Compliance Chats
To help make compliance a little more relevant to the everyday, “Compliance Chat” videos are informal conversations where Senior Institutional Compliance Liaison Mary Gower meets with subject matter experts covering frequently asked compliance questions and issues in quick, bite-sized clips.
Compliance Training Videos
University Compliance
UA Confidential Hotline
[November 2024] The UA Confidential Hotline serves as an intake mechanism to hear from employees, faculty, students, contractors, and community members about concerns. The UA Confidential Hotline is a third-party, system-wide mechanism for receiving tips on risks and issues that could jeopardize the University of Alaska’s financial health, safety or reputation.
Prefer to call? Use the toll-free telephone number: 855-251-5719
Visit www.alaska.ethicspoint.com.
Today we're talking about the UA Confidential Hotline. It's important that we all know how to report instances of non-compliance or suspected unethical practices.
00:30
One way the University of Alaska demonstrates its interest in hearing about issues is by making sure the hotline is available to everyone; this includes employees, students, contractors, and community members. The hotline offers confidentiality and the option to remain anonymous, making it a safe space for those who may be concerned about the potential for retaliation.
First I would like to emphasize the importance of reporting issues to your supervisor. However if you don't feel comfortable going to your supervisor, the UA Confidential Hotline is available as a confidential and anonymous reporting tool. That said, if you see anything that just doesn't look right, please say something. You can help the University of Alaska by being situationally aware, asking questions, and familiarizing yourself with university policies and reporting any concerns.
01:28
The most frequent issues reported through the UA Confidential Hotline include: misuse of University resources, conflicts of interest, discrimination, harassment, and ethical violations.
Employees may encounter compliance related issues that warrant reporting as well. For instance in the area of accounting and finance, an employee might be concerned about the potential for fraudulent activities, such as falsification of financial records, or misappropriation of funds. In the area of diversity and equal opportunity, an employee could observe potential biased incidents or discrimination related to race, gender or other protected classes.
Information security issues may also arise, including data breaches, malicious use of technology, or unintentional use of insecure technology processes, any of which could threaten the integrity of sensitive University information, or cause a privacy breach.
Additionally risk and safety matters may involve reports of unsafe working conditions, or environmental hazards that threaten employee wellbeing.
02:46
When a report is submitted, hotline administrators triage it to determine the next steps, including which department should be notified, to ensure proper follow-up of the reported situation. From here follow-up is performed to gather facts. An investigation is performed if necessary, as based on the facts of the situation. Corrective action is taken to address the issue and prevent future problems. One challenge is that to maintain confidentiality the reporter may not be aware of the substantial enforcement efforts occurring behind the scenes. Unfortunately this lack of visibility can lead to the perception that no action is being taken.
03:29
Speaking of anonymous reporting, how does the university ensure confidentiality and protect against retaliation?
Once a report is submitted through the hotline, whether by phone or online, it's assigned a case number. This provides tracking throughout the processes of triage, follow-up, and if warranted, investigation. The report is assessed and researched, and confidentiality is maintained to the extent practical at every step. If the individual chooses to remain anonymous, they can still communicate through the system without revealing their identity, allowing for follow-up questions if more information is needed.
The university will take steps to respect the identities and privacy of those involved. Absolute confidentiality may not be maintained in all circumstances, especially in cases where the university must take action to protect the safety of others. Care is taken that information is not shared beyond those with the need to know. The university operates in accordance with the Alaska Whistleblower Act to protect employees from being retaliated against in response to reporting concerns in good faith. Retaliation is not tolerated. In fact, retaliation itself can be subject to investigation and disciplinary action.
04:50
What role does the hotline play in fostering a culture of transparency and accountability at the university? Have there been any notable improvements as a result of the hotline reports?
The confidential hotline allows for open anonymous reporting which encourages people to speak up sooner rather than later. This has led to improvements such as clarification and communication of policies and procedures, stricter policy enforcement, better resource management, and increased awareness around issues like workplace conduct and conflicts of interest. Overall it has helped to build trust, where everyone knows their concerns will be taken seriously and handled appropriately.
05:34
What advice would you give to employees that are hesitant about using the hotline?
For anyone feeling unsure, I'd emphasize the hotline is there to protect both the individual and the university. The hotline is designed with confidentiality and anonymity in mind, meaning that no one should fear retaliation for coming forward. The university takes every report seriously and handles them with care and professionalism. There are strong anti-retaliation protections in place so no one will feel negative consequences for reporting. Using the hotline creates a safer and more ethical workplace, and can lead to positive changes for everyone.
06:15
Thank you Nikki, any final thoughts?
I just remind everyone that reporting concerns is a shared responsibility. It's a critical mechanism for maintaining an ethical and transparent campus environment. If anyone has questions or would like more information the hotline is a great resource, and of course you can always reach out to Danielle Foster or myself as the hotline administrators.
Thanks everyone for joining this Compliance Chat. We each have a responsibility to help create a safe and ethical campus. If you see something that doesn't look right, it's important to speak up. You can contribute by staying alert, asking questions, understanding University policies, and reporting any concerns. Also be sure to check out the UA Confidential Hotline.
Compliance Onboarding
[October 2023] The initial days as a new university employee, when people are shaping their initial perceptions of university worklife, meeting their supervisor and colleagues, and settling into the new work space, are the key time for us to emphasize our commitment to compliance. It is crucial that employees realize this responsibility early. Non-compliance can lead to safety risks, legal consequences for the university, reputational damage, financial losses, and disruptions in both operations and academics.
00:18
No matter your position, it’s crucial that all university employees maintain compliance with laws, policies, and procedures. To understand why this is important, let's begin by discussing the risks of non-compliance.
Non-compliance can have significant repercussions. At the worst, failure to follow laws and regulations can result in injury, death, legal actions, fines, or lawsuits.
- Legal Consequences can span safety, finance, research, and student rights.
- Reputation Damage can harm enrollment, funding, and credibility, especially if legal issues arise.
- Financial Impact of non-compliance may result in fines, legal fees, and reduced funding, affecting resources and donor support.
- Operational Disruption can be significant. Violations require quick actions to make things right, which could disrupt academic functions and research.
- Finally, this can include loss of funding and trust erosion. Failure to comply can risk grants and research support.
01:14
As a university employee, let's take a look at what your compliance responsibilities include. These are grouped into: risks, mitigation, training and reporting.
Risks:
It’s each of our responsibility to understand compliance risks relevant to our roles. Familiarize yourself with the policies, procedures, and laws that govern your work. You are expected to conduct university business in a compliant and ethical manner. As an example of risk, imagine a hypothetical situation where researchers stored hazardous chemicals in a lab without proper containment and labeling. This risks chemical reactions, spills, and endangers lab personnel and the environment. It can lead to potential accidents, injury and penalties.
