SI 510 - Special Topics: Data Security and Privacy: Legal, Policy and Enterprise Issues

Person typing on laptop with Lego wall around it

Image adapted from lloydi under a Creative Commons license: BY-NC-SA.

Term:
Winter 2010
Published:
August 24, 2010
Revised:
June 5, 2015

This course is no longer taught at the U-M School of Information. These materials are from an older iteration of the course.

As data collection and information networks expand (and stories of security breaches and the misuse of personal information abound), data security and privacy issues are increasingly central parts of the information policy landscape. Legislators, regulators, businesses, and other institutions of all kinds are under increasing pressure to draft and implement effective laws, regulations, and security and privacy programs under rapidly changing technological, business, and legal conditions. A strong need is arising for individuals with the training and skills to work in this unsettled and evolving environment. This course examines security issues related to the safeguarding of sensitive personal and corporate information against inadvertent disclosure; policy and societal questions concerning the value of security and privacy regulations, the real-world effects of data breaches on individuals and businesses, and the balancing of interests among individuals, government, and enterprises; current and proposed laws and regulations that govern data security and privacy; private-sector regulatory efforts and self-help measures; emerging technologies that may affect security and privacy concerns; and issues related to the development of enterprise data security programs, policies, and procedures that take into account the requirements of all relevant constituencies, e.g., technical, business, and legal.

Instructor: Don Blumenthal

dScribe: Meredith Raymond

Course Level: Graduate

Course Structure: Three-hour class, once a week

Syllabus

Course Description

As data collection and information networks expand (and stories of security breaches and the misuse of personal information abound), data security and privacy issues are increasingly central parts of the information policy landscape. Legislators, regulators, businesses, and other institutions of all kinds are under increasing pressure to draft and implement effective laws, regulations, and security and privacy programs under rapidly changing technological, business, and legal conditions. A strong need is arising for individuals with the training and skills to work in this unsettled and evolving environment.

This course will examine: 1) security issues related to the safeguarding of sensitive personal and corporate information against inadvertent disclosure; 2) policy and societal questions concerning the value of security and privacy regulations, the real world effects of data breaches on individuals and businesses, and the balancing of interests among individuals, government, and enterprises; 3) current and proposed laws and regulations that govern information security and privacy; 4) private sector regulatory efforts and self-help measures; 5) emerging technologies that may affect security and privacy concerns; and 6) issues related to the development of enterprise data security programs, policies, and procedures that take into account the requirements of all relevant constituencies; e.g., technical, business, and legal.

This course is intended for students and professionals in information policy, public policy, law, business, computer science, and information science who have an interest in work or research in security and privacy fields, or in support of those fields. It also will be relevant to individuals with interests in other fields in which traditional responsibilities may have new security considerations; e.g., programming.

The course will include individual reading and writing assignments, class discussion, case studies, and a group assignment. Students will have some latitude to tailor the assignments to their skills and interests.

Course Objectives

The growing importance of information security and privacy matters in the government and enterprise arenas has significantly broadened the range of individuals who must be aware of relevant issues as part of their work. Security is becoming more of an element of existing roles such as records management, and new security roles such as Chief Information Security Officer are appearing in the enterprise. Finally, security considerations may become new elements of traditional responsibilities (e.g., programmers historically have been expected to document code, but now should be aware that failure to document may be a factor in a law enforcement investigation of whether a data breach was foreseeable).

This course will examine legal, policy, and enterprise issues and problems related to security and privacy. Electronic data will be the focus but other forms of information also will be considered. Discussions will take general approaches and also focus on specific technologies.

Learning Objectives

The course will provide students with:

  • A general background in concepts of privacy in American society.
  • An understanding of how automation is changing the concepts and expectations concerning privacy and the increasingly interconnected issue of security.
  • Knowledge of laws and regulations concerning information security from both data protection and law enforcement perspectives. Policy questions related to these laws and regulations will be examined as part of discussions and readings. United States federal laws and policies will be the focus of the course but comparison will be drawn to approaches taken by states and other nations and organizations.
  • Knowledge of the role of private regulatory and self-help efforts.
  • An understanding of how emerging issues are affecting society and business, with a concentration on how information security must shape corporate practices. These issues will be addressed largely through the context of examining mechanisms for the safeguarding of data.

