA (20 USC § 1232g; 34 CFR Part 99) students aged 18 and older the right to:
- See their academic records
- Determine who can (and cannot) view their educational record
- Request amendments to their educational record
For information security purposes, FERPA's privacy-related sections may be most relevant.
- Federal laws related to individual privacy
The National Center for Education Statistics (NCES) states that “Most private and public colleges and universities are also subject to federal privacy laws because they receive federal funds from the US Department of Education.”
It cites the Protection of Pupil Rights Amendment (PPRA), which provides certain protections to parents whose college student is a minor.
NCES explains that while the Freedom of Information Act (FOIA) of 1966, the Privacy Act of 1974, and the Computer Matching and Privacy Protection Act of 1988 do not apply to educational records, many states have rules that replicate the spirit of these laws.
What Do Colleges Say About Information Security Violations by Employees?
Every college or university with an infosec policy may have unique phrasing, rules, and sanctions. We'll present some examples of individual policies. Collectively, they give an idea of how universities define and categorize information security.
Massachusetts Institute of Technology (MIT)
One of the leading technological institutes in the world, MIT applies a “reasonable” standard to information security:
“Individuals who manage or use IT resources required by the Institute to carry out its mission must take reasonable steps to protect them from unauthorized modification, disclosure, and destruction. Data and software are to be protected, regardless of the form, medium, or storage location of the information. The level of protection shall be commensurate with the risk of exposure and with the value of the information and of the IT resources.”
University of California - Berkeley
UC-Berkeley’s information security policies include the following rules:
- Employees must secure information in a way that is commensurate with the data's sensitivity
- Owners of a network device must adhere to UC-Berkeley's security protocols and standards
- Employees must immediately report security incidents and suspicious activity
The university also requires employees to clearly define personal and work information when confusion could arise.
Ohio University
Not every employee faced with an alleged information security violation will work for an elite university. Ohio University's infosec policies provide a window into how state schools handle infosec concerns.
Ohio U. outlines specific standards for:
- Encrypting information in university computers
- Reporting data breaches
- Securing mobile devices on the university network
You must know the information security standards specific to your university. This is crucial to defending yourself from a charge of insufficient or improper information security.
What Are Your Information Security Mandates as a University Employee?
As a university employee, the rules you are subject to may depend on:
- Your specific job title
- Your professional responsibilities
- The types of information you come into contact with
- The specific policies of the university where you work or worked
Generally, you may need to handle all information in accordance with federal laws, university rules, and the standards of reasonable care.
What Qualifies as an Information Security Violation?
The answer to this question can vary from one college to another. Some actions and failures may qualify as an information security violation in most cases. This includes:
- Sharing a student's information in a way that is not permitted
- Handling sensitive information on an unsecured device or network
- Maliciously sharing sensitive information with a third party
- Failing to report a data breach in a timely manner
- Trying to conceal a violation of the college's information security policies
- Accessing information that you are not authorized to access
- Archiving school-owned records on your own device
These are just some of the actions and shortcomings that could lead to sanctions against you.
What Sanctions May You Face for an Infosec Violation?
Sanctions for an information security violation will likely depend on:
- The nature of the allegation against you
- Whether you have been accused of any violation in the past
- The school's specific policies on handling alleged information security violations
Potential consequences include:
- Official reprimand
- Disciplinary probation
- Mandatory completion of a course related to your alleged violation
- Suspension without pay
- Firing
Your employer may maintain a permanent record of an information security violation in your human resources file. Depending on the nature of the allegation against you, the college could initiate criminal procedures.
Professional sanctions may contribute to or directly cause:
- Loss of income
- Loss of future earning power
- Loss of healthcare benefits
- Emotional distress
- Relationship problems
- Health problems
- Lost quality of life
- Loss of freedom
An information security violation is a serious allegation. Do not underestimate the potential consequences that you face.
What Process Can You Anticipate for Your Case?
Every university may have a unique policy for handling alleged information security violations. The large-picture view of what should occur in your case is:
- The university should investigate the incident
- The university should notify you of an investigation into your conduct
- The university should notify you of its conclusion and any sanctions against you
For allegations of wrongdoing against students, there is generally a clear policy on how the student can defend themselves and appeal an adverse decision. As you can see from The University of Alabama - Birmingham’s policies, employees may not generally have the same protections.
However, you do always have some type of recourse. There are real consequences to professional sanctions. Employment law helps defend you from unfair or unduly harsh action, and an attorney can explain what your options for justice are.
What Can You Do to Defend Yourself?
Hire attorney-advisor Joseph D. Lento, for starters. Attorney Lento and his team at the Lento Law Firm will:
- Review the allegations against you
- Pursue any evidence that supports your defense
- Handle every possible aspect of your case
- Seek the most positive outcome possible based on the facts of your case
Importantly, Attorney Lento will conceive and execute your defense against an allegation of impropriety. In the meantime, do not make any on-the-record statements, and definitely do not admit any wrongdoing.
What Are Possible Defenses Against an Information Security Allegation?
Research published by Binghamton University suggests that information security policies (ISPs) are often the problem. It found that these policies can:
- Fail to account for the realities of your job
- Lead employees to disobey information security rules because they are onerous
- Ultimately expose the organization to data breaches
- Result in unjustified sanctions on employees, as it is the policy that is the problem
Such findings may be the basis for your defense—that an outdated, unrealistic, or unclear policy is to blame for your violation.
Our team will review your case to determine if any additional or alternative defenses are necessary.
What Can an Attorney-Advisor Do for You?
A college is generally funded by students tuition, alumni donations, athletic programs, and other sources of income. They can do much with these resources, including wage a fight against your livelihood and reputation.
It is wise to retain a resource of your own—a skilled attorney-advisor who knows how to defend you from the allegations levied against you. You may be in uncharted waters, and an attorney can keep you from capsizing.
Attorney Joseph D. Lento is dedicated to defending school employees' rights. He will stand tall to those who have accused you of wrongdoing.
Call the Lento Law Firm Today
Attorney Joseph D. Lento and his team are ready to speak with you about your case. Contact the Lento Law Firm today at 888-535-3686 to schedule a consultation.
