Having trouble viewing this email? View it in your browser.

Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

August 2020
Vol. 12 No. 08
“True prevention is not waiting for bad things to happen, it's preventing things from happening in the first place.“

-- Don McPherson

Last month we concluded our annual tradition of reviewing the prior year's events by category. I suppose our 2020 review will be unique since nothing about 2020 has been normal or expected. One thing that is still the same is the need for proactive risk management. Our operations in higher education may be slightly different now and range from all online to some unique mix, but no matter where your institution is on that spectrum, the need for proactive and agile risk management is more important than ever.

I thought this month would be a good time to remind our readers of some basics on how we suggest you use this monthly publication. Keep in mind the mode of operation has changed for us all so that needs to be factored into this evaluation.

  1. Scan the headlines and stories from the entire newsletter, not just the area or topics for which you are responsible. If you see an interesting story, forward the newsletter to your colleague who you believe owns that specific risk and let them know you thought the story might be of interest. Developing a risk-intelligent institution takes each of us working together to help educate and inform each other. Who knows? Perhaps you will share information with a colleague that will help prevent your institution from becoming a headline.
  2. Read the articles that detail any specific risks or topical areas that apply to you. Think honestly about your own operations and whether you have proactive processes, procedures, or activities in place that reduce the risk to a level that you can live with.
  3. Talk to your employees who are responsible for managing any specific area of risk that catches your eye in the newsletter. Don't make the assumption that they are aware of what is happening at other institutions. In conversation, send the message that proactive action is important to you and your institution. You may learn that the proactive actions you think are occurring have not made it to those doing the daily work.

We hope you will take our suggestions as you review the events from the prior month. As always, we welcome your comments or suggestions.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy
Follow us onTwitter

Information Security & Technology Events

Aug 31: Ransomware: When threat actors gave Greenville Technical College in South Carolina until September 4 to respond to their ransomware demands, the college didn't worry. They had decided not to pay because they were able to recover from the attack without paying for a decryption key. But there was a second part to the ransomware attack -- the threat actors had claimed to have successfully exfiltrated personal information of staff and students. And today, the threat actors are claiming that the college has lied to its staff, its students, and the public in claiming that it successfully dealt with the attack. (link)

Aug 21: Ransomware payment: The University of Utah paid nearly half a million dollars to stop a data leak after a ransomware attack, according to a posting on the university's website. The ransom payment prevented hackers from releasing stolen student and employee information from servers in the university's College of Social and Behavioral Science. (link)

Aug 17: Health Care Data Breach: The director of the health clinic at the University of Lethbridge says she has taken steps to ensure patient information remains secure after a data breach earlier this summer. The breach was caused by a spreadsheet that was mistakenly sent to a student with the same name as a staff member. (link)

Aug 16: Identity Theft Prevention: For college freshmen leaving home for the first time, summer can be a frenzied time of shopping for dorm room essentials, packing up clothes and saying goodbye to high school friends. In the midst of this hustle and bustle, parents need to make time to talk to their students about money and protecting themselves against identity theft while they're on or off campus during the pandemic. (link)

Aug 10: ProctorU Hack: ProctorU, a proctoring platform for online exams, has disclosed that it was the victim of a major data breach. ProctorU allows teachers to ensure that students don't cheat when they take part in online exams. The ProctorU database apparently contains the details of 444,000 people, including names, home addresses, emails, cell phone numbers, hashed passwords and organization details, according to Bleeping Computer, which had a look at the stolen information. Presumably, the majority of records pertained to current or recent college students. (link)

Aug 10: Privacy: Alabama's colleges and universities now have another way to help track COVID-19 cases on campus. It's an app called GuideSafe. The University of Alabama at Birmingham, in partnership with Google and Apple, created it to alert students who may have had close contact with someone who tested positive. "We will be asking students to do it, but not necessarily requiring them to do it," said Abel. App users will self-report if they test positive for COVID-19. The app will use Bluetooth technology to determine if you've been in contact with someone who's tested positive within 14 days. UAB acknowledges the privacy concerns some may have. (link)

Aug 10: Data Breach: An unauthorized party gained access to Michigan State University's online store, shop.msu.edu, and placed malicious code to expose shoppers' credit card numbers between Oct. 19, 2019 and June 26, 2020. The intrusion was a result of a vulnerability in the website which has since been addressed. Once the university was notified, an initial investigation determined the exposed information included names, addresses and credit card numbers of about 2,600 customers. (link)

