Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

February 2017
Vol. 9 No. 2
Quotable...
“To read without reflecting is like eating without digesting”

-- Edmund Burke

This month we begin our annual review of the past year, looking for any possible trends and emerging items. This is a good time to remind our readers of the purpose of Case in Point. Our goal in this publication is to encourage proactive risk management. We believe it is much less painful to proactively manage a risk than deal with a crisis.

While it may be cliché, it really is important to remember that if you "see something, say something." Many of the events you see linked in our publication each month could have been prevented - or at least the impact dramatically reduced - had certain steps been taken. The risks we face in higher education are extremely diverse, and we believe it takes all stakeholders working together to help create a proactive culture we all benefit from.

During 2016, we linked to 449 stories. The breakdown among categories was as follows:

  • Info Security & Tech - 9%
  • Fraud & Ethics - 16%
  • Compliance & Legal - 47%
  • Campus Life & Safety - 26%
  • Other - 2%

As has been true the past few years, the Compliance & Legal category contained the most news articles. While we will delve deeper into each category over the coming months, Compliance & Legal will certainly be one we pay close attention to during 2017. Much of the impact from compliance related issues comes from the sub-regulatory guidance issued by various governmental agencies. Sub-regulatory guidance essentially lets us know how the government will enforce certain laws. This is important since these are the standards that external regulators will use to evaluate our operations. With the change in administration in Washington D.C., it is probable that substantial changes will occur with respect to sub-regulatory guidance. We will do our best to keep you informed of any major changes we note.

We again invite you to review the events occurring throughout higher education with a view towards proactive risk management. If you see areas of concern or risks you have influence over, take action before you become the crisis. As always, we invite your comments and suggestions.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy



Information Security & Technology Events

Feb 24, 2017: Vanderbilt University Medical Center will be sending letters to more than 3,000 patients whose personal information was inappropriately accessed by a pair of patient transporters. An audit of electronic patient files conducted by the VUMC Privacy Office found that two people who worked as patient transporters looked at 3,247 medical records between May 2015 and December 2016, according to a release from VUMC. The employees accessed information from adult and pediatric records, including names, birth dates, and medical record identification numbers. In a few instances one person had the ability to see social security numbers. (link)

Feb 20, 2017: More than 1.4 million emails--some divulging Harvard students' grades, financial aid information, and at least one individual's Social Security number--sent over Harvard Computer Society email lists were open to the public until Monday. Teaching fellows, resident tutors, College administrators, and thousands of undergraduates have used the email list service--which the student group made private Monday--for years. Emails sent over HCS lists contained the membership of certain BGLTQ undergraduate groups, bank account numbers for some student organizations, advance copies of a final exam, and answer keys to problem sets. At times, teaching fellows used the lists to discuss students' grades--a move some legal experts say may violate the Family Educational Rights and Privacy Act, a federal law designed to protect students' privacy. (link)

Feb 15, 2017: Rasputin, a Russian-speaking and notorious financially-motivated cyber criminal, continues to locate and exploit vulnerable web applications via a proprietary SQL injection (SQLi) tool. Rasputin's latest victims include over 60 (combined total) prominent universities and federal, state, and local U.S. government agencies. In November 2016, Rasputin penetrated the U.S. Election Assistance Commission (EAC) via SQLi. 15 plus years of SQLi attacks, and going strong; this prolific vulnerability remains one of the most popular exploits for opportunistic actors due to its ongoing success rate. (link)

Feb 13, 2017: It sounds like a sci-fi movie. Over 5,000 connected devices, including light bulbs and vending machines, were hacked to slow internet service at a university to a crawl. Poorly secured internet of things (IoT) devices have become gold mines for hackers looking to launch DDoS attacks to take websites and services offline. But this latest case, detailed in Verizon's Data Breach Digest 2017, is the rare example of gadgets attacking their own network. (link)

