RAQs: Recently Asked Questions

Topic: Library Files - 1/24/2020
What recourse may a library board take, if a former director removes all library files from a libr...
Posted: Friday, January 24, 2020 Permalink

MEMBER QUESTION

What recourse may a library board take, if a former director removes all library files from a library owned computer that relate to the running of the public library?

WNYLRC ATTORNEY'S RESPONSE

Every employer struggles with this issue: give employees enough access to electronic information to do their jobs, but protect that information from accidental disclosure, file corruption, and theft.

Solid practices like routine security updates, back-ups, password re-sets, and employee training can help a library avoid the worst IT disasters.  But what if someone in a position of trust simply abuses their access?  What if a scenario like the member's question should arise?

There is a process to address this type of scenario.  In order to ease an adrenalized mind,[1] it is presented below in grid form.

Upon suspicion that files have been removed or inappropriately removed by a former library employee, follow these steps to assess what recourse a board might have:

Action

Why you do this

Results

1.  Upon suspicion that files have been removed, if possible, do not take further steps alone.

Create an "Initial Response Team" of at least two people to do the next four steps, and designate one of them as the note-taker and document-keeper.

If your library's computer system is supplied or supported by a cooperative library system, one of these people should be from the system.[2]

Organizing a time-line and take photos or screenshots of information showing the potential problem.

The facts you assemble and first steps you take may have far-reaching consequences for your library's response and recovery, as well as for the potential wrong doer.

At this stage, however, you'll just be documenting what appears to be missing.  No deep-dive investigation.   It should only take an hour or two.[3]

Initial Response Team formed and responsibilities of team members made clear.

Note-taker assembling information.

2.  Without letting it take more than an hour (or two) and without making any changes to your system, assess and create an informal list of what appears to be missing (file types, specific types of information, locations), when this was noticed, and what the first signs of the concern were.  This will be your "Initial Inventory."

You need to have a foundation for your next steps, so you're creating a quick description of the possible situation.

An Initial Inventory you will use in the next few steps.

Note: The "Initial Inventory" is not an attempt to assess what happened, just to list what might be missing, and a few initial details.

 

3.  Look over the Initial Inventory.  Could any of the missing files contain personal/private information, such as: name, address, date of birth, ssn, library card number, credit card information, contact information, banking information, health-related information, computer use, passwords, or circulation records?

If the answer is "yes," add the phrase "…possibly includes loss or compromise of private information and/or library patron records" to the Initial Inventory.

This part of the Initial Inventory will help those assessing the issue quickly appreciate the possible privacy and confidentiality  implications of the situation.

4.  Contact the library's insurance carrier, and alert them that you may have had a loss of data related to "unauthorized computer access that may involve a former employee."

If your Initial Inventory includes a "yes" to Step #3, also state: "The situation may have involve personal and confidential information."

If your initial contact is by phone, confirm the notice via a letter or e-mail.

Depending on your library's insurance type, you may be covered for this type of event.

Notifying your carrier and following up in writing will help the library determine if the carrier will provide coverage and/or assistance for the event.

Timely notice to the library's insurance carrier, enabling your carrier to let you know if you have coverage and if they can provide assistance in recovering from the event.

NOTE:  If the event is covered, some or all of the remaining steps could be impacted by the participation of the carrier.

5.  With the Initial Inventory complete and the carrier on notice, the board (or director, if the board has delegated the right amount of authority to them) must decide who is in charge of next steps: the full board, a board committee, the Director and a team, or any combination of people needed to assess the matter. 

This "Response Team" should have the power to appoint a qualified professional to assess the situation, to retain legal assistance if warranted, and to recommend a final course of action to the board.

In no event should a report to the board (or Executive Committee) extend the timeline for arranging a response beyond 3 business days.

Unauthorized computer access involving a former director (or any employee) is serious enough to warrant board involvement, whether or not personal and confidential information.