Aug 03: Privacy: Oakland University will require residents to wear a "BioButton" in residence halls when students return to campus this fall amid the coronavirus pandemic. The "BioButton" is wearable technology that monitors your vitals, including temperature and heart-rate, in real time. It can last for up to 90 days. It's meant to be worn on the chest and connects to your mobile device. "The individual data will remain private to the wearer and is not shared with others," the university states on its website. A group of Oakland University students have launched a petition against the policy, citing an intrusion of privacy and data. (link)

Fraud & Ethics Related Events

Aug 28: Admissions Scandal: So far, 55 defendants have been charged in connection with the college admissions scandal, and of those, 41 have either pleaded guilty or agreed to plead guilty, according to the US Attorney's Office. Of those, 28 parents, including Loughlin and Giannulli, initially pleaded not guilty. Twenty parents have been sentenced, while 13 others, including coaches, administrators, members of Singer's group and Mark Riddell, the expert test taker, have pleaded guilty or agreed to plead guilty. (link)

Aug 28: HIPAA Insider Threat: The next crop of health care professionals has a price when it comes to illegally releasing confidential medical information, according to researchers at Florida Atlantic University, Baylor University and the State University of New York at Buffalo. While many of the graduating students interviewed believed there would be a high probability of getting caught, they said they still would be willing to violate regulations of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, the research showed. (link)

Aug 18: Student Load Fraud: A former employee in the admissions office of Tennessee State University in Nashville has been sentenced to 32 months in federal prison for fraudulently receiving and misappropriating more than $84,500 in student loan payments. Renauld Clayton pleaded guilty earlier this year to to student loan fraud, aggravated identity theft and wire fraud. Clayton admitted that during the 2014-15 school year, he obtained the personal identifying information of Tennessee State students and others and applied for student loans in their names. (link)

Aug 17: Admissions Scandal: A former employee of the Houston Independent School District agreed to plead guilty Thursday in connection with her involvement in the college admissions scandal that rocked the country last year, according to a release from the U.S. Attorney's Office. Niki Williams administered the SAT and ACT tests at the high school in Houston where she worked. She is accused of pocketing thousands in bribes from parents all across the country to help their children get a better score on the ACT and SAT. (link)

Aug 11: Theft: University of Colorado Boulder Police are looking for six people they believe stole "several memorabilia items" from the university's Events Center. The six entered the center about 1:30 a.m. Monday, according to a tweet from police. One of the items stolen was a signed basketball. Police spokesman Scott Pribble said he could not disclose what other items were stolen. Police tweeted photos Tuesday of the six people that were taken from security cameras, and believe there were three women and three men. (link)

Aug 10: Embezzlement: A former Texas Southern University dean has been charged with theft after being accused of stealing from the university. According to authorities, 52-year-old Edward Wayne Rene is accused of awarding double tuition scholarships to at least two students and then making them return the extra money, which he allegedly took. Rene, who is a former assistant dean at TSU law school, has been charged with theft by a public servant of $30,000 to $150,000, which is a second-degree felony. (link)

Aug 06: Property Theft: A Utah State University employee accused of stealing computer hardware from the school was charged Thursday. Terry Jason Trinkella, 34, of Hyrum, Cache County, was charged in 1st District Court with four counts of burglary and theft, both third-degree felonies; theft, a class A misdemeanor; and three counts of theft, a class B misdemeanor. According to a search warrant affidavit, USU police had been investigating "a series of computer hardware thefts from three buildings on the USU campus located in close proximity to one another. The thefts include computer hard drives, wireless network cards and an Apple Surface Studio computer. The thefts occurred in classrooms that are used for the purpose of transmitting USU courses electronically and are thus kept in an unlocked and accessible state." (link)

Compliance/Regulatory & Legal Events

Aug 31: Export Control: The US Department of Justice (DoJ) has charged a Chinese researcher at the University of California, Los Angeles for allegedly destroying evidence relating to a federal investigation into the possible illegal transfer of US technology to China. The charged individual, Guan Lei, allegedly threw a hard drive into a dumpster nearby his US residence prior to attempting to board a flight to China. (link)

Aug 28: Foreign Influence: An Indiana University doctoral student from China has been arrested by federal agents who say he lied on his visa application and was working for the Chinese government. The student was indicted and charged on Aug. 4 in federal court with a visa violation and lying to U.S. government officials about his connection to the Chinese government. The indictment specifically says he met with officials from the Consulate of the People's Republic of China on July 17 and lied to FBI agents about it the next day. (link)

Aug 28: Theft of Trade Secrets: A Chinese national conducting research at the University of Virginia was arrested Friday and charged with two federal crimes, according to the US Attorney's Office. The researcher is charged with theft of trade secrets and accessing a computer without authorization, or exceeding authorization to obtain information from a protected computer. (link)

