Having trouble viewing this email? View it in your browser.

Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

May 2017
Vol. 9 No. 5
“Whoever is careless with the truth in small matters cannot be trusted with important matters”

-- Albert Einstein

This month we continue our look back and analysis of 2016's Case in Point stories with a focus on the last year's largest category: Compliance and Legal. For the past five or so years, this category has seen tremendous growth.

Much has been written about the growing compliance burden within higher education, and some have speculated that higher education is perhaps the most regulated of industries. Whether we are first or not, we certainly face a vast number of requirements to navigate through.

In reviewing 2016's Compliance and Legal stories, we noted the following top ten topics in order of volume:

  1. Title IX (about a third of all stories)
  2. Sexual Assault
  3. Discrimination
  4. NCAA
  5. Life Safety
  6. Child Pornography
  7. Privacy
  8. Free Speech
  9. Labor Law
  10. Immigration

In an effort to navigate these regulations, we are working to ensure we have in place the best practices for organizational compliance. Ironically, these best practices are codified in the U.S. Federal Sentencing Guidelines. The best practices are:

  1. Standards and Procedures (including a Code of Conduct)
  2. Oversight
  3. Due Diligence over Delegation of Authority
  4. Communication and Education
  5. Monitoring and Auditing
  6. Enforcement and Discipline
  7. Response and Prevention
  8. Risk Assessment

Here at AU, we now have an Institutional Compliance Committee that meets regularly and is made up of the distributed compliance functions across campus. This helps the Office of Audit, Compliance & Privacy provide oversight from an institutional perspective that can then be communicated to the administration and board.

It takes our entire campus community to help ensure compliance with the volume of regulations we face. Every day decisions can have major compliance consequences so please feel free to contact us, or our distributed compliance partners with any questions. We are fortunate to have wise, dedicated, and professional people in these key roles across campus.

We again invite you to review the stories occurring across higher education through the lens of proactive management. If you have any comments or questions, please let us know.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy

Information Security & Technology Events

May 27, 2017: Augusta University says a phishing attack hit faculty email accounts containing the health information of patients. A spokesperson for A-U confirms less than one percent of patients are impacted by the security breach. Officials say an unauthorized third party broke into the medical faculty email accounts. The breach happened between September 7th and September 9th of last year. In addition to patients' full names, the e-mail accounts may have contained any of the following patient information: home address, date of birth, Social Security number, financial account information, medical record number, insurance information. (link)

May 25, 2017: UW Health says that 2,036 patients had information compromised after an employee's email account was used by an unauthorized user. UW Health says they learned on March 28, 2017 that a breach of information happened on March 16, 2017. Officials say an unauthorized individual got access to an employee's credentials and email account. In the review, UW Health found some of the emails compromised contained patient information which may have included patients' names; addresses; dates of birth; dates of service; providers' names; reason for visit; medical history and conditions, medications; diagnostic results and/or social history. (link)

May 25, 2017: Mark Zuckerberg is giving the commencement address at Harvard on Thursday after famously dropping out 12 years ago to create Facebook. And in an ironic turn of events, Harvard's student newspaper, The Harvard Crimson, was hacked on the same day to show fake stories trolling Zuckerberg. Many of the fake stories were quickly taken down, and the Crimson confirmed to Business Insider that it had in fact been hacked. (link)

May 17, 2017: UW-Madison officials had to wrestle back control over their Twitter account Wednesday morning after a hacker posted a series of bizarre and profane tweets to the university's 160,000 followers. Someone accessed the @UWMadison account and tweeted four times between 6:31 and 6:36 a.m., posting a YouTube link and a message that appeared to credit another Twitter user for the hack. Twitter has suspended that user's account. There were few details Wednesday of who took over the account or how the hack was carried out. (link)

May 16, 2017: College information security officers returned to work on Monday with their fingers crossed. Universities in the U.S. dodged the initial wave of a massive cyberattack that, among other disruptions, paralyzed hospitals in Britain, shut down telecommunications services in Spain and brought a temporary halt to Renault's production line in France. Brazosport College in Lake Jackson, Tex., was one of the few institutions in the U.S. that reported cases of the WannaCry attack Friday. The public college, which has about 4,300 students, discovered a total of two computers infected with the malware, said Ron Parker, director of information technology. Both computers were wiped clean, he said. (link)

May 11, 2017: In early December 2016, Adam was doing what he's always doing, somewhere between hobby and profession: looking for things that are on the internet that shouldn't be. That week, he came across a server inside New York University's famed Institute for Mathematics and Advanced Supercomputing, headed by the brilliant Chudnovsky brothers, David and Gregory. The server appeared to be an internet-connected backup drive. But instead of being filled with family photos and spreadsheets, this drive held confidential information on an advanced code-breaking machine that had never before been described in public. (link)