This is especially true since, in a worst-case scenario, the library may have to report a data breach, expend resources to re-create or retrieve the information, work with an insurance carrier to recover from the loss, consider if any aspects of the former employee's contract or severance apply (if there was either/or) and based on what is discovered, consider whether or not to file a report with law enforcement.

Clarity as to who is in charge, what level of authority they are working with, and who they will bring on to assist with the investigation and recovery.

6.  Alert the library's lawyer by sending them a copy of the Initial Inventory, and connect them to the Response Team, so they can assist at needed.

 

It will be the lawyer's responsibility to work with the Response Team and others to ensure the library is positioned to seek relief from the carrier or the former employee, to assess any relevant contracts (for instance, if the files were deleted from a cloud server), and to advise the board about filing a report with law enforcement, or pursuing civil remedies.

Attorney-client privileged input to help assess response options in the best interests of the library.

7.  The Response Team should retain a qualified IT/data security professional to assess and develop an "Incident Report" with a Final Inventory of what is confirmed as missing, a conclusion as to how it went missing, and if/how it can be recovered.

This should be done within 3 days of discovery and before there are any changes to the system.   Ideally, this work should only be performed after the library and the IT professional sign a written contract that is reviewed by the lawyer.

A contract with a qualified firm;

A certificate of insurance from the professional firm;

A written Incident Report from the firm.

8. Based on the value, sensitivity, and type of information in the Final Inventory, work with the IT professional and lawyer to assess any legal steps the library must take to recover or to give required notifications of data breach.

Depending on what went missing, the library could have concerns under any number of laws. 

The final recommendation should be a memo to the board, regarding any necessary steps (or confirming not are needed).

9.  Based on the complete Incident Report's assessment of what is  missing, how it went missing, and if/how it can be recovered, and any relevant details about the employee, develop a course of action.

For more on this aspect, see the rest of this RAQ.

Recourse.

What happens as part of number "9," is the actual answer to the member's question.  But until a library follows steps "1" through "8," it can't fully know its options under "9."

And what can happen as part of "9"?  The range of consequences for unauthorized computer access and/or data destruction is vast, running from criminal penalties to civil remedies.  And if considered with solutions for how a library can recover from the loss, there are further possibilities.

If I was on the board where a former director removed all the library files from a library owned-computer that relate to the running of the public library, at the end of the day, here's what I'd want get out of "The Files Are Gone" process:

  • Know if the files were simply removed, or if they were removed and accessed/disclosed beyond the library;
  • If they were disclosed beyond the library, what the library must do to address that (including special considerations if personal or confidential information was accessed);
  • If the files were only removed, know if they can easily be replaced, or if they were the library's only copy;
  • If they can't be easily replaced, how much it will cost to replace them, and any negative impacts we'll experience until we do;
  • How we have concluded the files were removed by the former employee, if they were an employee when they did it, and what the due process is for addressing that;
  • If (based on all the information gathered, and more that will be specific to the situation), the board should contact the police, or consider a civil claim against the former employee.

By demanding solid, well-documented and qualified answer to these questions (What happened?  how does it impact the library?  What can we do?) a board member is being a good fiduciary, and positioning the library to identify the best recourse.

Now let's say that, in the grand scheme of things, the "missing files" appear to be pretty minor (and do not involve private information).  Let's say that, for whatever reason, the outgoing employee deleted all the library's "standard operating procedures." Not the policies--those are on the library's website and backed up in numerous places - but all the details about (as the question says) "running the library:"  How to organize the courier manifest.  The templates for the volunteer letters and community meeting notices.  The budget template and calendar for strategic planning.  Their own emails on their library account.  Nothing private, no circulation or credit card information, but a body of work that represent hundreds of compensated hours…lost.

This may seem like the kind of loss that isn’t dire enough to warrant the steps I have outlined above, but it absolutely is.  First, only a professional can say when data is truly "lost" (especially emails).  And even if, at the end of the day, there is a board decision not to pursue any consequences (privately, civilly or criminally), such (in)action must be based on good information--not just the result of a decision not to investigate in the first place.