Aug 27: Sexual Harassment: Members of the Yale Law School faculty received a terse message from their provost informing them a professor ''will leave his position as a member of the YLS faculty for a two-year period, effective immediately,'' and that upon his return, he would be barred from teaching ''small group or required courses. He will be restricted in social gatherings with students.'' Three people familiar with the investigation that led to the suspension said it stemmed from the university finding a pattern of sexual harassment of several students. The allegations, which spanned decades, included verbal harassment, unwanted touching, and attempted kissing, both in the classroom and at parties at the professor's home. (link)

Aug 27: NCAA Investigation: The NCAA says LSU men's basketball coach Will Wade either arranged for or offered "impermissible payments" to at least 11 potential recruits or others around them, according to documents obtained Wednesday by ESPN. The documents say the NCAA's enforcement staff received information that Wade ''arranged for, offered and/or provided impermissible payments, including cash payments, to at least 11 men's basketball prospective student-athletes, their family members, individuals associated with the prospects and/or nonscholastic coaches in exchange for the prospects' enrollment at LSU.'' (link)

Aug 27: UCLA is suing Under Armour Inc. for more than $200 million after the Baltimore sportswear maker attempted to terminate its recording-breaking sponsorship deal with the school. The lawsuit filed in California District Court Wednesday claims that Under Armour breached its contract by attempting to end the 15-year, $280 million agreement using the ongoing novel coronavirus pandemic as "pretext" to get out a deal that "seemed too expensive for the financially-troubled sportswear company." (link)

Aug 27: Terrotistic Activity: A former St. Catherine University student who was charged with attempting to provide information to a terrorist group in 2018, changed her plea to guilty Wednesday. According to charging documents, prosecutors believe she attempted to provide information to al-Qa'ida, and was engaging in terroristic activity in 2017. She has now pleaded guilty to this charge. She was also charged with attempting to destroy the St. Mary Hall building at St. Catherine University by starting a fire, and providing false statements to federal agents. (link)

Aug 24: Foreign Influence: A criminal complaint has been unsealed today, charging Zhengdong Cheng of College Station, Texas, for conspiracy, making false statements and wire fraud. Cheng allegedly led a team conducting research for NASA. According to the criminal complaint, for several years he willfully took steps to obscure his affiliations and collaboration with a Chinese University and at least one Chinese-owned company. The terms of Cheng's grant prohibited participation, collaboration or coordination with China, any Chinese-owned company or any Chinese University, according to the charges. (link)

Aug 24: Foreign Influence: Attorneys for University of Kansas chemist FengTao have filed motions to dismiss the federal case against him for fraud and making false statements stemming from his interactions with China. A June 24 indictment alleges that, while employed as a KU chemical engineering professor with funding from US agencies, Tao concealed that he also secured a full-time faculty position at Fuzhou University in China. The indictment charges him with seven counts of wire fraud involving several emails and submission of inaccurate KU forms. The indictment also charges Tao with three counts of making false statements on KU conflict-of-interest forms and to the US Department of Energy (DOE). (link)

Aug 17: Discriminatory Practices Lawsuit: A lawsuit filed in New Hanover County Superior Court alleges that UNCW discriminated against a Black contractor, breaking a contract with him and instead awarding work to a less experienced white contractor. The lawsuit is being brought by Robert Dorsey, who alleges that after years of dorm-painting work for UNCW the University broke a contract with him to pay another contractor to do the work. (link)

Aug 17: Tuition Lawsuit: Northwestern University has been sued in federal court over its decision to charge full tuition in Spring Quarter while shifting entirely to remote classes due to the COVID-19 pandemic, according to a lawsuit filed Friday. The plaintiff, Nathaniel Polley, is a recent graduate who seeks ''for himself and the putative class members, a return of a prorated portion of the tuition, fees and other related costs, proportionate to the diminished value of online classes, campus services and access to campus facilities,'' according to the lawsuit, filed in the U.S. District Court for the Northern District of Illinois. (link)

Aug 17: Misuse of University Resources: A UC San Diego doctor violated a litany of university policies while developing and researching his experimental brain treatment, according to a recently concluded UCSD and UC Office of the President inquiry. That two-year investigation into Dr. Kevin Murphy found he misused university resources to promote and benefit his private companies, falsely claimed ownership over an invention, provided patient care without authorization and repeatedly violated university policies about disclosing his business interests. (link)