May 05, 2017: A hard drive containing the personal information of 2,200 LSU Health New Orleans patients was stolen in March, and while police quickly made an arrest, the hard drive has not been recovered, the LSU Healthcare Network said Friday. The network said the theft occurred in the Department of Neurology Research on or around March 6. Law enforcement was notified immediately, and a suspect was arrested March 7. The hard drive contained patient lists for research studies done between 1998 and 2009, including names, dates of birth, and diagnosis and treatment codes. (link)

May 03, 2017: The details of a recent data breach affecting 100,000 taxpayers were revealed in testimony before the House of Representatives Oversight and Government Reform Committee in Washington on Wednesday. The data breach involved the IRS's data-retrieval tool that is used to complete the online Free Application for Federal Student Aid (FAFSA). Before it was shut down in March, the data-retrieval tool allowed students and parents to access their adjusted gross income (AGI) information through an interface with the IRS and to complete the FAFSA by transferring the AGI information directly onto their FAFSA form. (link)

Fraud & Ethics Related Events

May 30, 2017: University clarifies that Title IX coordinator, Chris Loschiavo was fired for buying porn on UF account, but Dean Jen Day Saw praised him to next employer. It has been learned that using a university-supplied email, he also bought pornographic videos with titles that included erotic torture and rough sex, cyborg sex, threesome sex and more. Loschiavo was recently hired as the Title IX coordinator of Florida Polytechnic University. His UF supervisor, Jen Day Shaw, gave him an effusive recommendation. Now, both are out of a job. (link)

May 30, 2017: An investigation into outgoing Chancellor Nicholas Dirks' misuse of public funds, which revealed he failed to pay $4,990, cost the university a total of $57,671 to carry out -- more than 10 times the cost of the misused funds -- according to invoice documents obtained by The Daily Californian. The UC Office of the President hired the independent firm Public Interest Investigations, Inc., based out of Los Angeles, to conduct the investigation in April 2016, as previously reported by the Daily Cal. (link)

May 29, 2017: The University of California will no longer pay for its governing board members to throw themselves dinners and parties after a Chronicle report showed that the regents regularly billed the university for their festivities. Although the events were charged to a private endowment, and thus not covered by public money or tuition, the practice will stop "to avoid any question over use of university or university-associated funds," Board of Regents Chair Monica Lozano and UC President Janet Napolitano said in a statement Sunday. (link)

May 24, 2017: A group of Minnesota journalists is asking the University of Minnesota Board of Regents to drop its investigation into news leaks about an alleged sexual harassment case in the school's athletics department. A petition by members of the Minnesota Newspaper and Communications Guild calls on the administration to concentrate on the issue of sexual harassment rather than pursuing any individuals who may have shared information with the media. (link)

May 23, 2017: Questions, and controversy, continue to mount about a 2015 golf junket to Scotland in which the University of New Mexico used public funds to pay for three employees and three private donors. This week, it was revealed that UNM paid much of the expenses for the three private donors. The state Constitution's anti-donation clause prohibits state entities from making gifts to private citizens. UNM also hid the fact it paid for private donors by failing to release that information when it was requested by the Journal several weeks ago. (link)

May 19, 2017: Johnson C. Smith University is investigating its own students after officials said some may have used stolen funds on their student flex cards to buy food on campus. Flex cards hold money that students can use to purchase food at dining establishments on campus.Some students received messages from the school notifying them that they were under investigation for illegally receiving funds from Red Mango and/or Burger King on campus by using their meal card. One student, who didn't want his identity revealed, told Channel that employees at the restaurants are able to illegally add money to student cards. (link)

May 11, 2017: Missing iPads. Unnecessary travel. Improper credit card purchases. A recent audit of the University of Iowa athletics department found that administrators failed to adequately monitor information technology purchases, allowing wasteful spending and creating major risks for equipment theft. The department's IT director, Patrick Delin, left his job in February as auditors were nearing the conclusion of an inquiry that was sharply critical of his practices, Iowa confirmed this week. (link)

May 11, 2017: The University of Minnesota Board of Regents held an emergency meeting Thursday morning regarding a sexual harassment investigation of a top fundraiser in the university's athletics office who violated the school's policy. Board Of Regents Chair Dean Johnson announced the board is launching an investigation into the source of KSTP's report on the sexual harassment investigation. The board is asking each of its 12 members, as well as university employees who had access to the memo provided to KSTP, to sign affidavits that they did not share it. (link)