Mitigation:
This includes following established compliance activities, processes, and controls to mitigate risks. As an example, the university has a risk mitigation plan concerning minors on campus. This includes specialized training and establishing clear policies to prioritize the safety of the minors attending its programs.
02:16
Training:
As an employee, you need to complete all required compliance education and training for your position. Speak with your supervisor to understand what the compliance requirements are of your position, and to identify relevant laws, Board of Regents policy, and University regulation, as well as training specific to your role.
Let’s consider what can happen with OR WITHOUT the right training. Imagine if a university's event planning team arranges an inaccessible seminar, lacking ramps, elevators, sign language interpretation, or accessible materials. Or, consider the alternative. After participating in proper disability access training, the team knows to choose a venue with ramps, elevators, to provide a sign language interpreter, and accessible materials. This is not only lawful, it also demonstrates our commitment to inclusivity.
03:09
Reporting:
As members of the University community, we all share the responsibility to foster a safe and ethical campus environment. If you observe any concerns, don't hesitate to speak up. Stay attentive, inquire, acquaint yourself with university policies, and report any issues to your supervisor or other university leadership. If you feel uncomfortable approaching your supervisor, you can report using the confidential and anonymous UA Hotline. The hotline serves as a system-wide tool for receiving tips on safety, financial or reputational risks.
UA Confidential Hotline
855-251-5719
alaska.ethicspoint.com
Again, thank you for your time and let me know if you have any questions.
Protection of Minors
[August 2023] The increasing volume of minors in youth camps, UA events, middle-colleges and other affiliated programs underscores the significance of protective measures for the well-being of these younger students within the university environment. Under Board of Regents’ policy Chapter 09.12 – Protection of Minors, the university provides a policy and regulation framework designed to ensure the safety of minors participating in programs, events, and activities.
00:05
I'm here with Bridget Ballou and Jesse Benton to discuss protection of minors at the University. As you walk around campus you likely have noticed the growing number of students under the age of 18 in class, in Residence Life, and in other Student Activities. "Protection of Minors" is a set of policies and measures aimed at keeping individuals under 18 safe and secure when they're on our campuses. Such policies reflect the institution's commitment to maintaining a secure and supportive space for all members of the campus community.
00:42
Three key things university employees need to know about minors attending the university are:
- Some university employees involved in the protection of minors processes are "mandated reporters." The list of included employees is set in statute by the state, which may change over time.
However, everyone is encouraged to report whether they are a mandatory reporter or not. Mandatory reporters must submit a report to the State of Alaska's Office of Children's Services within 24 hours of having reasonable cause to suspect that a child has suffered harm as a result of abuse or neglect. This includes reporting requirements and follow-up investigation after the event has taken place, as well as here at UA, we report all concerns to the Equity and Compliance Office.
- Training and certification. Certain work teams and departments that frequently interact with minors, such as admissions teams assisting minors regularly, should provide staff with appropriate training and certification to handle situations involving minors effectively and responsibly.
- Employees need to start the Protection of Minors process at least 30 days prior to a minor event taking place on campus. Give yourself and your team or department plenty of time, because the process can involve multiple employees, work teams, background checks, and collaboration with external partners.
2:08
Employees should be aware that certain activities involving minors may require heightened levels of supervision and additional mitigation processes. These could lead to different procedures, potential timeline delays, and the need for specific authorizations.
Decisions on such activities may be based on risk assessments, staffing considerations, equipment requirements or insurance coverage, among other factors. When volunteers and protection of minors activities are combined, there are additional procedures and authorizations that are needed.
These could involve risk management assessments, Title IX training, waivers and more, to ensure the safety and well-being of minors involved. As a best practice to protect both employees and minors, avoid being isolated or alone with a minor at any time. If such situations are unavoidable, employees should take steps to ensure the safety of both parties. For assistance in developing action plans for such scenarios, employees can reach out to their Protection of Minors contact.
The upcoming new protection of minors policy will require a minimum of two supervising adults to be present at every event involving minors, although there will be some exceptions.
Documentation and the retention of all records is vital to meet all the laws related to protection of minors.
3:31
If you see something of concern please make a report to the Office of Children's Services and notify your Protection of Minors contact.
If you have ideas for future compliance chats please send them to ua-compliance@alaska.edu.
Title IX
[November 2023] Title IX is foundational for ensuring equal rights in education, preventing sexual harassment, and combating sex-based discrimination. Title IX includes provisions for pregnancy protections. It also provides essential safeguards and procedures to address misconduct in educational settings.
Regents Policy Chapter 01.04 – Sex and Gender-Based Discrimination Under Title IX
The Board of Regents of the University of Alaska System affirms its commitment to educational programs and activities that are free of discrimination on the basis of sex and gender.
04.56
Hello, I'm Mary Gower, and today I'm joined by Mitzi Anderson from UAS, Sara Childress from UAA, and Kaydee Van Flein from UAF to talk about Title IX protections here at the university.
Title IX is foundational for ensuring equal rights in education, preventing sexual harassment, and combating sex-based discrimination. It provides essential safeguards and procedures to address misconduct in educational settings.
Title IX also includes provisions for pregnancy protections. This, and other federal and state laws, ensure that pregnant students and employees have access to necessary accommodations and support to continue their work or education. The staff that support this work at UA play a pivotal role in upholding a safe and inclusive campus environment through their efforts to prevent discrimination and harassment.
Mitzi, my first question is for you. Let's say a coworker tells me that they are being sexually harassed. What do I tell them about how to make a report? Also, what happens after a report is made?
01:03
If the coworker believes they’ve experienced discrimination, they can report the incident online through the equity and compliance website. They can also report in person or over the phone to the Title IX Coordinator or their staff, or make an anonymous report through the UA confidential hotline. These resources will be shared later in this Chat. Also, a reminder that most university employees are considered responsible employees. This means that, with few exceptions, University employees must report any incidents of sexual misconduct they become aware of to the Title IX coordinator or other designee within 24 hours of becoming aware.
This is because the university is required to address any incidents of sexual misconduct about which a responsible employee knew or should have known. When reporting under Title IX, the process usually follows these steps. First, supportive measures are offered to the impacted individuals and additional information may be collected. If it appears that a policy violation may have occurred, the individual may choose to file a formal complaint and the University will then proceed with an investigation. This includes notifying parties involved that an investigation is being initiated, explaining their role in the process and that of others, such as advisors, and offering supportive measures and other resources throughout the entire process.
02:25
Following an investigation, if an informal resolution cannot be reached, a hearing with the opportunity for cross-examination will occur. Once a determination has been made on whether policy was violated, and after any appeals have concluded, the University will identify remedial efforts. If a violation is found, the university must stop the discrimination, work to prevent it from happening again, and remedy the effects of the discrimination, which can include sanctions. Sanctions for a respondent employee found responsible for discrimination range from a written reprimand, disciplinary probation, suspension without pay, and up to termination for cause, following university policy.