Feb 11, 2017: A wave of nationwide phishing scams is targeting college students, according to reports from Louisiana State University, University of Wisconsin-Platteville, Amherst College, Wellesley College, Dartmouth College and more. At Dartmouth College, several thousand students received emails that appeared to be from President Phil Hanlon. The messages included links to websites with malware. Recipients were advised not to click on the links. (link)

Feb 08, 2017: A 41-year-old Chicago man pleaded guilty Monday in federal court to using personal information obtained by hacking into Bradley University's computers to obtain about $770,000 in false tax refunds. Gbadebo Adebiyi pleaded guilty to one count of conspiracy to commit mail fraud, a felony that could send him to prison for up to five years. His sentencing is set for May 3 in the courtroom of Senior U.S. District Judge Joe B. McDade. A second man, Idris Akande, 35, also of Chicago, remains a fugitive. (link)

Feb 07, 2017: Tuesday night, at least three racist emails were sent out to University of Michigan Computer Science and Engineering undergraduate students. The subjects of the first two emails were "African American Student Diversity" and the third read "Jewish Student Diversity." The emails were sent by three separate University uniqnames -- all of which are administrators of the listservs, potentially indicating that the listservs, via the University's online contact server, MCommunity, may have been hacked. (link)


Fraud & Ethics Related Events

Feb 23, 2017: The former Assistant Director of Operations for the Nebraska Transportation Center has been charged with stealing more than $11,000 from the University of Nebraska. The Nebraska Transportation Center connects University of Nebraska researchers, industry leaders, and government entities. Court documents reveal Laviania Thandayithabani is accused of stealing $11,335.73. The investigation determined Thandayithabani bypassed approval processes and paid for plane tickets using University funds. (link)

Feb 13, 2017: Two former Texas Southern University employees are accused of stealing more than $500,000 from the Houston college, according to authorities. Kennith Darden Jr. and Ashley Velasquez are each charged with felony aggregate theft after prosecutors say they worked together to squirrel away $534,379.71 stolen from the school in a little under two years, a Harris County District Attorney's Office spokesman confirmed Monday night. Authorities say the scheme started in January 2012, when Darden allegedly began submitting fake invoices through a shell company - and Velasquez, a senior administrative assistant, approved the fraudulent paperwork. (link)

Feb 11, 2017: A pharmacology professor at the University of Maryland School of Medicine will no longer conduct research there after eight of his articles were retracted by a major scientific journal for inaccuracies. The publisher of the Journal of Biological Chemistry retracted six articles written by Anil K. Jaiswal in early January, said Kaoru Sakabe, data integrity manager for the American Society for Biochemistry and Molecular Biology, which publishes the journal. (link)

Feb 10, 2017: A Galveston College instructor, who is also the director of the electrical and electronic technology program at the school, has resigned after a student alleged the instructor sent him tests and answers to those tests. Robert Shields earned a bachelor's degree from the University of Houston in 2011, according to his online school bio. "Very troublesome. Mr. Shields, head of the electrical electronics program voluntarily resigned," Dr. W. Myles Shelton, president of Galveston College, said. (link)

Feb 04, 2017: Authorities charged a former Iowa State employee with theft of over $68,000 in non-profit funds. The Story County Sheriff's Office arrested and charged Pamela Backstrom, 56, with first degree theft and ongoing criminal conduct. Backstrom is accused of taking university money from the Quantitative Nondestructive Evaluation (QNDE) Programs account. She worked in the research center from August 2013 to January 2016. (link)

Feb 03, 2017: A former Essex County College track coach was sentenced to three years in prison and ordered to pay restitution after admitting to stealing $150,000 from the school. Michael Smart, 62, of Roselle, also is barred from public employment ever again. Smart, however, is collecting an annual pension of $31,000 after retiring from the college two years ago. Prosecutors say Smart used the college team's debit card as a personal ATM card from 2012 to 2015, often withdrawing the $700 transaction maximum several times a day. (link)