Aug 14: Title IX Changes: College officials across the country have been debuting plans over the past week to abide by new federal rules for responding to complaints of sexual misconduct on campus. The rules go into effect today as many colleges are preparing for the start of the fall semester or have already begun the new academic year. (link)

Aug 13: Civil Rights Violation: The Department of Justice today notified Yale University of its findings that Yale illegally discriminates against Asian American and white applicants in its undergraduate admissions process in violation of Title VI of the 1964 Civil Rights Act. The findings are the result of a two-year investigation in response to a complaint by Asian American groups concerning Yale's conduct. The Department of Justice found Yale discriminates based on race and national origin in its undergraduate admissions process, and that race is the determinative factor in hundreds of admissions decisions each year. For the great majority of applicants, Asian Americans and whites have only one-tenth to one-fourth of the likelihood of admission as African American applicants with comparable academic credentials. (link)

Aug 13: Title IX Lawsuit: A former Shippensburg University student has filed a sexual harassment complaint against the school, claiming it failed to protect her against unwanted sexual advances from a supervisor. In a lawsuit filed Aug. 11 in the U.S. Middle District Court in Harrisburg, the woman details the "overt sexual advances" she faced from an assistant dean who served as her supervisor for her graduate assistantship. The lawsuit claims the university violated Title IX regulations including quid pro quo sexual harassment, causing intentional infliction of emotional distress and negligent supervision. (link)

Aug 11: Misconduct Allegations: Fisk University President Dr. Kevin Rome Sr. has been placed on leave after allegations from a local man who said he was drugged and threatened by the university official. Fisk University said in a statement that officials learned of the allegations unrelated to the school on Monday. The university said it could not comment on the specifics of the incident. (link)

Aug 08: Inappropriate Sexual Relationship?:The University of Massachusetts is reviewing whether congressional hopeful and Holyoke Mayor Alex Morse's alleged inappropriate sexual behavior with college students during his time as a university lecturer was in violation of university policy or federal Title IX law. (link)

Aug 06: Title IX Lawsuit: Rose McAvoy and her attorney filed a lawsuit on July 31 against Dickinson College, alleging that more than two years after the assault, the college deletes recordings of interviews even before the conclusion of Title IX cases and does not accurately report sexual misconduct in its annual safety report. The accusations stem from an October 2017 incident on the college campus in which McAvoy alleges she was assaulted and touched inappropriately by another student. After speaking with an acting Title IX coordinator at the college in early November, McAvoy asked to proceed with a formal investigation. (link)

Aug 05: Discrimination Lawsuit: Following the revelation in June of a lawsuit filed against the Board of Regents of the University System of Georgia and the Georgia Southern football program alleging discrimination, the Herald has obtained personnel files and documents pertaining to the 2019 termination of a football team employee. John Christopher Ball was employed as the football team's video coordinator beginning in 2013, until he was terminated on March 11, 2019 for what was described in his personnel file as a "Violation of University Policy." While Ball acknowledges a mistake in reporting hours, he contends that the true reason for his dismissal stems from his inability to carry out responsibilities that were added to his job description following a surgery that left him disabled. (link)

Aug 05: Misconduct: Days before student-athlete Lauren McCluskey was killed, a University of Utah police officer showed off explicit photos that McCluskey had taken of herself to at least three of his male co-workers without a work-related reason, according to a monthslong investigation from the Utah Department of Public Safety. One staffer recounted that Officer Miguel Deras commented specifically about getting to "look at them whenever he wants." And that employee admitted that he, too, made crude remarks when seeing the images, which McCluskey had given Deras as evidence in her extortion case. (link)

Aug 04: Nassar-related Sentence: A former Michigan State University head gymnastics coach was sentenced Tuesday to 90 days in jail for lying to police during an investigation into former Olympic and university doctor Larry Nassar. Kathie Klages, 65, was found guilty in February of a felony and a misdemeanor for denying she knew of Nassar's abuse prior to 2016 when survivors started to come forward publicly. She also was sentenced to 18 months of probation. (link)

Campus Life & Safety Events

Aug 31:Covid19 Response: New restrictions on bars and Greek houses emerge as some colleges report 500-plus cases. With more than 100 cases each, SUNY Oneonta and Temple revert to online instruction for two weeks. Officials warn outbreaks aren't just linked to parties. (link)

Aug 29: Protests: Students marched and chanted for hours Saturday on the campus of the University of Chicago and in the nearby Hyde Park and Kenwood neighborhoods. Protesters called for defunding the university police force, and funding more student programs. (link)

Aug 28: Fraternity Expelled: A University of North Florida fraternity has been expelled from campus after a sexual assault allegation against one of its members. According to documents a UNF investigation found that a member of the Kappa Sigma fraternity was found to be responsible for sexual misconduct, harassment, endangerment and conspiracy, among other allegations. (link)