03:10
Thanks Mitzi. Sara, what's different about Title IX now versus ten years ago?
03:17
Well, compared to a decade ago, our current landscape is a significant contrast in awareness, process and action regarding Title IX-related issues. We've seen frequent federal changes, prominent national cases, and influential social movements such as the #MeToo movement that have driven these issues to the forefront. Staying on top of these federal changes takes our departments' constant attention. We are consistently updating our processes and materials to align with the frequent federal regulation changes. Notably, in the past 10 years our universities have expanded their infrastructure, support and resources for the parties involved in sexual harassment and discrimination.
Additionally, there is increased accountability for all aspects of Title IX processes. The updated regulations include specific requirements for how institutions must respond to Title IX complaints, placing a premium on ensuring a fair process for all parties involved. We've also intensified our focus on training. UA Safe is a custom-designed training module developed in response to feedback from both our students and our employees to reflect Alaska's special needs. In addition to UA Safe, TIX teams across the universities engage with critical stakeholders to create meaningful programming outside of the training module.
04:36
Thanks Sara. Kaydee, how can my department become a Title IX partner?
04:41
Thanks so much Mary. There are specific steps the departments at our universities can take to become Title IX partners. Departmental leadership can ensure that their team members complete UA Safe training annually and also confirm their employees' knowledge of reporting Title IX concerns or incidents. It can be as simple as asking your teams how and when they would report to the Title IX office. Encourage your teams to connect with their respective TIX teams and ask questions about processes, how to help others report and what to expect.
We're happy to attend staff meetings to talk about challenges employees are facing and how we as Title IX can be good partners to all of you. Departments can request bystander or green dot training to better understand the university's prevention and awareness programs, as well as understand how to recognize and safely intervene in potentially dangerous situations. They can also ensure all team members are familiar with an employee's pregnancy and childbirth rights to accommodations, which might include things like schedule adjustments, additional breaks, workstation modifications, and accessible parking. Finally, fostering a departmental culture that is inclusive, respectful, and free from discrimination and harassment is the best way to partner.
05:53
It's great to see colleagues leading by example and setting a standard for respectful behavior. Please reach our offices for opportunities to collaborate and ways you feel we can support you all in your respective teams. Thank you so much.
06:07
Thanks Mitzi, Sara and Kaydee. Everyone, thanks for joining us for this Compliance Chat, and if you see something of concern, please make a report.
For sex discrimination claims or other inquiries concerning the application of Title IX of the Education Amendments of 1972 and its implementing regulations, individuals may contact the University’s Title IX Coordinator, or the Assistant Secretary in the U.S. Department of Education Office of Civil Rights, or both:
UAA Title IX Coordinator
3190 Alumni Drive, Suite 352
Anchorage, AK 99508
Phone: 907-786-0818
E-Mail: uaa_titleix@alaska.edu
Website: www.uaa.alaska.edu/about/equity-and-compliance/
UAF Title IX Coordinator
1692 Tok Lane, 3rd Floor Constitution Hall
Fairbanks, AK 99775-6910
Phone: 907-474-7300
E-Mail: uaf-tix@alaska.edu
UAS Title IX Coordinator
11066 Auke Lake Way
Juneau, AK 99801
Phone: 907-796-6371
E-Mail: uas.titleix@alaska.edu
http://www.uas.alaska.edu/titleix
Office for Civil Rights, Seattle Office
U.S. Department of Education
915 Second Ave., Room 3310
Seattle, WA 98174-1099
Phone: 206-607-1600
TDD: 800-877-8339
E-mail: OCR.Seattle@ed.gov
FERPA
[August 2024] The Family Educational Rights and Privacy Act (FERPA) is a guardian of student privacy. FERPA is crucial because it ensures that students have control over who sees their educational information, safeguarding their privacy and security. For university employees, understanding and complying with FERPA is not just a legal obligation but a commitment to protecting students’ rights and fostering a trustworthy educational environment.
Today I'm joined by the university registrars, Lindsay Chadwell, Trisha Lee and Holly McDonald, and we're going to be discussing FERPA. FERPA is the Family Educational Rights and Privacy Act, and it's a federal law that provides university students with access to their educational records. It also gives students a level of control over the disclosure of personally identifiable information from their student record. FERPA is a guardian of student privacy, mandating that universities and educational institutions uphold the confidentiality and accuracy of the student record.
00:41
I expect that most of the people that are joining us on this Chat want to know what requirements they need to follow to ensure compliance with FERPA regulations when they're handling student records and information.
To ensure compliance with FERPA regulations when handling student records and information, university employees should:
1) Limit access to student records to school officials with a legitimate educational interest. This means university employees who need access to a student's records to perform their professional duties related to the student's education.
2) Obtain a FERPA release form from students before releasing personally identifiable information to anyone unless an exception under FERPA applies. And I'll explain some of those exceptions in a moment. It's important to note that FERPA does not acknowledge verbal consent, so obtaining the student's permission in writing before releasing any information is critical.
3) Complete the university's FERPA training annually in the MyUA learning library.
4) Ensure student records and information are always secure. We can lock our computer before we step away; don't print student records unless absolutely necessary; and if you do, keep them secure in a locked cabinet or office and flip them upside down if someone enters your workspace.
02:10
When employees transition out of a role, ensure their access to student records and information is removed promptly. Delete drives, documents, etc. containing student information after the business need has been met. And remember FERPA applies to our work environments at home too.
There are situations, as I mentioned, where records may be released without the student's consent, such as when transferring to another school, complying with a judicial order or a subpoena, and in health and safety emergencies. The university can also disclose directory information without the student's consent unless they have enabled a directory hold in UAOnline. It's best to discuss these situations with your university registrar before releasing information to ensure you're complying with FERPA.
03:00
Trisha, as students under 18 are increasingly enrolling here at the university, what do employees need to understand regarding FERPA with minors?
In this situation parents do not automatically have rights to access their student’s educational records under FERPA as they did in high school. At the university, those rights are granted to the student only, regardless of their age. This can be a tough learning curve for parents, so keep this in mind when working with them.
FERPA considers students who have reached the age of 18, or who attend college, as eligible students. This means that even if a student is under 18, the student has control over who can access their educational records. Lindsay mentioned the FERPA release form. Signing a FERPA release is the most efficient way for any student to allow their parent or another designated person to discuss their student records with the university.
Also, employees should complete FERPA training annually to become and remain familiar with the requirements. Employees can access FERPA training in the MyUA learning library. Simply search for FERPA. Also it's good to know that FERPA coverage begins on the first day of a student's first class, regardless of age.
04:20
Holly, can you help us understand how FERPA applies in the following situations? For example, what if a professor asks students to peer review each other's work, which includes sharing, you know, grades and feedback? Or what about when a faculty member is asked to write a letter of recommendation and that includes details from a student's academic record?