Compliance/Regulatory & Legal Events

Feb 27, 2017: The U.S. Department of Education's Office for Civil Rights said in a letter that the University of Alaska System badly failed students and staff who were sexually harassed and assaulted. OCR began a Title IX investigation of the university system three years ago. The investigation focused on cases from 2011 to 2015. OCR made a list of 23 specific cases as examples of the university's Title IX failures. The schools responsible for each case weren't identified. The first problem in the list is the system's failure to investigate or finish investigating multiple reports of misconduct. (link)

Feb 23, 2017: The Trump administration on Wednesday night withdrew Obama-era protections for transgender students in public schools that let them use bathrooms and facilities corresponding with their gender identity. Last May, the departments of Education and Justice issued joint guidance directing schools to let transgender students use facilities that correspond with their gender identity. The "Dear Colleague" letter, addressed to school districts and colleges that receive federal funding, was based on the Obama administration's interpretation of Title IX, the federal law that bans sex discrimination in schools, to include gender identity. (link)

Feb 23, 2017: Ole Miss announced Wednesday that it will voluntarily take a one-year bowl ban for 2017 after an NCAA investigation uncovered 21 allegations of violations made by the football program. The self-imposed penalty is a result of an official notice of eight additional athletic compliance violations, in addition to 13 prior allegations the NCAA issued Ole Miss last year. The NCAA's initial investigation into the program was expanded following Laremy Tunsil's eventful NFL Draft night. (link)

Feb 14, 2017: Michigan State women's gymnastics coach Kathie Klages has been suspended, according to a letter sent to MSU gymnasts and obtained by MLive. The suspension comes on the heels of allegations in a civil lawsuit that claim Klages ignored at least one athlete's concerns about their treatments from MSU sports medicine Dr. Larry Nassar. More than 30 women have filed civil lawsuits against Nassar, claiming he sexually assaulted them. (link)

Feb 13, 2017: Tuskegee University plans to appeal a jury verdict that awarded nearly $2 million to the university's general counsel and vice president for legal affairs for breach of his employment contract. A jury, on Feb. 3 at the end of a five-day federal trial in Opelika, awarded Darryl E. Crompton $525,841 after finding the private historically black college and university (HBCU) breached the provision of Crompton's contract that provided for a five-year term of employment. The jury also awarded Crompton another $1,427,208 after also finding that the university breached another provision of the contract that provided Crompton would be granted tenure on the first day of his employment. (link)

Feb 11, 2017: Kean University should have given a professor more notice before its board voted to not renew her contract at a public meeting, a state appellate court ruled this week in a case that could change how the school does business. The public university violated the state's open public meeting law when it failed to send associate professor of nursing Valerie Hascup a warning letter before its trustees voted not to renew her contract at a 2014 meeting, the three-judge panel ruled. The "silent unexplained vote" was a violation of the state's Open Public Meetings Act, or OPMA, the judges wrote. (link)

Feb 10, 2017: A Riverside Superior Court jury has awarded a former UC Riverside counsel $2.5 million, finding that university officials violated state law when they fired her in retaliation for reporting allegations of sex discrimination against women. The jury found that university officials violated state labor code and the state Fair Employment Housing Act. (link)

Feb 07, 2017: A member of the Baylor University athletics department was arrested early Saturday morning in a prostitution sting. McLennan County Sheriff Parnell McNamara said Brandon Washington, 33, was arrested by deputies at a local hotel on a solicitation of prostitution charge, a Class B misdemeanor. The sheriff identified Washington as a strength coach at Baylor. Baylor confirmed that Washington was employed by Baylor when he was arrested early Saturday, but said he was immediately fired upon the school learning of the arrest. (link)