May 07, 2017: Federal investigators are looking into allegations that Sen. Bernie Sanders' (I-Vt.) wife, Jane Sanders, falsified loan documents while she served as the president of Burlington College, according to a Friday Daily Caller News Foundation report. The small Vermont liberal-arts school closed down in May 2016, after going bankrupt and failing to meet accreditation standards. Jane Sanders has been accused of falsifying the information on the loan documents in order to expand the college grounds. (link)

May 03, 2017: A black rhinoceros horn stolen from a locked room at the University of Vermont is likely destined for the international black market, said a law enforcement agent with the U.S. Fish and Wildlife Service who has worked on rhino horn trafficking cases in the United States and Europe. Special agent Robert Rothe said Wednesday a drill was used to disable a lock on the door at the university's Torrey Hall in Burlington, where the black rhino horn had been hanging for decades. The theft was discovered April 27. (link)

May 03, 2017: The odds were long, but a couple of University of Kentucky students decided it was worth the risk to climb through the ceiling ducts to a teacher's office to steal a statistics exam. Unfortunately for them, the teacher is a night owl. Shortly after police arrived, one of the students returned and confessed. Henry Lynch II, a 21-year-old junior majoring in biosystems engineering, gave police an earful, including that he'd climbed through the building's air ducts to the ceiling above Cain's office and dropped down into the room, then unlocked the door and let in his friend, sophomore Troy Kiphuth, 21, who was not in Cain's class. (link)

Compliance/Regulatory & Legal Events

May 26, 2017: A lawsuit against a UW-Madison official, brought by a student who said the official withheld key information from her while counseling her over her mother's death, has been settled for $200,000, a state Department of Justice spokesman said Friday. UW-Madison student Megan Mengelt sued UW-Madison College of Letters and Science assistant dean Tori Richardson last year after learning that Richardson had been texting with former Lutheran bishop Bruce Burnside shortly before Burnside struck and killed Mengelt's mother, Maureen Mengelt, on April 7, 2013, but never told her. (link)

May 24, 2017: A Towson University student accused of hazing a fellow student has been found guilty. Alexander Cantor was convicted Tuesday on one misdemeanor count of hazing, but he was found not guilty of reckless endangerment, according to the Baltimore County State's Attorney's Office. Cantor and Evan Francis are accused of organizing and leading a fraternity event where a member was forced to drink an unknown substance that destroyed his tongue, esophagus, intestinal liner and stomach. (link)

May 24, 2017: Federal prosecutors say a former music teacher at the University of Alabama has agreed to plead guilty to child pornography charges. Authorities say 41-year-old Nikos Pappas of Tuscaloosa was found with hundreds of photos and videos of child pornography on his home and university office computers. (link)

May 23, 2017: The Nebraska Supreme Court has upheld a ruling that Peru State College was not liable for the 2010 disappearance of one of its students. The court issued its ruling Friday in the lawsuit filed by the parents of Tyler "Ty" Thomas against the Nebraska State College System's governing board. The wrongful death lawsuit contends the college failed to protect Thomas from harm. Thomas was a freshman at the southeast Nebraska college when she disappeared in December 2010 after leaving a party. (link)

May 19, 2017: The University of Iowa will pay $6.5 million to settle lawsuits asserting it discriminated against former Field Hockey Coach Tracey Griesbaum and former Associate Athletics Director Jane Meyer, the UI announced Friday. The settlement, which includes the $1.43 million a jury awarded Meyer earlier this month, came after both sides agreed earlier this week to delay motions seeking additional damages in the Meyer case. (link)

May 17, 2017: A former Baylor volleyball player who says she was gang-raped by several football players in 2012 filed a federal Title IX lawsuit against the university on Tuesday, in which she and her attorneys contradict several statements Baylor's administration had previously issued about her alleged assault. The woman's lawsuit asserts that the members of the Baylor football team had "already developed a system of hazing their freshman recruits by having them bring or invite freshman females to house parties hosted by members of the football team. At these parties, the girls would be drugged and gang raped, or in the words of the football players, 'trains' would be run on the girls." (link)

May 17, 2017: A Cal State Chico fraternity has been charged with cutting and damaging 32 trees in the Lassen National Forest during an initiation ceremony for new pledges, federal authorities said. The university's Pi Kappa Alpha chapter and its president, Evan Jossey, are facing 32 counts of cutting or damaging any timber, which was destroyed at the Deer Creek Trailhead campground during the weekend of April 21, according to Nancy Barrera, a spokeswoman for the Lassen National Forest. (link)