When a professor asks students to peer review each other's work, including sharing grades and feedback, FERPA considerations come into play. Under FERPA, grades and feedback provided by students in the course of peer review are typically considered to be part of the instructional process, and are not treated as educational records until they are reported by the instructor.
However, professors should be mindful of student privacy and ensure that the peer review process does not involve the disclosure of grades or feedback in a manner that would be considered harmful or an invasion of privacy. Best practices include anonymizing the work where possible, or obtaining written student consent for sharing grades and feedback among peers.
05:27
Regarding the question of letters of recommendation, when faculty members are asked to write letters of recommendation that include details from the student's academic time with us, FERPA does require that they obtain written consent from the student. This is because letters of recommendation that reference specific grades, GPA, or other educational records are disclosing protected information under FERPA.
The written consent should specify what records are to be disclosed, the purpose for the disclosure, and to whom the disclosure can be made. Your university may have a release form available specifically designed for letters of recommendation, so chat with your university registrar first.
As always, Lindsay, Trisha and I are here to help. Students, faculty and staff are encouraged to contact us with any questions or concerns regarding FERPA.
UAA https://www.uaa.alaska.edu/students/registrar/ferpa.cshtml
UAF https://www.uaf.edu/reg/ferpa.php
UAS https://uas.alaska.edu/registrar/academic-records/ferpa.html
Everyone thanks for joining this Compliance Chat and if you have any further questions please reach out to your university registrar.
Cybersecurity Series
Data Security and Privacy
[May 2024] Regularly assessing your data, storage locations, and permissions, deleting unnecessary files, and using strong passwords are recommended practices to ensure data security and compliance with federal and other requirements.
00:04
Today I'm joined by Raina Collins, Senior IT risk and compliance analyst at the University of Alaska System Office of Information Technology to talk about data security and privacy.
In our positions here at the University there are so many of us that are handling sensitive information, and data security and privacy are really critical issues. And many of us have a large digital footprint. By footprint, I'm referring to all of the documents, emails, videos, images and also our transaction records. Having this large digital footprint heightens our vulnerability to data breaches, which can result in identity theft, financial harm and damage to the University's reputation.
When I'm thinking about the compliance concerns here, these include legal, regulatory obligations surrounding the data handling, storage, and retention. Managing this extensive data and controlling access is really challenging.
Raina, so many employees viewing this video have a large data footprint with the university, including years worth of emails and stored documents, knowing that this presents an exposure risk to the university. How do you suggest going about trimming back that risk?
01:19
I'd suggest starting with identifying the contents of the data that you have. Data can consist of emails, photos, videos, documents, spreadsheets and all kinds of unique file types. There's also a difference between working documents and documents for retention. Hint: emails are considered working documents.
- Working documents are actively used during day-to-day operations. They serve as tools for collaboration, decision-making, and ongoing task management.
- Documents for retention are retained for legal, operational or historical reasons. They're not actively used in daily work but are preserved for compliance, reference or recordkeeping. UA OIT is currently working to develop tools and resources to help people identify the kind of data they have, so stay tuned.
Also there's one caveat: although UA emails are regarded for document retention as "working documents", they are retained indefinitely through Google, and in that sense, are closer to retention documents.
This is why it's important to know the content of your data.
Now that we know what the data is, let's discuss location. Throughout UA, data can be stored in our Google Workspace environment, Microsoft 365, department file shares, OnBase or other dedicated data repositories.
So now that we've defined the what, and the where, let's discuss how much.
In many cases, the systems mentioned above have seemingly limitless capacity for storage, which can contribute to years' worth of data and documents being stored.
As you noted already, this creates an extensive footprint. Our recommendation is to really look at what kind of data you produce, evaluate its sensitivity, then determine if you have to keep it for regulatory purposes or if it's just a nice to have. For things that you must keep for retention reasons, you can work with the OIT Records and Information Management office to help you determine where to keep them. For things that are for your own convenience or departmental record keeping, you should save it in a secure location that is appropriate for the type of data that it is.
Let's look at permissions more closely. Google Drive and Microsoft 365 are designed to allow for easy sharing of data both internally with our co-workers, and externally with our stakeholders. This helps create efficiency in our work products, and allows us to collaborate worldwide. However, the possibility of oversharing creates many kinds of cyber-security vulnerabilities.
There are many Federal requirements in place to protect UA data, and in support of them, we recommend you do a routine audit of your storage locations. Look at who those files are shared with, and then remove access where appropriate. Delete files that you no longer need, or find them a secure and permanent home. This type of review should always be done after employees leave or if they transfer outside of your department. But if this doesn't happen often, then at least annually.
04:05
Looking at the security of the data, in what instances are University employees expected to be encrypting their emails, and using secure file transfer for their documents? Also, how do we go about that?
Wherever there's a need to send protected sensitive or private data, users should employ added encryption to keep their messages secure. UA users can leverage our large and secure file transfer service at securefiles.alaska.edu which allows UA account holders to exchange secure emails within UA or with external stakeholders. We do not recommend sending secure, private or sensitive email messages via Gmail or Outlook.
Also to note, sometimes the best way to protect sensitive information is to avoid the temptation to put it in your keyboard in the first place. Rather than sending an email then deleting it, pick up the phone. Take care to not write anything in an email that you're not ready to read in a newspaper. And on that topic, consider the use of UA emails for personal business. While it is generally allowable under Regents' policy, it's not always the best idea. UA emails are subject to public records requests, and unless there's a statutory shield that protects them, they may have to get delivered into the hands of a third party. It isn't precluded to use UA for emails for personal reasons, but it may not be the best practice overall.
05:26
Do you have any pointers for supervisors to help implement solid access controls, to limit who can access the sensitive information? For example, to ensure that employees only have access to the data that they need for performing their duties for the university? Also what can supervisors do to make sure that access is removed as their employees transfer to different departments or leave the university?
Absolutely. Supervisors can establish solid access controls, as I mentioned earlier, by establishing departmental policies that outline how their department will manage their data. It'll identify the roles surrounding data management and conducting regular reviews of access permissions, thereby aligning them with their employees' specific roles and responsibilities. That way they're ensuring that their employees are only accessing the data that is required for their job tasks.
They can also develop departmental policy on onboarding and offboarding, which creates a systematic process for granting and revoking access when employees first join or when they transition to other departments, or if they leave the university entirely. We would suggest as part of the departmental policy to set up a schedule -- such as every 12 months -- to review these permissions even if they are still employed, because this would capture any role changes within the department.
06:44
In closing, we cannot really over-stress how important it is to really understand what data you're generating.
For instance, the music department data is going to be completely different from research data; however, they might both deal with student-related data. So understanding what you're managing, and the requirements of that data, is critical to managing data access wisely.
If you need further assistance including individualized help please contact OIT Security Operations at ua-oit-security@alaska.edu or visit OIT's website.
