Having trouble viewing this email? View it in your browser.

Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

February 2016
Vol. 8 No. 2
Quotable...
“Let us not look back in anger or forward in fear, but around in awareness.”

-- James Thurber

This month we continue our review of the events included in Case in Point during 2015. Information Technology is clearly a substantial risk within higher education and there are numerous opportunities to run into trouble. It is important to remember that our analysis is simply of the news articles we gathered and not a scientific study of this topic. We should also note that we categorize these items based on the limited information that is reported in the story; however, we do think we provide a good overview of the pulse of each topic for our industry.

As we look back at the IT category, we note that the events reported in 2015 were relatively consistent with what we have seen in previous years. The Information Security & Technology Events category can be broken down as follows:

  • Hack/Breach 55%
  • Accidental Disclosure/Loss of Data 23%
  • Questions over Appropriate Use of IT/Resources 14%
  • Phishing 5%
  • Other 3%

For our purposes, a "hack/breach" generally involves someone inappropriately accessing a system or data without the authority to view this information. More often than not this inappropriate access is from someone external to the institution; however, we have noted cases where employees were the source of a breach in this manner.

"Accidental Disclosure/Loss" is almost always when an employee simply makes a mistake. This is one risk area over which you as an employee have substantial control. Often, this issue can be something as simple as losing a laptop with protected data. Vigilance is always important for smart phones, lap tops, thumb drives and other portable devices that contain protected data.

There were several stories questioning the role of technology and the use of social media. There will no doubt always be some differences in opinion in what people view as appropriate; however, in today's world it is critical that we at least evaluate how we are using technology in an effort to anticipate and mitigate any issues it may bring.

Phishing is listed at only 5% but we caution you not to underestimate its importance. Even within the past month, phishing has been a substantial problem in higher education. Phishing by definition "is a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly." There have been recent cases in which scammers used the current tax season in an attempt to obtain private information. The people operating these scams are very good at making their e-mails look legitimate so it is always best to proceed with caution and ask questions from security professionals if you have any doubt.

The EDUCAUSE IT Issues Panel recently ranked Information Security as the greatest risk facing information technology within higher education for 2016. The Panel recognized the ''need to develop funding models that focus on information technology as an investment instead of a cost.'' The Panel's report also correctly asserts that "institutional information security is everyone's job."

Certainly, Information Technology is an area that deserves our attention and vigilance, but as you know from reading our publication, IT is but one category of many in which we need proactive risk management. Review the selected news items from higher education and ask yourself one basic question, ''how can I pro-actively prevent a similar problem within my area of influence?'' As always, we welcome your feedback on this publication or related items.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy



Information Security & Technology Events

Feb 10, 2016: On December 6, 2015, an OHSU research student's car was broken into and a hard drive was stolen. The hard drive may have contained health information about Neonatal Intensive Care Unit patients admitted to the unit in 2013 who were enrolled in a research study about the potential effect of aminoglycoside antibiotics on hearing. The information included the patient's full name, date of birth, medical record number, diagnosis, doctors name, and some clinical information related to the research. The information did not include address, phone number, any insurance information, social security number, or other identifiers that we believe would result in financial harm to patients or their families. Patient contact information, address or other identifiers were not included. (link)

Feb 04, 2016: In an unprecedented data breach at University of Central Florida (UCF), about 63,000 Social Security Numbers (SSN) and names of former and current students and UCF staffs were hacked, revealed the University official on Thursday. Among those affected include about 600 current student-athletes, former student-athletes who last played sports in 2014-15, student staff managers for the teams and other related positions. However, the bulk of those whose information was compromised are current UCF employees as well as those who worked at UCF as far back as the 1980s. (link)


