Learning Curve
NYU Associate General Counsel Leona Chamberlin talks via e-mail about the university's data protection strategy.
April 30, 2009 at 08:00 PM
4 minute read
Read the full data breach feature here.
—
Educational institutions are at risk for data breaches just like any other organization that holds the personal information of its customers and clients. In 2008, breaches affected educational institutions in 131 separate incidents. New York University encountered some minor data breaches a number of years ago and used its experience to focus administrative and technical resources on upgrading its security and business processes. NYU Associate General Counsel Leona Chamberlin talks via e-mail about the university's strategy.
Q: What are the biggest challenges NYU has faced regarding data breach issues?
A: The biggest challenge in a large, decentralized institution such as NYU is that sensitive data may be distributed and stored at many levels, so it is difficult to know exactly what needs to be protected and where it is located. Data is stored locally, and people having responsibility for the data do not necessarily delete what is no longer is necessary to retain. NYU continually seeks to identify and purge unnecessary data and to establish standards for data that must be retained.
Q: What are the best solutions you've come up with for operating in the university environment?
A: Rather than utilizing a “top down” management style that imposes a set of rules and prohibitions, NYU has relied upon policy development and user education. In situations where data storage and retention are central to a department's function and which involve servers that we know we can control, we have developed policies that lead to a risk-based determination of how systems should be configured to reduce or eliminate the possibility of a data breach. At the same time, we have implemented a program of education and training for end users at all levels to create awareness of and personal responsibility for data in their custody. NYU is fortunate to have a highly professional Technology Security Services (TSS) department within its Information Technology Services division that identifies issues with regard to data handling and has the forensic skills necessary to determine if a breach may have occurred and the nature of any unauthorized systems activity. For purposes of assessing notice obligations, TSS is the primary watch dog and ties in the Office of Legal Counsel if ever there is a suspected data breach. The Office of Legal also supports TSS in policy development and reviews contracts for services in which data security is an element.
Q:Where is NYU looking to improve its data breach prevention policies and practices?
A: We are continually attempting to reduce the number of places where we use and store data where legal consequences could result if there were a data breach. We also are striving to improve awareness of NYU data protection policies among users. In furtherance of these goals, last year NYU conducted a university-wide survey to determine how and where sensitive data is being used and stored. The survey produced valuable information about use patterns and identified a number of areas where education and awareness could reduce risk.
Q: Please explain the changing use of social security numbers at NYU.
A: In spring 2004, NYU launched a project to replace the social security number–which we then used as the primary personal identifier–with a unique NYU ID number not derived from the SSN. That project was completed for the start of the 2004-2005 academic year, when approximately 50,000 new ID cards were issued with NYU ID numbers. Since that time, all NYU systems have been modified to accept the NYU ID number so that SSNs are accessible only to authorized persons with appropriate security permissions. All routine NYU business now is conducted using the NYU ID.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFinancial Watchdog Alleges Walmart Forced Army of Gig-Worker Drivers to Receive Pay Through High-Fee Accounts
GC Pleads Guilty to Embezzling $7.4 Million From 3 Banks
In Lawsuit, Ex-Google Employee Says Company’s Layoffs Targeted Parents and Others on Leave
6 minute readGC With Deep GM Experience Takes Legal Reins of Power Management Giant
2 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250