AI in Social Engineering
[June 2024] AI is revolutionizing social engineering. AI’s use of automation and stealthy techniques dramatically raises the stakes of cybersecurity. Threat actors can create convincing written messages, voice mimicking and phone-based attacks.
I'm joined by Bill Anker, executive director of strategic programs at the University
of Alaska system Office for information technology.
00:13
We're discussing social engineering using AI.
In recent headlines Forbes declared that AI is revolutionizing social engineering
and likened generative AI to "social engineering on steroids." AI's use of automation
and stealthy techniques dramatically raises the stakes of cyber security.
00:34
What used to amount to a peppering of emails with some clumsy grammar and misspelled
words, now is really sophisticated.
It feels like we're entering into an alternative reality where you just don't know
what's fake and what's real.
00:47
It’s a real problem. We're now living in the intersection of AI and social engineering
and that's dangerous territory.
For example, threat actors can now create flawless, convincing messages in perfect
English using tools like ChatGPT that makes detecting fraudulent messages really
challenging.
01:04
There are also voice mimicking and phone-based attacks. As many of you know, AI tools
can generate lifelike spoken words that mimic specific individuals. This capability
opens the door to phone calls that can convincingly imitate anyone, such as the head
of finance, a chancellor or the university president. Threat actors generally use
a two-pronged approach. They start with credible emails and follow that by voice calls,
adding a layer of deception to social engineering attacks.
01:30
That's troubling. I know that in addition to email and voice attacks, picture and
video can also be AI generated. Are these so-called deep fakes a concern for the university?
01:41
Absolutely. You may have seen deep fakes in the news recently. For example, as recently
as this past February, a finance worker paid out more than $25 million in response
to fake video requests from someone impersonating the Chief Financial Officer of the
company.
Concern about election year deep fakes is in the news quite a bit and is leading to
the introduction of AI related legislation to combat attempts to mislead voters during
the 2024 election.
AI can be used to create deep fakes using pictures, video, and audio footage found
in the public space. And with that they can pretty easily make completely realistic
fake videos and fake virtual identities.
02:18
What are the big risks related to social engineering using AI for the University?
With AI's hyper-speed ability to analyze an employee's digital behavior, scams can
take on an unsettling personalization, increasing the likelihood of successfully tricking
our employees into providing access or sharing private information.
02:36
Beyond social engineering AI also accelerates the detection of vulnerabilities in
systems, potentially leading to rapid breaches even before staff recognize a threat.
AI tools can autonomously probe defenses, learn from mistakes, distribute malware and
extract sensitive data often bypassing traditional security alarms. Adaptive AI-powered
malware can dynamically create real-time countermeasures against the university's
defenses resulting in more prolonged and disruptive attacks.
03:03
What are some countermeasures that we can take against AI fueled attacks?
This can be broken down into three main strategies. First, training our users to detect
social engineering. Second, implementing improved authentication. And third, deploying
AI based security controls.
Employee awareness and vigilance is by far the most powerful tool in our arsenal.
The use of multi-factor authentication can reduce account compromises by up to 99%.
And finally, AI-based defenses can react and adapt to attacks in real time dramatically
speeding up our response times. UA is already implementing the first two and is currently
investigating the third.
03:38
Remember there is always time to verify the authenticity of a request. If you have
any doubts, aren't expecting this type of communication, or aren't sure if you should
proceed, reach out to the requester directly, using an alternate communication method.
For urgent matters contact your local service desk and if you need further assistance
including individualized help do not hesitate to contact OIT security operations at
ua-oit-security@alaska.edu or visit OIT's website.
04:07
Thanks Bill. I'm impressed with the work that you and the entire OIT team are doing
on behalf of the university to protect our online security.
Everyone thanks for joining this compliance chat. If you have any further questions,
please feel free to contact OIT security operations.
Additional topics covered monthly
Securing Devices During Travel
[December 2023] As a university employee, is it ok to leave your laptop computer back in the hotel room when you travel? What about using the Wi-Fi provided at the conference? Whether you're traveling for research, presenting at a conference, or collaborating face-to-face at meetings within the state, as university employees it is important that we make sure our devices and data are secure during our travels.
0:04
Hello I'm Mary Gower and today I'm joined by Sean Hagan, University of Alaska system’s Chief Information Security Officer and Aaron Menshouse, UAF's Export Control/Research Security Officer, to discuss the secure usage of smartphones and laptops during travel. We'll explore key strategies to safeguard your device and data while on the move.
Sean, first let's take a look at traveling in the United States. When I travel for work I always bring my laptop with me. What about the physical security of the laptop? For example on days where I don't need it at the conference, do I just lock it in the hotel safe?
0:38
First, only bring what you absolutely need. Try to minimize the number of devices and the amount of data that you carry with you while traveling.
You may wish to consider using a loaner laptop or even going so far as getting a temporary cell phone, especially if you're traveling overseas. Aaron will discuss traveling abroad further in a minute. Other things you can do: store your data in the cloud and not on your laptop, or you might store it on a secure USB stick, and we have those available for checkout from the IT units.
Before departure ensure your device is well prepared by updating the software. You may wish to set a temporary password that you would change when you return from your travels. You will want to review Wi-Fi or bluetooth settings to make sure that the device will not automatically connect to unknown or untrusted wireless networks.
1:26
Always maintain physical possession of your devices while traveling, and you may wish to avoid using public Wi-Fi unless you're certain that the wireless network is trustworthy. Instead you could rely on a secure Wi-Fi hotspot from your cell phone. Or you may be able to check out, or rent, a portable hotspot device. You can also use the UA VPN while you're traveling for added security.
If you plan to work on UA data while you're traveling, consider whether sensitive data may be visible to people -- say while you're crunched up in an airplane seat working on an airplane, or if you're in a lounge or hotel conference area or something like that. If you intend to work in those environments, or think you might, you may wish to purchase a screen protector which can make it harder for others to "shoulder surf" or view sensitive information on your screen behind you.
2:16
For international trips it's essential to contact your Export Control Representative in all cases before travel commences. This ensures compliance with regulations, and addresses any specific considerations related to foreign travel and those you may meet while you're on travel status. Contact information for these professionals can be found on the website following this video. If your device is lost or stolen during travel take immediate action. Report the incident to law enforcement and if you're traveling abroad the nearest U.S. Embassy.
If your device is UA owned or managed, or if it has any UA data potentially involved, please promptly report the loss or theft to the UA Information Security and Assurance team so that we can do necessary followup and mitigation work as needed. Contact information for our group can also be found after this video.
3:05
Aaron, Sean shared a couple of tips for international travel. What other considerations are there about device security when traveling internationally for the university?
3:13
Additional cybersecurity considerations come into play. Firstly acquaint yourself with the specific regulations of the host country, which may differ from domestic standards. OIT can assist you with how to do this.
Be cautious of potential internet access restrictions and bolster data security with a VPN for encrypted connection. Internationally, prioritize device security by implementing robust measures like strong password encryption and multi-factor authentication. Stay vigilant about physical device security utilizing locks or secure bags to deter theft.