The budget for such response, if planned carefully, can be very modest (under $1500).[4]  Reaching out to a library's system and regional council to find the professional you need might help the library get those services at a reasonable price (and again, depending on the system-library service agreement, much more).

Why am I adamant about this follow-through, even for a "small" incident?  Because sometimes a "small" incident is only the tip of a much larger iceberg.  Unauthorized data destruction by a former employee could be a serious breach of their duty, the law--and even their oath of office.  But it might not be.  The right response, and the fair response, can only be formulated through careful documentation and analysis.

This is what positions the board to know what recourse it can take, when presented with such a serious situation.

Thank you for trusting "Ask the Lawyer" with this sensitive question.

 



[1] If you are reading this while working on this type of issue, take a deep breath.  You've got this.

[2] There are too many types of IT supply/support arrangements out there for me to be more precise than this.  Some systems are essentially the IT department for their member libraries. Others are not.  This aspect will be governed by the System's member contract…but generally, a good place to start is on the phone!

[3] In keeping with the question, this chart addresses what to do if the person involved is former employee.  If the person is a current employee, the Response Team should include someone qualified to assess an appropriate response that ensures 1) due process for the employee; 2) security for the investigation; and 3) stability for ongoing operations of the library.

[4] Is this a low-ball figure?  Could it be much bigger?  Yes. But if it gets much bigger, that should be because it's actually a big problem that needs to be solved.

Tags: Data, Ethics, Management, Security Breach

Topic: NYS Shield Act and Libraries - 12/5/2019
With the NYS Shield Act taking effect in March 2020 what changes or precautions should l...
Posted: Thursday, December 5, 2019 Permalink

MEMBER QUESTION

With the NYS Shield Act taking effect in March 2020 what changes or precautions should libraries be thinking about to comply with the law and minimize the risk of data breaches?

WNYLRC ATTORNEY'S RESPONSE

There are many technical aspects to this question, and this answer will explore many of them.  But first, I invite each reader to sit back, close their eyes, and envision the types of information their library takes in, maintains, or manages digitally.

Name…address…phone number…e-mail…library card number and account information.  Perhaps a driver’s license, or other photo ID.  Credit card information? Job applicant information, payroll, and employee data….  Donor information.  Survey responses.  Licensed lists.  Content related to digitization.   And (of course) every digital record related to a library’s core function: providing information access.

Now envision what someone with less-than-ethical intentions could do if they accessed or appropriated that digital information:

Disclose confidential library records…sell active credit card information on the dark web...use the information to design a very convincing phishing[1] scheme….

And I bet you can easily think of more. 

Scary?  You bet it is.  This is the type of risk-management New York’s lawmakers had in mind when they enacted the SHIELD Act[2], a far-reaching amendment to the state’s laws governing data security.

And as the member points out, the changes will impact your library.

So, what does this law require?

A lot. 

And here is where we get technical.  Because the law will hit different types of institutions differently, this “Ask the Lawyer” can’t give you a word-by-word recital of the precise obligations the SHIELD Act will impose on your institution.   But it can give you a plain-language DIAGNOSTIC FORM to help your board, your director, and your (internal or external) IT team a tool to start assessing your obligations.

So here, without further ado, is the ‘ASK THE LAWYER’ SHIELD ACT DIAGNOSTIC FORM.  If you have a buddy to fill this in with, I suggest you invite them to help, this is not the type of exercise to do alone.[3]

 

 

Diagnostic question

 

[NOTE: Any member of a library council in the State of NY is licensed to make a copy of this form for diagnostic purposes. However, THIS IS NOT INDIVIDUALIZED LEGAL ADVICE and no legal conclusion about the obligations of your institution should be made without the input of a lawyer.   That said, filling this out will help that lawyer help you a lot faster.]

Your Answer

 

Significance

 

1.