Feb 06, 2017: Pennsylvania State University and online retailer Amazon Inc. settled a lawsuit with the family of a former student who committed suicide in 2013. The settlement, which was reached on Jan. 30, ends a two-year long case relating to the suicide death of former Penn State nursing student Arya Singh. Singh's family filed a lawsuit against Amazon for allowing the student to purchase the poison and against PSU for negligence after Singh reported being sexually assaulted in a dorm in 2011. (link)

Feb 01, 2017: A student who was allegedly raped by one of her professors at the University of California Santa Cruz has received a $1.5 million settlement, attorneys told KSBW Tuesday. The case was settled by the University of California Regents before a civil lawsuit or criminal charges were filed. Neither the student's attorneys, nor the university, released the professor's name. (link)


Campus Life & Safety Events

Feb 27, 2017: A faculty member at California State University, Fullerton has been suspended after striking a College Republicans member during a campus protest earlier this month. (link)

Feb 24, 2017: State police have charged six University of Connecticut students with alcohol-related offenses in connection with the October death of student Jeffny Pally, who was killed when she was run over by a UConn Fire Department vehicle. State police said the students charged were involved in hosting an off-campus party at a house affiliated with Kappa Sigma fraternity that Pally, 19, of West Hartford attended prior to the fatal incident. Kappa Sigma fraternity was suspended by UConn on Feb. 1 after an investigation found that the organization violated UConn's student code by providing alcohol to minors and engaging in disruptive and endangering behavior, according to university records. (link)

Feb 23, 2017: A fraternity at Loyola University has been suspended as the school investigates the organization for hazing, making it the second local chapter of the fraternity to be shut down this month. Sigma Alpha Epsilon has been ordered to temporarily stop operations after administrators received "credible information alleging that the chapter is engaged in hazing activity," Loyola spokeswoman Kristin Trehearne Lane said Thursday. Earlier this month, leaders at Northwestern University issued a campus security alert saying they received anonymous reports that as many as four female students were given a date-rape drug during a Jan. 21 event at the Sigma Alpha Epsilon house. (link)

Feb 22, 2017: Rollins College officials have suspended all six of its fraternities after concerns over "high risk behaviors" surfaced this week, a spokeswoman said Wednesday. The suspension was announced as Winter Park Police investigate a reported battery and burglary that led to a Rollins student being taken to the hospital. The incident happened at 7:58 p.m. Sunday a few blocks from campus, according to a Winter Park police report. No charges have been filed against what the report described as three offenders. (link)

Feb 21, 2017: Police are searching for two Charlotte area suspects after roommates were robbed at gunpoint in a dorm room at Catawba College in Salisbury. The two roommates were robbed on Feb. 15 at Stanback Hall in the 2300 block of West Innes Street, police said. An adjoining dorm room had just been broken into and ransacked, according to police. A day earlier, clothing, electronics and jewelry were stolen from another dorm room in Stanback Hall. (link)

Feb 17, 2017: Seattle Pacific University gunman Aaron Ybarra was sentenced Friday to 112 years in prison for the shooting spree that saw one student killed at the close-knit Christian college. Ybarra's sentencing came nearly three years after the June 2014 shooting that rocked the Queen Anne campus. He was convicted in November on all counts, including first-degree murder for the death of 19-year-old Paul Lee. (link)

Feb 17, 2017: University of Minnesota police are investigating the latest of several recent incidents involving anti-Semitic postings on the Minneapolis campus. Social media on Friday captured the image of a flier taped to a pole inviting people to the neo-Nazi website the Daily Stormer. University officials said Friday that police are aware of the incident and are investigating. On Thursday, University of Minnesota police arrested a student for allegedly vandalizing a public area of a residence hall with anti-Semitic graffiti. (link)

Feb 15, 2017: A Tempe church that sprang from a controversial campus ministry in Tucson is under investigation by Arizona State University, accused of stalking, hazing and other misconduct. Seven disciplinary charges are pending against Hope Christian Church for suspected violations of the state university system's student code of conduct, public records obtained by the Arizona Daily Star show. (link)