3:46
When accessing public Wi-Fi ensure a secure connection using a trusted VPN. Be aware of potential device inspections at borders and comply with local regulations. Sean mentioned using a loaner laptop from the university or a temporary burner device for international trips. You can get the loaner laptop from OIT. Prepaid cell phones and international SIM cards can be purchased for use of temporary devices at local retailers.
Familiarize yourself with the university's emergency response plan for international travel, knowing whom to contact in the event of a cybersecurity incident. You can access it using the link below. Lastly, keep IT support informed of your travel plan.
4:24
As we travel on behalf of the university it introduces new dimensions to online physical security. To mitigate these risks effectively it's crucial for us to stay informed and implement proactive measures as outlined here.
If you have further questions, please contact:
- UAF Export Control: Aaron Menshouse, acmenshouse@alaska.edu, (907) 474-7832
- UAA Export Control: George Kamberov, gkamberov@alaska.edu, (907) 786-5472
- Information Security and Assurance (ISA), oit-security@alaska.edu, (907) 450-8300
Phishing: Risks and Responses
[January 2024] Chances are that you've encountered phishing emails numerous times in both your personal and university email accounts. Phishing is a deceptive tactic to trick individuals into disclosing sensitive information. These attacks frequently employ convincing yet fraudulent emails, messages, or websites that mirror trusted sources like colleagues or official university channels.
00:12
I’m here with Jeanette Okinczyc, the manager of Security Operations for the University of Alaska system OIT. Today we’ll discuss the realm of phishing attacks, exploring essential strategies to detect and counteract these cyber threats.
00:20
How to recognize phishing attempts:
When it comes to identifying phishing attempts it’s crucial to understand that phishing succeeds because we’re human beings, and that we are all at risk for becoming victims of a cyber attack. My advice is for people to know that they can always take the time to verify, trust their gut instincts, and when something doesn't seem right, pause and reconsider.
Phishing preys on our vulnerabilities, but by being proactive and cautious, we can significantly reduce the risk of falling victim to these deceptive tactics. If you suspect a phishing attempt, please mark it as phishing in the Google interface. This sends a message to the security operations team so they can assess whether the circumstances warrant warning other employees to be on the lookout for parallel attempts. And if you’re not a Google user, please forward the email to ua-phishing@alaska.edu.
01:51
Motives behind phishing attempts:
Let’s explore the aim of phishing attempts. Phishing has diverse objectives including stealing sensitive information, financial gain, and gaining unauthorized system access. Recognizing these motivations is crucial for better protection.
Phishing aims to steal sensitive information, enticing individuals to disclose personal details. This requires a cyber security culture emphasizing security measures, user education, and constant vigilance. Financial gain is another motivation prompting caution when faced with requests for financial information. Strengthening financial cyber security defenses is vital.
Phishing also targets unauthorized system access, demanding a comprehensive defense strategy with regular updates, robust password policies, and employee training. Understanding these motives helps tailor defenses fostering resilience against cyber threats.
2:57
Examples of various phishing methods:
Phishing is not limited to just email, it can manifest through phone calls, text messages
and other channels. For instance deceptive emails may contain malicious links or attachments,
and phone calls can be impersonations of trusted entities, and text messages might
attempt to trick you into divulging sensitive information. Being aware of these methods
empowers our employees here at the University to stay vigilant across different communication
channels.
Phishing is a pervasive threat that exploits human tendencies. By stressing verification,
intuition and caution, we can thwart phishing. Stay informed, be proactive, and we
can reduce the risk of falling victim to these cyber threats.
Feel free to contact OIT Security Operations at 907-450-8900 for more information.
Password Security
[February 2024] When it comes to passwords, it's more than just picking any combination of letters and numbers. As we recognize the growing sophistication of hackers it's essential that we understand what truly makes a password strong and secure. Also, change your passwords at least every six months and consider using a password manager like Keeper or other available options to help encrypt, store, and manage your passwords.
00:03
Hello everyone I’m Mary Gower. Today we’re joined by Kaitlyn Malloy, UA Security Analyst at the University of Alaska system, Office of Information Technology to discuss password security.
Exploring password security is more than just creating easy-to-remember passwords, especially now that the era of using something like "123456" is far behind us.
As we recognize the growing sophistication of hackers, including their use of AI, it's essential that we understand what truly makes a password strong and secure. This is even more urgent and concerning with so much personal identity information ending up on the dark web.
Kaitlyn, how does all this impact our approach to crafting passwords, and could you provide key tips to ensure our information remains as secure as possible?
00:16
Yes, this is really important. When it comes to creating passwords, it's more than just picking any old combination of letters and numbers. We need to think about what makes a password really strong and safe.
Recently, hackers have become more adept and are leveraging advanced technology to infiltrate various systems. Here at the university, these systems contain valuable data such as research findings, student records, and intellectual property. Hackers use artificial intelligence to exploit weaknesses in security protocols and gain unauthorized access.
And, as you mentioned, this can also be a big worry personally because our own identity information can end up on the dark web.
So, let's talk about a couple of tips to keep your information safer.
The length of your password is crucial. While a 12-letter password may seem lengthy, it might not be sufficient to deter hackers. Aim for longer passwords, ideally 14 characters or more, for enhanced security.
Additionally, incorporate symbols like exclamation points or hashtags to add a layer of protection. For instance, a 12-character password using only letters is quickly crackable, but a 14-character password incorporating numbers, symbols, uppercase, and lowercase letters is currently estimated to take millions of years to crack. Integrate a special character within the password itself, such as replacing an A with the @ sign, or a zero for an O.
Be unique. Yes, it is absolutely a security risk to use the same password for all your accounts. Never reuse a password, even if it has been unused for some time. And, I know most of us have done this, but just adding a new number to an old password is not sufficient.
02:33
Three key ways passwords get hacked are by credential stuffing, dictionary attack and by brute force.
In credential stuffing, an attacker takes login credentials obtained from a breached
account and tries the same email and password combination across various accounts
and websites. This technique is particularly potent because many individuals reuse
passwords, and if one password is leaked in a data breach, it can be exploited across
multiple platforms. This is why it is SO important to not reuse the same password.
In the next way, brute-force uses a program to systematically try different combinations
of letters, numbers, and symbols at a much faster rate than a human could ever manually
attempt. A hacker can test up to 100 billion potential passwords per second. If your
password is simple or commonly used, it is likely to get hacked.
Next, and similar to brute-forcing but more intelligent, a dictionary attack checks words from dictionaries, company names, sports teams, and other common terms. This method allows hackers to crack passwords even more rapidly by leveraging known words and phrases.
03:39
Change your passwords at least every six months and consider using a password manager like Keeper or other available options to help encrypt, store, and manage your passwords. More information on password managers is available at the OIT website https://www.alaska.edu/securitymatters/training/password_managers.php.