Fraud & Ethics Related Events

Feb 15, 2016: A former Grand Valley State University office employee has admitted to embezzling from the university. Authorities alleged Lynnea MacGeorge, 44, embezzled more than $76,000 from the university between 2012 and 2015 while she worked in Athletic and Recreation Facilities Management. She was responsible for making deposits for the recreation center. MacGeorge, who resigned in June amid a criminal investigation, pleaded guilty earlier this month to one count of embezzlement by an agent or trustee of $20,000 or more, according to court records. The felony is punishable by up to 10 years in prison. (link)

Feb 05, 2016: A McKinney woman has pleaded guilty to federal theft charges related to a university embezzlement scheme, the U.S. Attorney's office announced this week. According to information presented in court, from December 2014 to April 13, 2015, Heather Elizabeth Mercado, 42, was employed by the University of Texas Southwestern Medical Center in Dallas as director of talent acquisition with the Human Resources Department. Mercado also controlled and operated a company, Alliance Consulting Partners (ACP), purportedly in the business of hospital staffing. Mercado devised and executed a scheme in which she represented to UT Southwestern Medical Center that ACP recruited nurses and other personnel to work at UT Southwestern, thereby leading to fraudulent invoices causing UT Southwestern Medical Center to pay ACP more than $483,000, according to authorities. (link)


Compliance/Regulatory & Legal Events

Feb 20, 2016: The University of Utah roiled fans across the state -- and in the Capitol -- when it yanked Brigham Young University from next season's basketball schedule. Now, lawmakers are taking the Utes to task with a sweeping probe of the college's sports department. The "efficiency and effectiveness" review is the first-ever state audit of a single athletic office. The breadth of the new request distinguishes it from other more routine reports, including a brief state financial analysis of all eight public colleges each year. A four-member panel approved the new report without discussion in the final moments of the Feb. 1 public Legislative Audit Subcommittee meeting -- less than a month after Utah shelved the state's signature rivalry. (link)

Feb 16, 2016: Indiana University plans to begin reviewing 18 sexual misconduct cases this week, following allegations that the school's associate dean of students sexually assaulted a woman at a December conference. In an open letter published Feb. 4, Jill Creighton accused Jason Casares of sexually assaulting her in December at a conference in Fort Worth, Texas. Creighton is the assistant director of global community standards at New York University and a board member of the Association for Student Conduct Administration. Casares, who is also the school's deputy Title IX coordinator, was placed on administrative leave immediately after Creighton published the letter. He has denied the allegations. University Provost Lauren Robel has requested a review of all sexual misconduct cases from the past academic year that went to hearings with Casares on the hearing panel. (link)

Feb 17, 2016: The state of Montana will pay Jordan Johnson $245,000 under a settlement in which the former University of Montana quarterback agreed to drop claims that the school and its officials mishandled a rape investigation against him. In addition to UM and the Montana University System, UM President Royce Engstrom, former Dean of Students Charles Couture and former university legal counsel David Aronofsky are listed as having all potential claims against them resolved under the settlement. David Paoli, Johnson's attorney, said in a statement Tuesday that Couture predetermined guilt on Johnson's part after he was accused of sexual assault by a female student in 2012, and that Couture went on to "act as a biased investigator, prosecutor and judge in spite of being required by all rules and regulations to be impartial and provide fairness and equal treatment in the process." (link)

Feb 16, 2016: The head swim coach at a Maryland university has been arrested on charges that he exchanged nude photographs with a child he met on the Internet. Andre Rudolph Barbins, 45, of Solomons in Calvert County, was arrested Friday and is no longer coaching the swim team at St. Mary's College of Maryland. The university said in a statement Tuesday that an assistant coach has taken on Barbins's role at the college. It declined to comment further, except to say that it was working with investigators to protect students' safety. The victim in the case was a minor whom Barbins only had contact with online, not someone he coached, Maryland State Police Cpl. DaVaughn Parker said. (link)

Feb 12, 2016: The University of Iowa is facing a federal civil rights investigation, looking into accusations the school does not provide equal opportunities for female athletes. Court documents show the federal Office for Civil Rights is investigating gender bias allegations, including how the Iowa athletic department awards scholarships, allocates equipment and schedules practices and games. If discrimination is found, the case could result in a settlement requiring the university to change its policies and allocate more funds to women's sports. (link)

