Business Continuity Focus: Information security laws you need to know during an unplanned work interruption or crisis

Ohio University’s Office of Emergency Programs offers business continuity planning guidance for colleges, departments and planning units to help anticipate and mitigate the effects of an unplanned interruption of business due to a crisis or disaster. 

The office also offers Business Continuity Brown Bag sessions each semester, which are available to all OHIO employees and focus on topics related to business continuity planning and disaster preparedness at work, at home and in the community. 

This Compass series seeks to highlight important topics covered at the regular brown bag sessions and is intended to keep faculty and staff “in the know” regarding best practices for being prepared. 


Unplanned interruptions to regular business can have an immediate and long-term impact on an individual department or organization. Challenges such as staffing shortages, displacement and relocation, technology deficits and weather-related factors can inflict complications on day-to-day work as an office recovers from a disaster. 

In addition, legally mandated policies and procedures for handling sensitive information can take a backseat to recovery efforts and the need to continue serving students, customers and other stakeholders. However, this kind of improvisation of standard practices becomes its own challenge when it turns into non-compliance. 

As an institution, OHIO handles a significant amount of potentially sensitive information including personally identifying information (names, addresses, social security numbers, etc.), health-related information through its clinics and medical partners, payment and credit card information, and information related to student grades. All of these types of information carry a legal obligation on the part of the information holder to take measures to protect and disclose only when appropriate. It is imperative that these procedures continue to be followed both during and after a disaster or interruption in business. 

Unintentionally disclosing sensitive data during a crisis can happen in a number of ways: 

  • In the event of a network outage, a professor posts names and grades on his or her office door;
  • A point-of-sale system outage results in taking down credit card information on Post-it notes;
  • A work-from-home scenario results in an employee storing patient records on a personal laptop;
  • Files with personal information are placed at risk in the event of interior construction work that leaves cabinets and doors unlocked.

Laws and policies related to information security

FERPA
The Family Educational Rights and Privacy Act is a federal privacy law that protects education records. At the University level, FERPA rights accrue to the student when he or she enrolls in University classes, regardless of age. At OHIO, FERPA considerations affect to whom the institution releases information regarding student grades, schedules and other education records. 

PCI
Ohio University has contracts with banks and credit card companies to process credit cards at on-campus and University locations and uses Payment Card Industry Data Security Standard (PCI DSS) to protect this data.

HIPAA
The Health Insurance Portability and Accountability Act is a law enacted in 1996 that regulates and protects the electronic exchange, privacy and security of health information through standards publicized by the U.S. Department of Health and Human Services. Related to HIPAA is the Health Information Technology for Economic and Clinical Health (HITECH) Act, which promotes the adoption and meaningful use of health information technology. 

Specific information regarding University policies and HIPAA can be found on the HIPAA page on the Office of Legal Affairs website.

Classified Data, International Traffic in Arms Regulations, Export Administration Regulations
These regulations govern federally controlled information regarding classified data, international security and exports. While most offices at OHIO do not need to be familiar with these special regulations, there are some instances when they may need to be considered by an office, department or planning unit. 

What can you disclose? 

  • Student information and FERPA: All legal requirements must be met, although there are special cases for disclosing information in support of the efforts of government agencies.
  • Student information and HIPAA: All legal requirements must be met, although there are special cases for disclosing health and safety information in support of the efforts of government agencies.
  • Credit cards and PCI: There are no special disaster cases for credit card processing and all requirements must be met at all times. 
  • Classified information: Information that meets the standards to be considered federally classified data requires disaster planning for fire, natural disaster, civil disturbance and terrorist activity. Options include protect, relocate (may require special approval, containers and alarm system) and destroy.

In all instances, disasters and interruptions to regular business do not negate the need to continue to protect sensitive information as required by law or contract. Offices and departments that handle sensitive information should develop their own familiarity with the laws and contracts pertaining to their area and work with the Office of Legal Affairs and IT Security when appropriate to ensure compliance. 

Ohio University Policies 
Any exceptions to existing University policy relating to data and information security fall under Policy 01.003: Exceptions to or Restrictions of University Policies. Exceptions cannot violate laws, and viable alternatives sometimes exist.

Making information security a priority
When developing a unit’s business continuity plan, employees and leaders should be thinking about the types of sensitive data involved in the day-to-day operations and building in backup security considerations as part of the BCP. 

Physical security measures – including locked doors, safes and document destruction plans – should be considered alongside data security measures including encryption, software, network segmentation and backups. 

What’s next? 
To update an existing business continuity plan or create a new one, contact Bev Wyatt, business continuity coordinator with Facilities Management and Safety, at wyatt@ohio.edu.

Bruce Tong, MCTP, CISA, PMP, ITIL, senior auditor with Internal Audit, contributed information for this story. Information contained in this story is only intended as a guide and not as legal advice. Employees with specific questions should consult the Office of Legal Affairs, IT Security (security@ohio.edu) or the Office of the Registrar (FERPA).  

Published: March 16, 2018
Author: Staff reports