At the end of the course, students in a variety of disciplines will have an understanding of the concepts and issues necessary to address emerging areas of security and privacy in their potential or current careers. Broadly defined roles include, but certainly are not limited to, systems managers, developers, and engineers; librarians, records managers and other archivists; business managers whose areas of responsibility include systems; data analysts; public and private sector policy professionals; and privacy and security professionals.

Course Format

Classes will consist of a lecture followed by a seminar discussion. Guest speakers, some still to be scheduled but hopefully including representatives of interest groups, private industry, and law enforcement, will be part of the course as availability and remote technologies allow. Students are expected to read the required readings for each class, be prepared to discuss the issues that they address, and raise questions and make comments pertaining to their content. Opportunities for students to initiate discussions of current issues and events related to information security and privacy also are important parts of the program.

Students may be called upon at least once during the semester to assume leadership roles (in conjunction with the instructor) in guiding individual class sessions. As part of this assignment, students will be required to prepare 1-2 page analyses of the week’s readings for distribution to the class. These analyses may be distillations of what a student regards as the primary points of the readings or opinion pieces on issues raised.

Students also will be expected to complete two individual writing assignments and participate in a group project.

Required Texts

International Guide to Privacy – American Bar Association (Privacy)

International Guide to Cyber Security – American Bar Association (Cyber Security)

Roadmap to an Enterprise Security Program - American Bar Association (Roadmap)

The Executive Guide to Information Security – Egan and Mather (Guide)

Case studies from the Harvard Business School. These materials are available from http://cb.hbsp.harvard.edu/cb/access/5263390

These materials should be on reserve in the library, except for the case studies. In addition, I have requested reserve copies of:

Security Metrics: Replacing Fear, Uncertainty, and Doubt – Jaquith

Information Assurance for the Enterprise: A Roadmap to Information Security – Shoemaker and Schou

In addition, anyone who has or develops a particular interest in the increasingly important area of cloud computing may want to look at:

Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (download at no charge from http://www.cloudsecurityalliance.org/csaguide.pdf)

Other readings are identified in the syllabus. In the interest of keeping up to date in evolving fields, the instructor also will supply materials of interest that are discovered or published during the course. Some supplemental materials on the list below will drop out along the way.

Readings will include laws, regulations, and technical standards. These materials will be used as part of the framework to address the core issues in the course. Students will not be expected to master legal or technical intricacies.

Guest speakers from the public and private sectors also will show up on the syllabus as their schedules permit. Guests in the past have included representatives from UM, the FBI, FTC, and an e-commerce privacy certification organization (the person now is with DHS). I hope to have someone from a security auditing firm this year.

Assignments

Writing Assignment 1: Prepare a 4-6 page, double-spaced paper that explores the approach of the federal government toward issues of privacy and security and compares it to the ideas followed by states or international governments and organizations. This paper may be an overview or focus on specific subjects and laws. Due by midnight of the Friday of the week 6 class, 2/12.

Writing Assignment 2: Prepare a 4-6 page, double-spaced paper exploring security risks and potential consequences of breaches in any of the data or system topics discussed in the class. Present your views concerning appropriate roles of industry self-regulation or law enforcement with respect to the problem that you discuss. Due by midnight of the Friday of the week 10 class, 3/19.

Group Project: The group project will require examination of enterprise settings in which to examine the concepts of integrated enterprise security planning discussed in the course. Students will be required to study interdisciplinary approaches to ensuring the security and integrity of systems and information, with reference to business issues, technology, and relevant laws, regulations, and law enforcement precedent. The instructor will assign groups to study real-world enterprises, which will involve in part interviews with staff of the organizations.

The final products will be group class presentations in Weeks 13 and 14, and a group 10-12 page, double-spaced paper due by midnight of the last day of class or a date TBD during the finals period.

All written materials shall be submitted in electronic form to CTools drop boxes or to the instructor by email.

Grading

Formal assignments will count for 30% each. Class participation, through questions, comments, current issue discussions, posts to CTools Forums and Discussions, and possible short presentation assignments, will be 10%.