03:51
If you need further assistance, including individualized help, contact the Office of Information Technology (OIT) Security using the provided contact number (907-450-8900) or visit the OIT’s website https://www.alaska.edu/oit/.
Social Engineering
[April 2024] Social engineering is the use of deception and/or manipulation intended to essentially cause a person to divulge information they normally wouldn't. Cyber attacks may include social engineering techniques, such as phishing emails or phone scams, to manipulate us into revealing confidential information or granting unauthorized access. Without proper awareness and training, you may unwittingly be subject to social engineering scams.
00:03
Hello everyone, I'm Mary Gower and today I'm joined by Joshua Craft at the University of Alaska system office of Information Technology. Josh is a security analyst. So today we're going to be talking about social engineering and we'll have a follow-up chat where we talk about social engineering using artificial intelligence. In a nutshell social engineering is using psychological tactics to manipulate people.
In an information security context, social engineering is the use of deception and/or manipulation intended to essentially cause a person to divulge information they normally wouldn't -- and it's usually used for fraudulent purposes. So unlike a cyber attack, bad actors gain the trust of their targets so they give up that personal information. Imagine now at the University we have a researcher -- let's call him Greg -- who routinely communicates online with colleagues. And a hacker will target Greg and meticulously research his communication patterns.
Then posing as an IT support specialist this hacker begins to send three seemingly legitimate emails over the span of a couple of weeks. These emails discuss routine system updates, software patches, upcoming security measures, and project work. Each message is crafted to mirror the University's communication style. So what this does, is it makes it challenging to discern any malicious intent. After establishing a sense of familiarity and trust with Greg, the hacker sends a fourth email this time containing a link that appears to be a program specifically associated with Greg's research. Trusting the routine nature of the communication Greg clicks on the link redirecting him to a convincing but fake login page where he enters his credentials and unbeknownst to Greg his username and password are now in the hands of the hacker.
02:23
Another common scenario takes advantage of certain events or transitions for setting up an attack -- like at tax time or when employees are first starting a job. For example, a hacker carefully monitors departments within the university, pinpointing recently hired employees in financial aid for example. After identifying the targets the hacker sifts through all this information about their recent office events, gathered from the campus newsletters, student newspapers or even the office's Facebook account. The hacker then will craft a personalized phishing email posing as a human resource employee. The email prompts the new employee to click on a link for university onboarding training -- however that link actually leads to a phishing site designed to capture these log-in credentials allowing the hacker to gain unauthorized access to the new employee's sensitive financial aid data.
03:40
To prevent this from happening, start with being skeptical. Always approach unexpected emails, messages or calls with caution. Verify the identity of the sender through established and trusted communication channels before sharing sensitive information or clicking on links. If you're ever in question, reach out to that colleague. Send them an email, make a phone call, verify maybe they did or did not send those suspicious messages.
Additional countermeasures could include training employees on recognizing phishing attempts and implementing Two Factor Authentication -- also known as TFA -- to add an extra layer of security beyond just the password.
Keep tabs on what's happening in security awareness and take training to learn to recognize and respond appropriately to social engineering attempts. You can check out the cybersecurity trainings at myUA. The simplest way to locate them is to search “data security” once you've logged in to myUA.
04:44
The best resource for learning the latest about all of these kinds of changes in the landscape are usually cybersecurity news articles. The principles of social engineering do not necessarily change through time -- it's their core kind of inner workings to hack the human psychology and get users to divulge information by exploiting them. There's a really great article called “Social engineering: definition, examples, and techniques” on an online resource named CSO that I recommend looking up. It talks about many different elements of social engineering and examples as well.
For urgent matters, contact your local service desk. If you need further assistance including individualized help contact the Office of Information Technology Security at ua-oit-security@alaska.edu or visit the OIT's website.
Executive Branch Ethics Act Compliance
As university employees, the Executive Branch Ethics Act (EBEA) provides us guidance for safely navigating situations such as compliant employment and contracting with the university, and serves as our Standards of Ethical Conduct.
#7 Partisan Political Activity
[July 2023] In recent times, university employees have become increasingly aware of the guidelines and restrictions surrounding their political activities. It is essential to understand the parameters set by the Executive Branch Ethics Act, and Board of Regents’ policy about partisan political activities. This latest installment of the "Compliance Chat" video series provides a brief yet comprehensive overview of the guidelines aimed at avoiding potential issues concerning political activity.
00:16
The Executive Branch Ethics Act states that UA employees cannot use any UA resources - meaning funds, facilities, equipment, services - for partisan political purposes. That phrase “partisan political purposes” has a specific meaning. It's the intent to differentially benefit or harm a candidate, or potential candidate, for elective office; or a political party; or a political group. It does not include having the intent to benefit the public at large, through the normal performance of our official duties.
This includes municipal elections as well. Even though municipal elections are supposed to be nonpartisan, they still fall within this definition of partisan political activity; so using UA resources to support a candidate still counts as partisan political activity even if it's a municipal election.
01:09
Isn't that an infringement on our right to engage in political activity?
The EBEA doesn't tell us that we cannot endorse candidates, or campaign, or make donations in our individual capacities - we still have all those individual rights - it just says that we cannot use our access to UA resources for those activities. Employees can endorse a particular candidate or take a position for or against a ballot proposition in their individual capacity; it just says that they can't use UA resources in order to do so.
01:44
I've seen candidate debates on campus, is that permissible?
A candidate debate, as long as all the candidates are invited and treated equivalently, does not have the intent to benefit or harm any individual candidate, so does not violate the statute. And the people who within the university are working to set up those candidate forums are working to benefit the public interest at large through the normal performance of their official duties as long as they don't manifest any favoritism in setting those events up.
02:15
What about political rallies or party conventions held on campus?
If there's a meeting room, or arena, or other facility that UA offers to rent out to individuals, or businesses, or other entities, those facilities can be rented out on equal terms for a campaign, or a political party, or a political group. As it's got to be on the same terms, and it's got to be on the same price that we would be willing to let it go out for a business convention or something like that. And we have to be willing to offer that same arrangement to any of the candidates running against that person. We would need to rent facilities out to campaigns in the same way that we would rent them out to any other entity.
03:04
Displaying or distributing partisan political material while engaged in official UA business is not permissible. If you are working off-site, you can have the campaign materials in your own home work area, just keep the materials out of the background when you're on an official Zoom call.
Activities on your own time and away from your work area, such as employees that wish to wave campaign signs on a street corner during their lunch time, are okay as long as you aren't using any UA resources. So if you want to campaign, you can take personal leave or faculty time off and use that time for campaigning away from your work area. The university does not limit that to unpaid leave.
Employees can have their name listed in a campaign ad, but we recommend you not include your UA affiliation, or, if your picture is going to appear in the ad, don't have it taken by some UA landmark or containing a UA logo.