Feb 15, 2017: Twenty-one college-aged students were taken by ambulance from the Miami University area to hospitals for alcohol-related problems last weekend, a spike that is causing concern among city and university officials. Jon Varle, who has been an Oxford Police sergeant for more than two decades, tells wcpo.com that he's never seen the drinking problem so bad at Miami. He said the increase in drinking is challenging the city's emergency services. (link)

Feb 15, 2017: Police in Eagle Rock are searching for an intruder, accused of breaking into dorms at Occidental College, stealing underwear and engaging in lewd behavior. Campus safety officials released a surveillance photo of the suspect. He managed to get into three residence halls on campus last Friday morning. Students said he stole women's underwear, performed lewd acts in the dorms' bathrooms and left crude messages on whiteboards. (link)

Feb 15, 2017: A top attorney working for Florida State University has been arrested by federal authorities and charged with attempted enticement of a minor. Court records show FSU associate general counsel Dayton Cramer was arrested on Tuesday. FSU spokeswoman Jill Elish said Cramer resigned prior to the university firing him. Cramer was earning more than $156,000 a year at his job. (link)

Feb 14, 2017: An Orange Coast College student who secretly videotaped his instructor making anti-Trump statements was suspended from school and told to write a letter of apology as well as a three-page essay about the incident. The college suspended Caleb O'Neil for the current semester and the summer term, saying he violated a Coast Community College District policy prohibiting recording someone on district property without that person's consent. William Becker, an attorney representing O'Neil, said the sanctions are excessive and the student's legal rights have been violated. (link)

Feb 13, 2017: Four people, including two students, were robbed on the Cleveland State University campus in a 12-day span, school officials said. The robberies, which officials believe are unrelated, all happened between Jan. 25 and Feb. 5. One arrest was made in the Feb. 5 robbery but no one else has been arrested in connection with the crimes. Cleveland State President Ronald Berkman said in a Monday email to students, faculty and staff that the school is increasing police patrols around campus in a response to the recent uptick in robberies. (link)

Feb 11, 2017: A 19-year-old Creighton University student is accused of slashing another student's neck with a knife inside a dormitory early Saturday. Teresa Spagna, 18, who also attends Creighton, suffered a non-life-threatening injury in the cutting about 1 a.m., Omaha Police Lt. Kyle Steffen said. Spagna was cut inside Gallagher Hall, near 27th Plaza and California Street -- just to the north of downtown Omaha -- and taken to the hospital. (link)

Feb 09, 2017: The bus driver for a college basketball team playing against St. Bonaventure University was arrested for DWI after the team's bus went missing Wednesday. State Police said they were called to St. Bonaventure University around 10:45 p.m. for a missing tour bus for the St. Louis University Basketball team. The team had arrived on the campus. The driver - Linda Edmister, 56, of Gasport - failed roadside sobriety tests and was arrested for DWI. She registered a .22 BAC when being processed at State Police headquarters in Olean. (link)

Feb 08, 2017: Almost two months after a secretly recorded video of an Orange Coast College professor's post-election comments about President Trump touched off a firestorm, signs reminding students that in-class recordings are prohibited without instructors' permission have been posted for the spring semester. The classroom signs cite the Coast Community College District's student code of conduct and the California Education Code, which prohibit recordings without permission. (link)

Feb 07, 2017: East Tennessee State University is trying to fire a tenured music professor following an internal investigation that found he sexually harassed two faculty members, according to university records. While he fights his proposed termination, David Champouillon remains on paid suspension. Hundreds of pages of ETSU records show faculty and students have accused Champouillon of lewd and inappropriate behavior. The university initiated an internal investigation after two faculty members filed sexual harassment complaints in late 2016, records revealed. (link)

