Department of Internal Audit and Compliance

The Compass MARCH 2023 Vol 13

Guidance for University leaders on governance topics facing UToledo and our peer institutions

THOUGHT FOR THE DAY

“I’m not upset that you lied to me, I’m upset that from now on I can’t believe you.”
- Friedrich Nietzsche

GLBA AND CYBER

For those of you (like me) who follow such things, under the Gramm-Leach-Bliley Act (GLBA), organizations defined as “financial institutions” must keep customer information secure and confidential. The Federal government updated the Safeguards Rule, one of three sections of GLBA, on December 9, 2021. With this update, the Federal Trade Commission notes that an organization “engaging in an activity that is financial in nature or incidental to such financial activities” is considered a “financial institution” and must comply. Key changes to the Safeguards Rule will take effect June 9th of this year.

Though historically considered a “corporate” regulation, the Safeguards Rule now expands the definition of “financial institution” to include institutions of higher education, primarily because colleges and universities administer financial aid. And while our friends in Financial Aid are prepared for these requirements, it is our friends in Information Technology who are most affected by the Safeguards Rule, as it requires that they implement various security practices and then review and periodically update formal policies and procedures. To learn more about GLBA and the Safeguards Rule, click here.

And even though GLBA primarily impacts our Financial Aid and IT colleagues -- IT security and cybersecurity are a responsibility we all own, whether we are a student, faculty, or staff member. We are fortunate to have an IT Security team that does an excellent job of regularly educating us via email on leading practices for protecting the University’s, as well as your, digital assets. Hopefully, you read these messages and follow the guidance contained in them.

Please also know that your Internal Audit and Institutional Compliance teams (including the Privacy Office) are additional resources available to you in understanding how to “do the right thing” when it comes to cybersecurity (and GLBA).

David L. Cutri, CPA, CISA, CIA
Executive Director of Internal Audit and Chief Compliance Officer
Internal Audit and Compliance

 

DID YOU KNOW?

In case you weren’t aware, Institutional Compliance developed a self-service tool some time ago where supervisors can check on the status of compliance training courses on demand. The system can be found in the following directory, which you should have access to. The tool is menu-driven. Simply click on the division you are interested in, and a spreadsheet will be produced, which you can then save, manipulate, and distribute to your team(s). The data underlying this report is refreshed on a nightly basis. If you have questions about the tool, please feel free to contact Brad King or Elliott Nickeson at any time.

Z:\InternalAudit\ComplianceTrainingReport\Compliance Reporting Menu.xlsm

 

UTOLEDO UPGRADES TO MULTIFACTOR AUTHENTICATION PROTECTION

With identity theft and phishing crimes on the rise, The University of Toledo has introduced new multifactor authentication to strengthen and expand security protection for UToledo faculty, staff, and students. Most Federal regulators now require multifactor authentication technology, as does the State of Ohio cyber insurance policy that covers UToledo.

Check out this recent UToledo News story that provides further details. Kudos to our compliance partners in IT Security for their efforts in keeping our sensitive data private and safe!


 

DATA BREACH

Xavier University's computer network experienced a cyberattack last month, potentially compromising students' and employees' personal information, according to an email sent Thursday to students and staff. University President Reynold Verret said in the email that a network disruption on November 22nd prompted Xavier to hire cybersecurity experts to investigate. The disruption was determined to be an "encryption event," Verret said. "We have since learned that malicious actors claimed to have stolen personal information from students and employees during the event." Verret added that officials are now identifying and notifying those who might have had their data stolen.


 

RESEARCH MISCONDUCT

A professor at the University of Michigan received allegations of “research misconduct” and the university has reached out to multiple medical journals to retract the implicated studies. University spokesperson Kim Broekhuizen confirmed with News 8 that a gastroenterology researcher with Michigan Medicine is no longer employed as of January 2nd. According to nonprofit group "Stop Animal Exploitation Now!" an internal investigation by the university found that the professor worked on four studies that included falsified or fabricated data. Those studies used more than $5 million in federal grants.


 

HAZING DEATH LAWSUIT

As Stone Foltz lay on his hospital bed, waiting for the copious amounts of alcohol to flush from his body so his family could donate his organs, Shari and Cory Foltz made a promise to their son: they would do everything they could to eradicate hazing. The family will be able to continue that work even more now after the announcement Monday that Bowling Green State University has settled a lawsuit with the Foltz family for $2.9 million over the March 2021 death of their son, a 20-year-old sophomore, in a hazing connected with Pi Kappa Alpha fraternity. The settlement is the largest payout by a public university in a hazing case in Ohio history, according to Rex Elliott, the family's attorney.


 

NCAA VIOLATIONS

The Michigan football coach and current and former staff members face allegations of NCAA rules violations for which severe punishment may apply. The alleged rules violations occurred in 2021 and involve NCAA restrictions regarding in-person recruiting contacts during the COVID-19 pandemic, an anonymous source close to the situation told The Detroit News. These allegations of impermissible contact with recruits during the COVID dead period are serious in nature and considered Level I and Level II violations. The earliest the NCAA would deliver a Notice of Allegations to Michigan is later this month, according to the source.


 

THE CHRONICLE OF HIGHER EDUCATION -- OTHER DEVELOPMENTS YOU SHOULD WATCH

This Chronicle article discusses:

    • Grad-Student Organizing is Gaining Steam
    • Colleges Betting on Master Programs May Be Disappointed
    • More Politicians are Likely to Become College Presidents
    • The NCAA Looks to Congress
    • The New Colorblindness


 

STATE HIGHER EDUCATION FUNDING RISES AGAIN. CAN IT LAST?

This Inside Higher Education article notes that state support for public higher education will increase this fiscal year, aided by the last burst of federal stimulus money. But some worry the boom times are coming to an end.


 

ADVOCATES URGE NC-SARA TO ADD MORE CONSUMER PROTECTIONS FOR ONLINE STUDENTS

This Higher Ed Dive article notes that a dozen policy experts and higher education groups are calling for changes at NC-SARA, an organization controlling a key interstate distance learning pact.


 

PANDEMIC RELIEF FUNDS KEPT MILLIONS OF COLLEGE STUDENTS ENROLLED IN SCHOOL

The United States Department of Education released new data showing the American Rescue Plan and other pandemic relief funds kept millions of college students enrolled in school.


Last Updated: 5/1/23