 

Does your library collect electronic versions of “personal information” as defined by SHIELD?

 

Here is the definition of “personal information”:

"Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

 

 

 

 

If your library collects “Personal information” as defined by SHIELD, it may be subject to SHIELD’s requirements. 

 

So, if you marked “yes,” keep going!

 

 

 

2.

 

Does your library’s network or equipment collect electronic versions of “private information” as defined by SHIELD?

 

Here is the type of data that, when combined with “personal information” becomes “private information” protected under SHIELD:

(1) social security number;

(2) driver's license number or non-driver identification card number;

(3) account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information that would permit access to an individual's financial account;

(4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or

(5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical

representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

 

 

 

If your library collects “private information” as defined by SHIELD, it may be subject to SHIELD’s requirements. 

 

So if you marked “yes,” keep going!

 

 

 

 

 

 

 

 

 

 

 

(NOTE: if any libraries out there are using biometric records like retina scans in place of library cards, please let me know, because that is Bladerunner-level cool).

 

 

3.

 

Does the “private information” your library collects include information from residents of New York?[4]

 

 

 

If your library collects “private information” relating to New Yorkers, it may be subject to SHIELD’s requirements. 

 

So if you marked “yes,” keep going!

 

 

4.

 

Is your library part of a larger institution such as a school, college, university, museum, religious institution, or hospital?

 

 

 

If the answer is “yes,” then STOP.

 

Your work on SHIELD ACT compliance should be coordinated with your full entity, who should be sensitive to not only your library’s obligations under CPLR 4509, but your institution’s obligations under SHIELD and other data security laws like FERPA and HIPAA.[5]

 

Don’t go rogue!

 

 

5.

 

Does your institution contract with another entity, like a library system, to maintain private information? 

 

EXAMPLE: When a person applies for a library card, does the personal information supplied stay on the local library’s network, or does it simply flow through a terminal at the local library to a system’s network? This is a very common arrangement in NY.

 

 

If “yes” list and attach the contracts, along with the information maintained by the contractor.

 

This question applies to both parties.

 

If the answer is “yes,” gather the contract(s) governing the arrangement(s), and be ready to check the contracts for assurance of SHIELD compliance. This includes assurance of “reasonable security requirements,” and a clause governing data breach notification.

 

 

6.

 

Now, aside from information maintained on another entity’s network as listed in #5 above, (library system, payroll service, credit card service provider, etc.) does your institution maintain any computer system with private information?

 

 

 

 

 

 

If yes, list the information gathered and where it is maintained:

 

 

 

 

 

If the answer is “no,” you only have to follow step #7, below.

 

If the answer is “yes,” make an appointment with your IT team, and be ready to do steps #7 through #15, too.

 

7.

 

Contract compliance check:

 

If you answered “yes” to #5, above, the contracts governing that relationship would be clear about SHIELD Act compliance, including the notification procedures for data breach.

 

 

Who is the person at your institution who will do this work with your contractors?

 

 

 

This is a smart step because contract vendors must meet this standard:

Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

 

 

8.

 

Okay, so it looks like my institution has to comply with the SHIELD Act.  What does that mean?

 

Well, firstly:

Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

 

So, does your institution have a policy for data breach notification?

 

 

 

Your institution may already have one! If so, it should be updated to reflect the changes in the law. 

 

If it doesn’t have one, now is a good time to get a policy in motion.

 

The law lists the steps and requirements for notification.  Among other things, those requirements  can depend on the size and nature of the breach.

 

NOTE: a data breach response is something a library should respond to with a qualified IT team and, if there are concerns about liability and compliance, a lawyer and your insurance carrier.

 

 

 

9.

 

Secondly:

 Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.

 

Does your institution have a policy to implement these “reasonable security requirements?”

 

 

 

Your institution may already have one. 

 

If so, it should be updated to reflect the changes in the law. 

 

If it doesn’t have one, now is a good time to get a policy in motion!

