Technology and Web 2.0 Across Institutions - Risk Mitigation

This was a 50 minute presentation to college administrators.

Published in: Business
  • Technology and Web 2.0 Across Institutions - Risk Mitigation

    1. Technology and Web 2.0 Across Institutions: Impact and Opportunities. Risk Mitigation – The Legal Perspective. Dan Michaluk, February 2, 2010
    2. Outline
        • Data breaches
        • Individual use of the “consumer cloud”
        • Outsourcing risks
        • Violence, harassment and Web 2.0
    3. Data breaches
    4. Data breaches
    5. Data breaches
    6. Data breaches
        • Risk 1 – Breach of duty to secure
            • Comprehensive risk-based approach that includes an internal responsibility system
            • Be proactive – go after low-hanging fruit (USB keys, mobile devices, shredding practices)
            • Be proactive – engage in employee training
            • Be responsive – breach response that involves a documented root-cause analysis and remedial plan
    7. Data breaches
        • Risk 2 – Breach of duty to warn
            • Who makes the call about investigation? Notification? Mitigation offers?
            • Information must flow quickly to the person who is accountable
            • That person will balance risk of harm versus need for information
    8. Individual use of the “consumer cloud”
        • Common scenarios?
            • Employee e-mails work home using free internet-based e-mail
            • Employee uses free internet-based services to produce written work product
            • Instructor uses consumer service to create teaching environment
    9. Individual use of the “consumer cloud”
        • Risks
            • Loss of control over business information
            • Loss of control over regulated personal information
            • Loss of control over the educational environment, which has human rights compliance implications
    10. Individual use of the “consumer cloud”
        • Risk mitigation
            • Amend data security policy
            • Amend acceptable use policy
            • Demand that work is done on work computers with limited exceptions
            • Prohibit e-mailing work home with limited exceptions
            • Recognize remote computing investment as part of risk management
    11. Individual use of the “consumer cloud”
        • Risk mitigation
            • Or go with the flow by outsourcing to the “enterprise cloud”
    12. Outsourcing risks
        • Two related risks
            • Breach of duty to secure information
            • Breach of duty to control information
    13. Outsourcing risks
        • Risk mitigation
            • Build a good due diligence team and engage in due diligence
            • Enter a contract that controls the information
                • Your content versus their business record
                • Use and disclosure controls
                • Retention controls
            • And so on… (see Alberta OIPC guide)
    14. Violence, harassment and Web 2.0
        • Duty to provide a safe and harassment-free “college environment”
            • Civil and statutory duties
            • Web 2.0 can be a tool for intimidation and harassment
            • Web 2.0 raises boundary issues
    15. Violence, harassment and Web 2.0
        • Managing the risk of disturbing posts
            • A feature of Columbine, Dawson College and others
            • Threat assessment procedures are a key feature in managing the threat of violence
            • Be prepared to assess reports of postings
            • Look at postings in a threat inquiry
            • Duty to routinely monitor public writings of students is questionable
    16. Violence, harassment and Web 2.0
        • Managing the risk of negative posts
            • This is a code of conduct issue
            • Your scope clauses should not be based on physical boundaries
            • The line between permissible and non-permissible may be subtle
            • Is it harassment? Defamation? Intimidation?
            • Or is it news? Fair comment?
    17. Dan Michaluk
        • [email_address], (416) 864-7253, http://danmichaluk.wordpress.com
        • or LinkedIn
    18. Technology and Web 2.0 Across Institutions: Impact and Opportunities. Risk Mitigation – The Legal Perspective. Dan Michaluk, February 2, 2010