IT Security in Higher Education
With the increasing use of technology in higher education, it is important to analyze the laws in place with the aim of strengthening information security in these institutions. Although there are numerous acts intended to protect electronic information, the lack of a single, standard set of rules applicable to all entities may be a reason why such acts fail today. Some of these acts exempt certain entities from their requirements, and they usually exist at multiple levels, some of which contradict each other. My analysis will be restricted to the following acts: FERPA, HIPAA, ECPA, CFAA.
Family Educational Rights and Privacy Act
FERPA is the keystone federal privacy law in many institutions. It prohibits university personnel from disclosing students' "personally identifiable education information" without their consent. Information such as grades and financial aid records is protected by the act, which applies to the same degree to both electronic and non-electronic copies. The law also gives students the right to request and review their educational records and to have changes made where appropriate. Any institution that violates the act ceases to receive any form of federal funding. However, given the nature of the educational system, where certain data is supposed to be made public to foster the free spirit and educational atmosphere of an academic institution, and the increase in the amount of information being digitized, it has become complex to determine which information is protected by FERPA and which is not. This in turn results in violations.
HIPAA protects all patient information and prevents disclosure of medical information without the consent of the patient. All health institutions are therefore required to submit data regarding the use of patient information and which personnel have access to it. In more detail, HIPAA requires all entities subject to it to (i) adopt written privacy procedures that describe, among other things, who has access to protected information, how such information will be used, and when the information may be disclosed; (ii) require their business associates to protect the privacy of health information; (iii) train their employees in their privacy policies and procedures; (iv) take steps to protect against unauthorized disclosure of personal health records; and (v) designate an individual to be responsible for ensuring the procedures are followed. Given that most academic institutions operate a health care plan through a health care institution, these institutions are expected to submit this information as well. However, this becomes problematic because the patient information is then made available to multiple parties and institutions, making it vulnerable.
The ECPA covers a broader range, as it is not restricted to certain entities in the way FERPA and HIPAA are. It prohibits the unauthorized use or interception by any person of the contents of any wire, oral or electronic communication. However, it does not penalize individuals who disclose information about the existence of such electronic communications or about the individuals involved in the exchanges. The monitoring of students' network use or of network usage patterns by institutions would not be prohibited by the ECPA. This poses a problem, as such information could be "unconsciously" used to deny students resources they would otherwise have had access to. The act also exempts law enforcement personnel.
The CFAA criminalizes unauthorized access to a "protected computer" with the intent to obtain information, defraud, obtain anything of value or cause damage to the computer. A "protected computer" is defined as a computer that is used in interstate or foreign commerce or communication, or by or for a financial institution or the government of the United States.