Feb 11, 2016: Reopening a long-delayed fight for his reputation, former Penn State President Graham Spanier filed separate lawsuits Wednesday against the university and its chief Jerry Sandusky investigator, Louis Freeh. The suits, both filed in Centre County Court, are born of the same set of circumstances. Spanier claims Penn State trustees and Freeh colluded to make him, his top administrators and former Penn State head football coach Joe Paterno fall guys for the Sandusky child sex scandal that rocked the university, Pennsylvania and the college football world in 2011 and 2012. Freeh's report did allege that Penn State officials did not respond appropriately to early allegations of sexual misconduct by Sandusky, to be sure. (link)

Feb 10, 2016: Six women filed a federal lawsuit on Tuesday claiming the University of Tennessee has created a student culture that enables sexual assaults by student-athletes, especially football players, and then uses an unusual, legalistic adjudication process that is biased against victims who step forward. In making its case that the university enabled an environment of bad behavior and used a disciplinary system that favored the players, the lawsuit cited more than a dozen incidents involving football players that included underage drinking, sexual harassment, assault, armed robbery and sexual assaults that did not involve the Jane Doe plaintiffs. Some of the incidents cited have previously never been reported. The plaintiffs say that UT violated the Title IX laws, which protect students from gender discrimination in federally funded education programs. UT created a hostile sexual environment for female students by showing "deliberate indifference and a clearly unreasonable response after a sexual assault that causes a student to endure additional harassment," according to the lawsuit. (link)

Feb 06, 2016: A former University of Central Florida student body president and member of UCF's Board of Trustees filed a class action lawsuit against the university Friday after being victimized in UCF's massive Social Security number hack. The lawsuit was filed in federal court, in the Orlando division, one day after UCF admitted 63,000 Social Security numbers of current and former students and staff were stolen. The lawsuit states "UCF owed a duty to Plaintiffs and the Class to notify them about the breach within a reasonable amount of time under the circumstances, which it failed to do, exposing the Class to additional harm." The lawsuit seeks an order finding UCF "breached its duty" on several issues, including failing to "timely notify Plaintiffs and the Class about the breach" and failing to "safeguard and protect" personal information of the victims. (link)

Feb 06, 2016: The president of a Cornell University fraternity was arrested after an alleged sexual assault in his fraternity house bedroom, according to court documents. Wolfgang Ballinger, 21, is charged with attempted rape in the first degree, criminal sexual act in the first degree, and sex abuse in the first degree, documents in Tompkins County, New York, say. The fraternity was suspended on Monday as a result of "alleged sexual misconduct taking place at the fraternity house," according to a statement by Travis T. Apgar, senior associate dean of students at the University. The suspension is invoked when "details of a credible report compel the university to cease activities of the organization for the safety of the members, those joining or guests," Apgar said. During this suspension, the chapter "may not engage in any activities other than operation of its residence," according to the statement. (link)

Feb 05, 2016: A 60-year-old Mishawaka man who worked as a nighttime janitor at Saint Mary's College has been charged with nine felonies related to possession of child pornography and child exploitation. Luis Morales, 60, was arrested Friday on allegations of downloading child pornography on his computer. According to the St. Joseph County prosecutor's office, police found in his home several flash drives and computer memory cards containing more than more than 100,000 images. Investigators said Morales allegedly utilized Saint Mary's College's computer wi-fi network to view and download some of the images, but there was no evidence that students, faculty or staff at the college were harmed or exploited. (link)

