
Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

December 2017
Vol. 09 No. 12
“The first step towards getting somewhere is to decide that you are not going to stay where you are.”

-- J. Pierpont Morgan

This month concludes our 9th calendar year of publishing Case-in-Point: Lessons for the Proactive Manager. We appreciate you receiving our publication each month and always welcome suggestions for how this publication can be improved. It still boggles my mind to think that our first newsletter, which was sent to seventy-seven Auburn administrators in 2009, would grow into something that reaches coast to coast (and even a few institutions outside of the United States). We hope that this publication continues to be useful to you as you carry out your specific role in higher education.

Last month's column was a little different from the norm. I suggested you consider three questions as we near the end of the year:

  1. Why do we do things the way we do them?
  2. Are there changes we can make to do things more efficiently?
  3. Are there things we can do to make our institution better?

These questions took on a slightly different view for me a few days ago as I was listening to a compliance-related podcast on the topic of ethical behavior. The speakers were discussing recent research on organizational ethics, and the conversation took a turn I didn't expect.

The discussion moved toward the topic of "stupid rules." The researcher mentioned how most organizations have at least a few "stupid rules" which she defined as, "onerous administrative requirements that are unnecessary and require people to make an effort to work around them." This working around the rules can set the stage for eventually moving toward working around the rules that are really necessary and important. One can easily see how this kind of thinking and "working around" can have a negative effect on our important controls and processes.

We are a highly regulated industry and there are clearly many things that are musts, but as I reflected on the podcast discussion, I thought that maybe those three questions take on a new light. They are definitely worth a few minutes of your consideration. In fact, if you come up with something that you believe is particularly in need of change, let me know. Perhaps we can assist you in evaluating and implementing your idea.

On behalf of the entire staff of OACP, we hope you have a great holiday season and look forward to reconnecting in 2018. We again invite you to scan the events happening throughout higher education with a view toward proactively managing risks. As always, we welcome your comments.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy

Information Security & Technology Events

Dec 15, 2017: LSU is mailing letters to approximately 5,500 individuals whose information may have been contained on a university-owned laptop that was recently stolen from an LSU employee. The laptop may have contained individuals' full names, dates of birth, Social Security numbers and/or driver's license numbers. The laptop may also have contained the names and credit card information for a very small number of individuals. (link)

Dec 14, 2017: Who knew that getting a great deal on snowflake socks or yoga mats could put your organization at risk? It's that time of year when the shopping frenzy is upon us. The holidays put everyone at a heightened risk for online scams, scareware, and phishing attempts. Your employees could be the perfect targets for cyber criminals to use phishing scams to infiltrate your company with malware or worse. Up to 95 percent of all attacks on enterprise networks are the result of successful spear phishing, according to a study by SANS. (link)

Dec 14, 2017: A team of three researchers from the University of California, San Diego (UCSD) has created a tool that can detect when user-registration-based websites suffer a data breach. In a live test, researchers said they registered accounts at over 2,300 sites. At the end of the study's period, scientists said that attackers accessed email accounts for 19 of these sites, including one with a userbase of over 45 million. (link)

Dec 13, 2017: A 21-year-old Fanwood man, a former Rutgers University undergraduate student, is facing prison after admitting to launching a cyber attack on the university's computer network that effectively shut down its server, impacting communication by staff, faculty and students. Paras Jha pleaded guilty to violating the Computer Fraud & Abuse Act on Wednesday before U.S. District Court Judge Michael Shipp, according to Acting U.S. Attorney William E. Fitzpatrick of the District of New Jersey. (link)

Dec 08, 2017: UNC Health Care is notifying 24,000 patients about a potential security breach at a UNC dermatology practice in Burlington. UNC said Friday that personal patient information was contained on a hard drive of a computer that was stolen from UNC Dermatology & Skin Cancer Center in October. The computer's hard drive is password-protected and contains information pertaining to patients seen by the practice through September 2015, when it was acquired by UNC Health Care. The computer's patient database contains patient names, addresses, phone numbers, employment status, employer names, birth dates and Social Security numbers. (link)

Dec 07, 2017: Clarion University was notified of an email compromise that occurred because of a criminal phishing scam that compromised two email accounts in the registrar's office.

Dec 06, 2017: The chief digital officer of Stanford's Graduate School of Business has resigned after the university failed to disclose a data breach of personal information.