 

NOTE:  ***I have put the SHIELD Act’s criteria for a data security program next to three asterisks in the text following this form.

 

 

10.

 

Thirdly, are you a small library and feeling panicked about your security requirements?

 

Don’t worry, if you’re a “small business,” the law has a provision related to your obligations.

 

Here is the SHIELD Act’s definition of a “small business”:

"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.

 

So (deep breath) are you a “small business?”

 

 

If the answer is “yes,” then your “reasonable security requirements” are tempered:

…if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.

 

This analysis is why having an inventory of the private information maintained by your library (or for your library) is critical; depending on the “sensitivity” (or use) of what you maintain, your plan can adjusted for what is “appropriate.”

 

 

11.

 

Just to reiterate: if you have gotten this far into the assessment diagnosis, you should probably have a “data breach” plan—even if it is just for coordinating with the entity who holds most of your data.

 

So: do you have a “Data Security and Data Breach Notification Policy and Procedure?”

 

 

 

 

As can be seen in the factors cited in the sections above, policy and procedures related to data security and data breach notification cannot be a cookie-cutter based simply on what other libraries do.  Your policy and practices will be governed by many factors.

 

 

12.

 

Are you insured for data breach and recovery?

 

 

This is a great question to ask your insurance carrier!  You should also be familiar with their notice requirements in the event of a hack or breach.

 

 

13.

 

Who at your institution is responsible for coordinating your data security program?

 

 

 

This responsibility should be confirmed in a job description and reinforced with regular training.  Working with your system or other larger supporting entity may be important, too.

 

 

14.

 

Who are your outside contractors assisting with emergency response in the event of data breach?

 

 

 

This is a good standing contract to have, and one that systems and councils might consider jointly negotiating for on behalf of members (and hopefully it is a service you never need to invoke!).

 

 

 

 

15.

 

Did you ever think, when you chose a library career, you’d get to moonlight in IT?

 

 

 

IT and libraries: two great tastes that go great together….with enough planning.

 

 

And that’s the SHIELD Act.[6]

How does a small not-for-profit tackle this expansion of data security laws?  Like anything else: inventory your status under the law, establish a goal for compliance, develop a budget and a plan, make sure the responsibility is appropriately allocated, confirm insurance coverage alignment, use all the resources at your disposal (your system, council, insurance carrier, and board members who have lived through data breach compliance) and get it done. 

In practical terms, this is also means:

  • If your library makes a practice of getting a copy of every member’s photo ID, and stores it on an Excel spreadsheet on an unsecured computer, now is a great time to stop doing that.
  • If your library maintains a list of users, credit card numbers, CCV numbers and expiration dates on your network, now is a great time for a network security assessment.
  • If your library uses an outside IT contractor, now is a great time to review their contract and make sure it provides assurance that services will be SHIELD Act-compliant.
  • If you have no idea if your institution’s insurance covers data breach (and recovery), now is a great time to ask your agent, broker, or carrier.  They might even have some resources to help you with SHIELD Act compliance.

The penalties for violation of the SHIELD Act are $5,000 per violation, in an action brought by the New York Attorney General (the law doesn’t create a private right to sue).  Other changes to the law make it easier for the AG to learn of data breaches, and to coordinate with other law enforcement agencies trying to combat them.  As we envisioned at the beginning of this article, the states for a breach are high.

But don’t worry.  No matter where your diagnosis falls, remember: libraries have been operating under heightened privacy obligations since before there were computers.  That mindset—awareness of an ethical duty to protect privacy--is the most important part of a program to minimize the risk of breaches. 

You’ve got this.

Thanks for a great question.