May 17, 2017: The man who spent years ruling on Wesleyan University's sexual misconduct hearings has been charged with trying to meet with a minor for sex. Scott Backer, 39, was arrested four months after a man not connected with the police posed as a 15-year-old girl on the phone messaging app "Yik Yak," the Hartford Courant reports. Prior to his arrest, Backer was fired from his position as Wesleyan's associate dean of students hours after a Boston Globe reporter asked administrators whether they knew that Backer had been, in the same year that he was hired by Wesleyan, fired from his position at a Vermont boarding school for "propositioning" a teenage girl through numerous text messages. (link)

May 15, 2017: Auburn University is paying almost $30,000 to end a lawsuit that cleared the way for a white nationalist to speak on campus. A university statement says officials will pay $29,000 in legal fees for Cameron Padgett. The Georgia man filed suit to reverse the school's decision barring Richard Spencer from speaking at Auburn last month. A federal judge in Montgomery dismissed the lawsuit in an order Friday after attorneys for Padgett and Auburn filed a joint agreement. (link)

May 11, 2017: Bipartisan Tennessee lawmakers passed a free speech law Tuesday that protects students' First Amendment rights on college campuses. GOP Tennessee Gov. Bill Haslam signed the Campus Free Speech Protection Act after the state's House of Representatives passed it in a 85-7 vote and the Senate unanimously approved it, Foundation for Individual Rights in Education (FIRE) reported Wednesday. The law will ban the establishment of "free speech zones," used by administrators to confine controversial speech to specific areas on campus. (link)

May 10, 2017: Lynn University decided not to take its chances with a jury after a federal judge gave the green light to a lawsuit against it by a student accused of rape. "John Doe" filed his due process lawsuit nearly a year ago, after the private Florida university suspended him and revoked his academic and athletic scholarships -- weeks before his hearing -- following an accusation that local police deemed "unfounded." One day ahead of a scheduled hearing on Lynn's motion for summary judgment, the university reached a confidential settlement with Doe. (link)

May 08, 2017: A former Miami University police sergeant was indicted on charges of gross sexual imposition, kidnapping and two counts of abduction last week. Dustin Young, 36, was investigated by Miami University after another school employee made allegations of sexual misconduct, a university spokeswoman said Monday. Court documents show that the alleged incidents occurred August through November of 2016. (link)

May 07, 2017: Texas Gov. Greg Abbott signed a sweeping ban on "sanctuary cities" into law on Sunday, giving police officers new authority to question a detained person's immigration status and blocking local entities from passing laws that would prohibit these questions from officers. Senate Bill 4 applies to officers across the state, including on college campuses. It excludes those who are contracted by religious groups and schools, government mental health care facilities and hospitals. (link)

May 05, 2017: Eighteen Penn State fraternity brothers have been charged with crimes ranging up to involuntary manslaughter in the death of a pledge who authorities say repeatedly fell down a flight of stairs after he and others were made to run a gantlet of drinking stations guzzling vodka, beer and wine. Beta Theta Pi members resisted getting help for 19-year-old Timothy Piazza, causing him to suffer for hours and possibly making his injuries worse, a prosecutor said Friday in announcing the results of a grand jury investigation. (link)

May 04, 2017: A Polk County jury handed Jane Meyer a sweeping victory Thursday in her discrimination lawsuit against the University of Iowa, awarding her $1.43 million in damages. The jury of five women and three men ruled in Meyer's favor on all five of her claims -- gender and sexual orientation discrimination, retaliation and whisteblower violations, and unequal pay. (link)

May 04, 2017: A Milwaukee County Circuit judge ruled Thursday that Marquette University had the legal right to suspend a tenured political science professor who opened a student up to threats by criticizing her by name on his politically conservative blog. In a 33-page ruling, Judge David Hansher found that because John McAdams named the graduate student instructor in a November 2014 blog post criticizing her handling of a confrontation with a student, it could bring negative attention to her, and he was prohibited from doing that. (link)

Campus Life & Safety Events

May 26, 2017: Beginning July 1, a new law in the state of Georgia will allow fans with concealed firearm permits to carry handguns during tailgating events at public universities, but guns will still not be allowed inside athletic events. As a result, University of Georgia chancellor Steve Wrigley addressed how the law would affect Bulldogs football games. There are six home contests slated for Sanford Stadium in 2017, beginning Sept. 2 against Appalachian State. (link)

May 24, 2017: Middlebury College has disciplined 67 students for their involvement in protests that shut down a lecture by conservative writer Charles Murray in March, the college said Tuesday, as local police opted against bringing criminal charges. A total of 67 students were disciplined by the school for violating its policies on protests and general conduct, which prohibit "negligent or reckless use of physical force" and "prevention of another's ability to communicate or move freely." The sanctions ranged from probation to "official college discipline," a more serious measure that places a permanent record in the student's file, the college said. (link)