Dec 04, 2017: A series of cybersecurity vulnerabilities at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations, disciplinary actions and more. The details of what happened - and why it should be an object lesson for higher education. (link)

Dec 04, 2017: An attack on a single IV infusion pump or digital smart pen can be leveraged to a widespread breach that exposes patient records, according to a Spirent SecurityLabs researcher. "Perpetrators can use this patient information to file false insurance claims as well as to buy medical equipment and drugs using a fake ID. These products are then easily sold on the black market," Harit says. "What makes medical data more lucrative than the financial data is the low and slow detection rate of the fraud itself. While a credit card fraud can be detected and blocked in a matter of minutes these days, medical data fraud can go undetected for months, if not more." (link)

Fraud & Ethics Related Events

Dec 15, 2017: A Clemson University student and former treasurer of the school's sailing club is accused of using the organization's credit card to pay for his tuition, rent and a spring break trip to Key West, Florida. Mateo Gomez, 22, was arrested Friday and charged with a breach of trust, according to the South Carolina Law Enforcement Division. (link)

Compliance/Regulatory & Legal Events

Dec 17, 2017: A Roanoke College coach faces drug-related charges, according to court documents. On Tuesday, Dec. 12 police arrested and charged David Sampson with a felony and misdemeanor count of possession of a controlled substance. As 10 News previously reported, Roanoke College strength and conditioning coach Sampson was found with multiple steroid-related supplies in his office and home earlier this year. (link)

Dec 16, 2017: South Carolina State University and two university-related groups will pay nearly $438,000 to settle a wrongful-death lawsuit filed after a student shot and killed a member of the school's football team. The lawsuit alleged the university knew that sophomore Justin Singleton had a history of violent conduct but allowed him to continue as a student at the school where his mother worked. (link)

Dec 14, 2017: The University of Louisville has filed a counterclaim to former basketball coach Rick Pitino's lawsuit and is seeking monetary damages from vacated games and bonuses. The counterclaim noted that the NCAA ordered the school to return money it received for some basketball tournaments. The counterclaim filed Wednesday in U.S. District Court said the school also wants any bonuses and other compensation "wrongly paid" to Pitino for the tournament appearances. (link)

Dec 14, 2017: Radford police have arrested 17 men after an alleged hazing incident. The incident happened September 14 in the 1200 block of Downey St. A college student and potential pledge was branded at a rogue fraternity party near Radford University. According to search warrants, the male student was forced to drink a large amount of liquor, then was burned after he passed out. (link)

Dec 13, 2017: Oberlin College has filed a motion to dismiss a lawsuit against the institution from Gibson's Bakery, which is asking for more than $200,000 in damages stemming from a November 2016 incident in which a student attempted to steal wine from the shop and a community uproar followed. Gibson's suit names the college and Meredith Raimondo, vice president and dean of students, as defendants. The complaint accuses the college of libel, slander, interference with business relationships, interference with contracts, deceptive trade practices, intentional infliction of emotional distress, negligent hiring and trespass. (link)

Dec 13, 2017: A former Mercyhurst University official has been indicted on charges he falsely claimed on a visa form that a student had been accepted to a Mercyhurst master's degree program. He is now employed as the associate director of Gannon University's office of global admissions and outreach. The defendant, 47-year-old Daniel Cabanillas, of the 4100 block of West 38th Street, is charged with two felony counts of visa fraud, the U.S. Attorney's Office in Erie announced Tuesday. The indictment charges Cabanillas submitted false information indicating an individual, identified in court records as H.V., had been admitted to Mercyhurst's master's program in data science. He knew that H.V.'s acceptance letter into the program was fabricated, according to the indictment. (link)

Dec 11, 2017: UConn police have charged a Quinebaug College adviser with attempted theft and disorderly conduct after Lucian Wintrich's contentious speaking engagement late last month. Catherine Gregory, 33, of Willimantic, was charged with attempted sixth-degree larceny and disorderly conduct. She was arrested over the weekend. She is accused of stealing Wintrich's speech from the lectern during his engagement last month at UConn. An ensuing scuffle led to charges for Wintrich, a conservative commentator. (link)