Accommodations for Students with Disabilities

If you think you need an accommodation for a disability, please let me know at your earliest convenience. Some aspects of this course, such as the assignments, the in-class activities, and the way I teach, may be modified to facilitate your participation and progress. As soon as you make me aware of your needs, we can work with the Office of Services for Students with Disabilities (SSD) to help us determine appropriate accommodations. SSD (734-763-3000; www.umich.edu/~sswd) typically recommends accommodations through a Verified Individualized Services and Accommodations (VISA) form. I will treat any information you provide as private and confidential.

General Writing Requirements - Original Work

All written submissions must be your own original work. You may incorporate selected excerpts from publications by other authors, but they must be clearly marked as quotations and must be attributed. If you build on the ideas of prior authors, you must cite their work. You may obtain copy editing assistance, and you may discuss your ideas with others; collaborative learning is valuable. However, all substantive written work and ideas must be your own, or be attributed explicitly to another.

See the Rackham Graduate policy on Academic and Professional Integrity at www.rackham.umich.edu/policies/gsh/appb for the definition of plagiarism, and associated consequences.

Writing Guidelines

These guidelines should help in framing your writings. Some of them are standard advice. Others reflect my own biases.

1) Put your name on the paper and in the filename of electronic assignment submissions.

2) Follow the assignment. If you have other ideas or topics that you really want to explore, talk to me first.

3) Be clear and, most important, concise; frame your topic, follow it with a discussion, and then wrap it up in a final paragraph or two.

4) Don’t make conclusory statements. Support statements of fact with citations or arguments with logical steps that led you to your belief; present conclusions rather than opinions.

5) Don’t let your biases get in the way. Let the thesis fit the facts; don’t force the facts into a preconceived notion. The latter approach often leads to “facts” that cannot be documented.

6) Avoid being overbroad. “Always,” “never,” etc., may work but are risky in general.

7) Avoid sentence fragments. Make sure that the sentence has an object, subject, and verb.

8) Proofread. It often helps to have a colleague read your paper. Reading a printed version yourself also will catch mistakes that you might not see on the screen.

9) I’m not a stickler for citation form or location. However, the citation must have enough information for me to find it online or on a shelf.

10) The first two assignments are academic policy essays.

a. Be assertive. State your position or conclusions without, for example, “I think” or “I believe.” For example, “Google will rule the world someday,” not “I think that Google will rule the world someday.”

b. Stay away from first and third person; e.g., I will examine, we will analyze, you would expect.

Rules for research papers, such as the final project, are different with respect to #10. Research can produce “we discovered,” “the subject told us,” etc., statements.

Online Research Guidelines

1) Cite the complete URL and date retrieved. Include a page number or section name if the article has discrete links to pages or sections.

2) Wikipedia and other wiki-based materials are not acceptable primary resources; do not cite them in your papers. They can be useful as guides to research but, by their nature, are not authoritative. So that you don’t think I’m being a complete Luddite, I will add that encyclopedias never have been acceptable primary sources in academic writing.

3) Make some attempt to vet your sources. The fact that somebody has a keyboard and a broadband connection doesn’t automatically make the person worth citing or quoting.

Syllabus

  • Syllabus (Creator: Don Blumenthal)

Lectures

  • Week01: Early (more or less) Security and Privacy: Privacy Issues and Protections (Creator: Don Blumenthal)
  • Week02: Privacy Meets Security – Data Protection Statutes (Creator: Don Blumenthal)
  • Week03: Approaches by Other Jurisdictions (Creator: Don Blumenthal)
  • Week04: Public/Private Interrelation (Creator: Don Blumenthal)
  • Week05: System Hacks and Attacks (Creator: Don Blumenthal)
  • Week06: Data Security Enforcement (Creator: Don Blumenthal)
  • Week07: Self-Regulation and Privacy (Creator: Don Blumenthal)
  • Week08: Enterprise Roles (Creator: Don Blumenthal)
  • Week09: Standards and Best Practices (Creator: Don Blumenthal)
  • Week10: Real World Considerations (Creator: Don Blumenthal)
  • Week11: Enterprise Security Program - People and Processes (Creator: Don Blumenthal)
  • Week11: How Did This Mess Arise? A brief history of computers and the Internet (Creator: Don Blumenthal)
  • Week12: Data Disruption (Creator: Don Blumenthal)
  • Week12: Enterprise Security Program - Technology and Planning (Creator: Don Blumenthal)

Miscellaneous

  • Course/Resource Archive in Institutional Repository (October 2010) (Creator: Don Blumenthal)