 

***A data security program includes the following:

 (A) reasonable administrative safeguards such as the following, in which the person or business:

(1) designates one or more employees to coordinate the security program;

(2) identifies reasonably foreseeable internal and external risks;

(3) assesses the sufficiency of safeguards in place to control the identified risks;

(4) trains and manages employees in the security program practices and procedures;

(5) selects service providers capable of maintaining appropriate safe-guards, and requires those safeguards by contract; and

(6) adjusts the security program in light of business changes or new circumstances; and

 

(B) reasonable technical safeguards such as the following, in which the person or business:

(1) assesses risks in network and software design;

(2) assesses risks in information processing, transmission and storage;

(3) detects, prevents and responds to attacks or system failures; and

(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and

 

(C) reasonable physical safeguards such as the following, in which the person or business:

(1) assesses risks of information storage and disposal;

(2) detects, prevents and responds to intrusions;

(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and

(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

 


[1] “We just need your bank information to refund your library fees since 1987 with interest!”

[2] SHIELD stands for "Stop Hacks and Improve Electronic Data Security".

[3] Why?  Well, if you’re lucky, it’s because it will be boring.  But chances are, it will be all too exciting, as you discuss the different types of data your library maintains and explore the data security obligations that come with it.  And if that happens, you’ll need one person filling in the form, while the other one looks up information—and you’ll both want someone to share your sense of urgency when it’s over.

[4] NOTE:  This is a huge change in the law, which used to only apply to businesses in New York.  Now it applies to any business that collects the information of New Yorkers; a big difference and one that impacts businesses out-of-state.

[5] Institutions subject to HIPPAA have special provisions to ensure disclosure obligations aren’t redundant.

Tags: Data, Digital Access, Laws, Policy, SHIELD Act

Year

0

2016 4

2017 24

2018 29

2019 42

2020 41

Topics

501c3 2

Accessibility 3

ADA 6

Association Libraries 1

Branding and Trademarks 1

Broadcasting 1

Budget 1

Circular 21 1

Contact tracing 1

CONTU 1

Copyright 66

COVID-19 26

CPLR 4509 3

Crafting 1

Criminal Activity 1

Data 2

Defamation 1

Derivative Works 3

Digital Access 8

Digital Exhibits 1

Digitization and Copyright 9

Disclaimers 2

Discrimination 1

Dissertations and Theses 1

DMCA 2

Donations 3

E-Books and Audiobooks 1

Ed Law 2-d 1

Elections 2

Emergency Response 25

Employee Rights 5

Ethics 3

Executive Order 3

Fair Use 27

Fan Fiction 1

Fees and Fines 3

FERPA 5

First Sale Doctrine 3

Forgery and Fraud 1

Friends of the Library 1

Fundraising 1

Hiring Practices 1

Historic Markers 1

HRL 1

IRS 1

Labor 3

Laws 18

LibGuides 1

Library Buildings 1

Library Programming and Events 6

Licensing 2

Local Organizations 1

Management 15

Meeting Room Policy 3

Microfilm 1

Movies 5

Municipal Libraries 4

Music 9

Newspapers 3

Omeka 1

Online Programming 10

Open Meetings Law 1

Oral Histories 1

Overdrive 1

Ownership 1

Parodies 1

Photocopies 15

Policy 27

Preservation 2

Privacy 10

Property 3

PTO, Vacation, and Leave 1

Public Domain 7

Public Health 1

Public Libraries 3

Public Records 2

Quarantine Leave 1

Reopening policies 1

Retention 2

Retirement 1

Ripping/burning 1

Safety 2

Salary 2

School Ballots 1

School Libraries 5

Section 108 1

Section 110 1

Section 1201 1

Security Breach 1

Sexual Harassment 2

SHIELD Act 1

Smoking or Vaping 2

Social Media 4

SORA 1

Story time 3

Streaming 11

Swank Movie Licensing 3

Taxes 4

Teachers Pay Teachers 1

Telehealth 1

Textbooks 3

Trustees 2

Umbrella Licensing 2

VHS 4

Voting 1

W3W 1

WAI 1

Yearbooks 2

Zoom 1

The WNYLRC's "Ask the Lawyer" service is available to members of the Western New York Library Resources Council. It is not legal representation of individual members.