Aug 28: Hazing: Two more members of a now-defunct fraternity at Ohio University have pleaded guilty to charges stemming from hazing that led to a student's death two years ago. Freshman Collin Wiant was found dead on Nov 12, 2018 after ingesting nitrous oxide during a hazing incident at the now-defunct Sigma Pi fraternity. (link)

Aug 13: Free Speech: A University of South Florida police officer was fired after an investigation concluded her racist Twitter bio could harm the reputation of the police department. Presley Garcia, an officer hired in 2018, was placed under investigation in early July after a BayNews 9 reporter contacted the police department with screenshots of the Twitter account "@presleyyyg," which has since been deleted. The account's bio read "KKK member." Garcia, 26, was fired last week, and said she felt let down by the agency. (link)

Aug 11: Abuse Allegations: Colorado State athletic director Joe Parker suspended all football-related activities indefinitely and asked school president Joyce McConnell to expand a recently announced investigation into the athletic department to include allegations of racism and verbal abuse in the football program. Parker said in a statement Friday that he decided to pause all football activity, including practice, workouts and team meetings, after learning of "extremely troubling allegations of racism and verbal abuse from CSU's athletic administration generally and in the football program specifically." (link)

Aug 06: Coronavirus: Three University of Louisville soccer players have been kicked off the men's team for organizing a party over the weekend that officials believe was the source for a rash of COVID-19 cases, the school said. Three others were suspended. The dismissed athletes, who were not identified in a university statement Thursday, are believed to be "primarily responsible" for the off-campus party that was called the primary source of 29 infections among the men's and women's soccer teams as well as the field hockey and volleyball teams. The university shut down all activities related to those four sports because of the cases and possible exposure. (link)

Aug 06: Coronavirus & Suspensions: Less than a week after officially welcoming its first students back to campus, Syracuse University has placed a group of students on interim suspension for violating the state's mandatory quarantine rules, the school said Thursday. Students arriving from 34 states are currently subject to the state's mandatory two-week quarantine. Students quarantining off campus are not permitted on SU's campus until they have gone through the quarantine process. (link)

Aug 05: Abuse Allegations: In a series of season-ending exit interviews, players alleged a culture of abuse in the Texas Tech program since Stollings took over in April 2018. They say a toxic atmosphere has prompted an exodus of players, including 12 of 21 leaving the program, seven of whom were recruited under Stollings. Two players detailed these allegations to the NCAA and were granted waivers allowing them to play the next season. USA TODAY Sports collaborated with The Intercollegiate, a college sports investigative media outlet that obtained Texas Tech's exit interviews with players from the past two seasons via public records requests. (link)

Aug 05: Coronavirus: Joyce McConnell, president of Colorado State University, said Tuesday she was launching an "immediate and objective" investigation into the athletic department following allegations that student-athletes have been intimidated and threatened as leaders sought to disregard COVID-19 protocols. Coaches, players and sports medicine staff at Colorado State University told ESPN that athletic department leaders are discouraging athletes from being tested for COVID-19, are failing to provide accurate information to local and state health officials and are ignoring guidelines to quarantine athletes who might have been exposed. (link)

Aug 03: Sexual Assault: A former Miami University employee pleaded guilty to charges of gross sexual imposition, abduction and felonious assault in connection with the sexual assault of a student in Oct. 2018, court documents say. Oxford Police arrested Gilbert after a 21-year-old woman ran toward a stopped patrol car and told an officer that she had just been sexually assaulted by a man she just met but didn't know. At the time, he was an employee with Miami University. (link)

Aug 03: Racial Issues: The Iowa football program's culture has suffered from racial bias against Black players and bullying by a small number of current and former coaches, according to an investigation report released Thursday. University of Iowa President Bruce Harreld said the report by an outside law firm shows that the "climate and culture must and will change within our football program." The university hired the Husch Blackwell law firm in June to review the program after dozens of former players, most of them Black,, spoke out on social media to allege racial disparities and mistreatment. (link)

Aug 02: Coronavirus & Racial Issues: Several hundred college athletes have announced their intention to sit out the coming season as the coronavirus pandemic continues across the United States, and as confirmed case rates rise in almost every state. Sunday, hundreds of football players from the Pac-12 Conference, which is made up of 12 Western schools, announced they would not participate in training camps or games this fall unless their conference negotiates with them on certain demands, including the implementation of health and safety procedures, creating protections for other conference sports, and addressing racial injustice. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.