Feb 04, 2016: A Martinsburg man who police said admitted to embezzling from Valley College to pay restitution for a previous embezzlement conviction was sentenced after pleading guilty to one felony count of embezzlement in Berkeley County Circuit Court. Bradley Scott Martin, 31, was sentenced by 23rd Judicial Circuit Judge John C. Yoder to not less than one or more than 10 years in prison. Authorities have alleged that Martin was working as a contract employee for the college when he altered multiple time slips, which resulted in him being overpaid by Manpower, court records said. Police also alleged that Martin forged 60 checks identified by Valley College and uttered them, records said. (link)

Feb 03, 2016: A Northwestern University police lieutenant who is facing child pornography charges has been placed on administrative leave. Ronald Godby, 53, was charged with manufacturing child pornography, possessing child pornography and grooming, all felonies, according to Cook County court records. Godby, a lieutenant with the Evanston university's police department, has been placed on administrative leave and banned from campus, according to a statement from Northwestern spokesman Alan Cubbage. (link)

Feb 02, 2016: Eight students were arrested at Georgia State University when they refused to leave a protest Tuesday over a Georgia Supreme Court decision rejecting lower tuition for immigrants without legal status. The protesters had occupied the first floor of Centennial Hall since Monday, students and university officials said. "The eight arrested refused to leave," she said in a statement. "Police said the protesters had been disruptive earlier this morning, and they were concerned about possible disruption in the building at the start of the university's workday." The protest followed a ruling Monday by Georgia's highest court. The court rejected an appeal aimed at allowing immigrants without legal status to pay substantially lower in-state college tuition rates, The Atlanta Journal-Constitution earlier reported. (link)

Feb 02, 2016: A prominent molecular biologist at the University of Chicago has resigned after a university recommendation that he be fired for violating the school's sexual misconduct policy. His resignation comes amid calls for universities to be more transparent about sexual harassment in their science departments, where women account for only one-quarter of senior faculty jobs. The professor, Jason Lieb, made unwelcome sexual advances to several female graduate students at an off-campus retreat of the molecular biosciences division, according to a university investigation letter obtained by The New York Times, and engaged in sexual activity with a student who was "incapacitated due to alcohol and therefore could not consent." (link)

Feb 02, 2016: Despite being a private school, Baylor is required by federal law -- Title IX -- to thoroughly investigate allegations of sexual violence, and provide security, counseling services and academic help to those who report assaults. Part of the law's goal is to help keep victims in school. Yet an investigation by Outside the Lines found several examples in Tanya's case, and others at Baylor, in which school officials either failed to investigate, or adequately investigate, allegations of sexual violence. (link)

Jan 29, 2016: The NCAA has formally charged the University of Mississippi with dozens of rules violations in three sports, multiple sources told Yahoo Sports. The school has received a Notice of Allegations from the NCAA enforcement staff alleging roughly 30 violations in football, women's basketball and track and field, sources told Yahoo. It is unclear at present what the breakdown is in terms of violations by sport. The NCAA does not comment on current, pending or potential investigations. (link)

Jan 30, 2014: The University of California has admitted its negligence was a substantial factor in the 2014 death of Cal football player Ted Agu, who died after a strenuous team workout. The admission comes after testimony in a lawsuit brought by Agu's parents raised questions about the actions of Cal football personnel in the events that preceded his death. The testimony, given in confidential depositions, also detailed allegations that campus officials did not provide the Alameda County coroner's office with all police and medical records after Agu died, including some that indicated he had sickle cell trait -- a blood abnormality that experts believe can lead to death under extreme exertion. (link)


Campus Life & Safety Events

Feb 19, 2016: Buffalo police are investigating the death of a SUNY Buffalo State student, who may have suffered internal injuries from an alleged off-campus hazing incident. Bradley D'Oyley, 21, of Brooklyn, died Thursday night at Buffalo General Medical Center, after having come down with an unexplained illness late last month. He apparently was pledging for the local chapter of a national fraternity at the time he became ill. College officials suspended the charter of the Delta Epsilon chapter of Alpha Phi Alpha as a result of the investigation. The officials also said they are supportive of the Buffalo Police Department's investigation. (link)


Other News & Events


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top


Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.