Dec 08, 2017: Law enforcement has arrested the man who allegedly posed as a rideshare driver to pick up young women, including University of South Carolina students, and held them against their will. Farris Kaloti, 28, was arrested in a suburb of Miami Thursday, according to a report verified by Jeff Stensland, USC's Director of Public Relations. Kaloti was arrested by the Pinecrest Police Department on two outstanding arrest warrants, one for assault and the other for domestic violence, both unrelated to any incident involving USC students, according to USC. (link)

Dec 08, 2017: Larry Nassar -- the disgraced ex-gymnastics doctor accused of assaulting more than 140 women and girls, including several Olympic stars -- was sentenced Thursday to 60 years in federal prison on pornography charges. Nassar, who's pleaded guilty to 10 counts of sexual assault, was sentenced in a separate case Thursday in which he was found to have received and possessed 37,000 images of child pornography and attempted to destroy pictures to avoid charges. Federal Judge Janet Neff said Nassar, 54, "should never again have access to children." (link)

Dec 08, 2017: A burglary investigation led to the arrest of a college professor on child pornography charges. California State University, Bakersfield professor Theodore Ishida was arrested Friday after an investigation into the burglary of his home found that he possessed child pornography, which he downloaded to his personal computer from a CSUB computer. (link)

Dec 08, 2017: An employee at California State University, Bakersfield has pleaded no contest to a felony count of grand theft of property and a misdemeanor count of embezzlement. Angela Mora was charged after $44,000 was taken from the university's Wells Fargo account. (link)

Dec 07, 2017: Northwestern University is being sued by a student who contends that the university denied him his right to due process when it concluded that he had sexually assaulted a fellow student and then kicked him out of school last year. Filed in federal court in September, the suit argues that Northwestern's sexual misconduct policies so heavily favor accusers that respondents have little ability to defend themselves. He contends that Northwestern's procedures denied him a fair hearing and that the punishment ruined his reputation and career prospects. Neither student is named in the lawsuit. The case is just one of many across the nation that have put universities in the midst of a roiling debate over how to handle allegations of sexual misconduct in higher education. (link)

Dec 04, 2017: A Broomall man is found guilty of several charges that were filed against him after he was caught secretly videoing people inside a bathroom at Villanova University. Vincent Kane celebrated his 20th birthday with an appearance before Delaware County judge James Bradley, who found Kane guilty of 10 counts, including child pornography and invasion of privacy. The investigation started when police say Kane's phone was found recording in a unisex bathroom in a Villanova dorm. Investigators say they found a drive hidden in Kane's closet with more than 51,000 similar images or videos. (link)

Nov 30, 2017: Former University of Louisville basketball coach Rick Pitino is asking for more than $35 million in a federal breach of contract lawsuit filed Thursday against the school's athletic association. Pitino was fired in a unanimous vote by the University of Louisville Athletic Association board on Oct. 16. The move came in connection with a national college basketball recruiting scandal, part of which federal investigators said included a scheme to pay the families of Louisville recruits. (link)

Nov 30, 2017: A sixth woman has accused Howard University of mishandling a sexual assault allegation, becoming the latest to raise concerns about how the institution has dealt with such cases in recent years. The woman's allegations are detailed in court documents, which seek to expand a federal lawsuit against the university to include her case. Months ago, five other women sued Howard, accusing the Northwest D.C. university of a "discriminatory and retaliatory response to multiple complaints of sexual assault and harassment." The women, all Howard students or former students, are identified in court documents as Jane Does 1 through 6. They allege the sexual assaults were perpetrated by male Howard students and employees, and happened between 2014 and 2016. (link)

Campus Life & Safety Events

Dec 18, 2017: Sacramento State students may be among the first people in the capital region to take a ride on the robot car revolution, if a handful of local leaders can turn a recent brainstorm into reality. University, transit and city transportation officials have begun talking about setting up an autonomous shuttle bus system to ferry students between campus and the 65th Street light rail station a mile away. The idea, first reported by the State Hornet student newspaper, is in its early stages, with plenty of hurdles, including the fact that it is not yet legal in California to operate an autonomous vehicle on city streets unless there is someone sitting in the driver's seat ready to take over, in case something goes wrong. (link)

Dec 15, 2017: The University of Tennessee Knoxville deleted a tweet Thursday responding to concern over hate speech on the Rock in the midst of calls for the university to do more to condemn it. The response came after someone painted the words "white pride" on the boulder, which serves as a campus message board. Students and others were quick to condemn the message. (link)

Other News & Events

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.


Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.