May 21, 2017: Thirteen students at Carleton College have been suspended for an entire school year. Administrators said it's because of a hazing incident involving extreme alcohol consumption. It happened in the early morning hours of April 28. They said the group was trying to initiate at least 13 people into a secret, social club. Northfield police are also getting involved after a sexual assault allegation followed the incident. It's a story many never would have expected to come out of their college. (link)

May 20, 2017: A Saturday morning stabbing at the University of Maryland left one man dead in what police are calling a "totally unprovoked" attack. The man killed was a Bowie State University student who was waiting for an Uber ride with two friends, said David B. Mitchell, the chief of police at the College Park campus. The suspect in the slaying is a U-Md. student. The suspect and student stabbed did not know each other, Mitchell said. (link)

May 18, 2017: The University of Kentucky has suspended a fraternity for six years for paddling pledges and other forms of hazing, according to disciplinary records. Kappa Alpha Psi, a historically black fraternity at UK, was suspended on March 28, 2017, according to a March 28 letter from Dominick Williams, the acting director of the Office of Student Conduct, to Kappa Alpha Psi president Dwayne Sutton, who accepted responsibility for the behavior that occurred in the spring 2017 semester. (link)

May 18, 2017: Police have arrested four suspects in an aggravated assault reported Wednesday, May 17 on the University of Michigan campus. The University of Michigan canceled its crime alert Thursday, May 18, announcing the arrest of four individuals about 10 p.m. Wednesday. Police believe the attack began about 1:30 a.m. Wednesday when a student pedestrian was approached by two women who began punching her near the West Hall Arch, near the 1000 block of South University Avenue at East University Avenue. (link)

May 10, 2017: The horrific death of Penn State University student Tim Piazza, who died 12 hours after drinking heavily and falling down a flight of stairs at the Beta Theta Pi fraternity, may finally bring to light a deeply troubling subculture of hazing at Penn State and colleges around the country. And that would be long overdue. But just as likely, this case will end like so many before it, as a missed opportunity to truly change the way campuses deal with crime. (link)

May 10, 2017: Illinois has suspended three football players indefinitely after their arrests on charges of home invasion and armed robbery. Offensive lineman Darta Lee and tight end Zarrian Holcombe, both sophomores next season, and offensive lineman Howard Watkins, a freshman who enrolled in January, were arrested after an incident Wednesday morning in a university dormitory, Champaign police confirmed to the Tribune. According to a police spokeswoman, Lee, 18; Holcombe, 19; and Watkins, 18, entered the victim's dorm room wearing masks after 3 a.m. and announced a robbery. (link)

May 10, 2017: For the second time in 10 days, USF football player LaDarrius Jackson has been charged with forcing a woman to have sex. Two women and two law enforcement agencies have now leveled charges against the 22-year-old junior defensive end, who was kicked off the team after the second arrest Wednesday, USF said. He spent four nights in jail after his first arrest but only an hour after his second. He was released Wednesday on a $9,500 bond, the same amount that won his release on the initial charges. (link)

May 09, 2017: Officials with the University of Arizona have withdrawn recognition for the Alpha Sigma Phi Fraternity chapter after multiple violations including allegations of hazing. The allegations included assault on a pledge member, endangerment and providing alcohol to minors. A release from the school says the University of Arizona Police Department arrested one student in connection to the assault. (link)

May 02, 2017: A former Roanoke College student has been charged with aggravated sexual battery in an incident in a campus dormitory last month, according to court records. James Douglas Caruso, 19, is charged with aggravated sexual battery in which the victim is incapacitated, object sexual penetration and sodomy against a helpless victim, according to online court records. Roanoke College spokeswoman Theresa Gereaux said Caruso was a student at the time of the incident but is no longer enrolled at the college. (link)

May 02, 2017: The University of Texas at Austin resumed classes Tuesday after a violent attack on campus Monday left one student dead and three wounded. Harrison Brown, a freshman from Texas, was killed in the attack, according to officials at his former school district. The suspect, Kendrex White, who is also a student at UT, was taken into custody within minutes of his sudden attack with a knife on campus, police said. (link)

May 01, 2017: A University of Iowa student has been charged with threat of terrorism after police say he threatened to bring a gun to graduation. Soliman Obaid B. Altamimi, 25, went to the university's International Programs Office at the University Capitol Center around 11:30 a.m. on Friday and asked to make a speech at the graduation ceremony, according to UI police complaints. When staff told Altamimi he couldn't give a speech, he replied that he "will bring a gun to the final ceremony." (link)

Other News & Events

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.