Feb 07, 2017: Northwestern University is investigating anonymous reports that allege at least three students were sexually assaulted and may also have been drugged at fraternity houses in recent weeks, school officials said. Administrators at the Evanston campus issued a security alert to students Monday after being told that as many as four female students may have been given a date-rape drug during an event Jan. 21 at the Sigma Alpha Epsilon fraternity house. Two of those women believe they were then sexually assaulted, according to the report, though it's not clear how the person who reported the alleged incidents knew of them. (link)

Feb 06, 2017: Washington University in St. Louis lifted its suspension of the men's soccer team Monday after an internal investigation found that the squad didn't violate the school's sexual harassment policy. The men's team was suspended in December for what the private university called complaints of "degrading and sexually explicit" comments and other inappropriate behavior toward the women's team. Details have not been disclosed. But Lori White, the school's vice chancellor for student affairs, announced Monday that a review by the university's Office of Student Conduct and Community Standards determined that not all the men took part in the questioned activities. (link)

Feb 05, 2017: Authorities warn about a group of men who robbed two individuals at gunpoint on the Rowan University campus. The university sent out an alert about the robbery Sunday night. The robbery occurred around 8:40 p.m. in front of Winans Hall on Route 322. Two men were walking outside the hall when a four-door sedan pulled up to them. Inside the sedan were four men. One of the men, described as having a red hooded sweatshirt and gray pants, pulled out a handgun and demanded money. (link)

Feb 03, 2017: The University of Minnesota panel that heard the case of alleged involvement by 10 football players in a sexual assault on campus cleared four students, eased the sanctions on one player and upheld the punishments for the other five. Attorney Lee Hutton III, a former Gophers wide receiver representing nine of the players, confirmed Friday that quarterback Seth Green (one-year suspension), running back Kobe McCrary (one-year suspension), cornerback Antonio Shenault (probation) and safety Antoine Winfield Jr. (one-year suspension) had recommended punishments dismissed. (link)

Feb 03, 2017: People protesting a University of California Berkeley event by the controversial right-wing speaker Milo Yiannopoulos caused more than $100,000 in damage to the campus Feb. 1. There were over 1,500 people on campus to protest the event, but university officials blamed around 150 "masked agitators" who they say joined otherwise peaceful protests and caused the destruction. (link)

Feb 03, 2017: Eleven people have been arrested outside New York University during a heated protest against a conservative comedian who gave a speech at the school, police said on Friday. A group that organized the protest against Vice Media co-founder Gavin McInnes said he was known for using incendiary language, according to local media. The protesters face charges of disorderly conduct, resisting arrest and criminal mischief after they were taken into custody during a demonstration against McInnes, who made an appearance at the university late on Thursday, a New York City Police Department spokesman said. (link)

Feb 02, 2017: City of Beloit police have arrested a Beloit College student who reported derogatory racial and religious graffiti on the door of his dorm after he admitted to writing the messages himself, according to a City of Beloit Police Department news release. Michael Kee, 20, was arrested on charges of obstruction, disorderly conduct and criminal damage regarding the incident, which was reported Jan. 30, according to the release. (link)

Feb 01, 2017: Amid an apparently organized violent attack and destruction of property at UC Berkeley's Martin Luther King Jr. Student Union, the UC Police Department (UCPD) determined it was necessary to evacuate controversial speaker Milo Yiannopoulos from campus and to cancel his scheduled 8 p.m. performance. Yiannopoulos had been invited by the Berkeley College Republicans. Fires that were deliberately set, one outside the campus Amazon outlet; Molotov cocktails that caused generator-powered spotlights to catch fire; commercial-grade fireworks thrown at police officers; barricades pushed into windows and skirmishes within the crowd were among the evening's violent acts. (link)

Feb 01, 2017: Ohio University police arrested about 70 protesters on charges of criminal trespass Wednesday night, after they refused to leave a sit-in demonstration inside Baker University Center, police said. The protest, over President Donald Trump's policies on immigration, started in front of the Athens County Courthouse in downtown Athens, Athens police said. There were about 300 participants at that time, according to a local newspaper. (link)


Other News & Events


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.



Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.