It can be appropriate to list your profession, like college professor, since UA is not the only college in Alaska, but avoid mentioning the University of Alaska by name.
04:22
What about legislators visiting a campus?
Legislators often have very good reasons to visit a campus to learn more about a particular program, or learn more about the university in general, that's not a violation of the EBEA. And we can arrange events to give legislators a tour or something like that.
We do try to be careful to caution the legislator not to turn the visit into a campaign event and similarly a political science professor might want to have a legislator come in to give a guest lecture on some topic - that furthers UA's educational mission, and that's permissible; again assuming we're careful to avoid having it turned into a campaign activity.
05:08
What if I write an email to a legislator from my UA email address about an important topic, would that get me into trouble?
We recommend for several reasons that when you're going to be writing to a legislator that you use your private email address for that and do so outside business hours.
There are many reasons for that:
- It's too easy to inadvertently step across the line between lobbying and electioneering. If I am telling a legislator “I want you to support this bill,” that's lobbying and that's not prohibited by the EBEA, but if that email says “I want you to support this bill and if you don't I'm going to start making contributions to whoever your next opponent is,” in this example I've crossed that line -- that's electioneering, and I can't use UA resources for that.
- Using a UA email address can convey the impression that I'm speaking on behalf of the University. Regents' policies state that if I'm communicating with a legislator or with someone in the governor's office, the president has to authorize that kind of official communication. Even though it might not amount to a violation of the partisan political activity prohibition, it would violate this other Regents' policy about being an official spokesperson on behalf of the University.
- Even if my email says I'm just talking in my personal capacity, for example because I'm on the board of my kids' soccer league and I want support for funding intramural sports, remember the EBEA prohibits us from using UA resources to further our personal or financial interests. So even though it may not be partisan political activity, if I'm using UA resources to further my personal interests, that's still forbidden by the EBEA entirely aside from whether it's partisan political activity or not.
- Even if it's something on which the president has authorized me to write an email to legislators – and this frequently comes up when somebody is targeting the university budget for cuts, and the president will say "we want to encourage you to have your input to the Senate finance committee or the house finance committee on this" – some legislators, when they see an email coming with a UA email address down at the bottom, will discount those points that you're trying to make in the email.
- Sometimes we get complaints from legislators who have gotten emails from a UA email address and we have to investigate those, and even though if we look at them and decide this is not partisan political activity, it still takes time and resources to conduct that investigation, and so our strong recommendation is if you want to write to a legislator it's almost always preferable to do so using your private email.
Those aren't all the reasons, but they're some of the more important reasons why we always encourage if you're writing to a legislator or to somebody in the executive branch use your private email for that rather than a UA email.
08:25
What about students who are not University of Alaska employees, but they use their UA email address to engage in partisan political activities?
Well, the executive branch ethics act says that even though the students themselves if they're not employees are not bound by the EBEA, we cannot either use, or authorize the use by somebody else, of UA resources. So if we learn of a student who has been sending out partisan political activity we do have a responsibility to not authorize that use by contacting the student and saying we would respectfully request that you refrain from using UA emails for partisan political activity.
09:12
Student political clubs are allowed to use their own funds, including funding they may have from the student government, in order to engage in partisan political activity (that's why they exist in the first place), as long as they don't abuse that discretion by doing something that would violate the EBEA or other provisions of law, like trying to disguise funds that do come to the student political club from a political party.
But they do have more flexibility to engage than what we as University employees would be able to do as far as the political activity.
09:52
What if an employee wants to run for public office?
Well an employee doesn't have to resign from the University in order to run for office but may have to resign if they win.
If you're going to run you should disclose that as an outside activity through the outside activity disclosures that we've previously discussed, and the same is true if you're going to be a Treasurer or have some other official role in somebody else's campaign. If you win, you may need to resign at that point.
State legislators are not allowed to hold a position of profit with the state, so would have to resign from a full-time UA position before getting sworn in as a legislator.
Under certain narrow circumstances you might be allowed to continue to teach courses as an adjunct as long as it is temporary and non-salaried, but that's a fairly narrow exception. For the most part people who get elected to a municipal board or to a school board don't have to resign but would need to report that also as an outside activity.
If you get elected mayor it depends on whether it's a full-time job or not. If it is a full-time job as mayor then it may be not compatible to work full-time for both the mayor's office and for the University. Not because of any partisan political activity prohibition, but because the outside activity rules make it virtually impossible for any UA employee to have two full-time jobs.
11:31
For more information check out the general counsel ethics website https://www.alaska.edu/counsel/ethics-information/.
If you have ideas for future compliance chats please send them to ua-compliance@alaska.edu.
#6 Misuse of Official Position
[June 2023] At the University of Alaska issues such as misuse of official position are addressed in the Executive Branch Ethics Act (EBEA). Regarding our use of our official positions, the EBEA states that employees may not “use, or attempt to use, an official position for personal gain, and may not intentionally secure or grant unwarranted benefits or treatment for any person.”
00:18
"Misuse of Official Position" has some very similar aspects to the topic of "Improper Influence in Grants, Contracts, Leases and Loans" which we already talked about.
The Grants, Contracts, Leases and Loans statute is narrower in the sense that it only deals with Grants, Contracts, Leases and Loans, whereas the Misuse of Official Position statute talks about any kind of matter, not just one of those four.
But the Grants, Contracts, Leases and Loans statute is also a little broader in that it prohibits me from holding a specific UA position affecting a personal or financial interest in a particular grant, contract, lease or loan. Whereas with respect to Misuse of Official Position, it tells me rules that I have to abide by, things that I cannot reach out and try to do, but it wouldn't make me leave that particular position with the university.
01:24
An example: It's best to think of Grants, Contracts, Leases and Loans in terms of nepotism. If my son and I are both working for the same unit, then he cannot be my supervisor no matter how careful he's being to treat me the same as all his other direct reports. That's just a rule, period, that he cannot be in that position.
01:49
How is the Misuse of Official Position statute different?
There's a general rule that we may not use or attempt to use our official positions for personal gain, and may not secure or grant unwarranted benefits or treatment for any person.
And that is followed by six specific prohibitions.
The sixth needs its own chat as that deals with Partisan Political Activity which can take some time to cover.
02:14
Number one is we cannot seek other employment or contracts through the use or attempted use of our official position.
What you cannot do is to use your official position to provide somebody with any favors in order to get that job offer as a quid pro quo.
02:53
Example, implying that a letter of reference is tied to whether or not a position is open.
It's okay for me to write letters of recommendation, and it's okay for me to inquire about job openings, but once I link those two together and imply that how the letter comes out might depend on whether I got a job offer that's prohibited.
Similarly, if I'm steering University business towards a company with an understanding that they'll hire me after I leave the university, that's prohibited.
03:51
Two, a UA employee cannot accept, receive, or solicit compensation for the performance of official UA duties or responsibilities from anybody else other than the University.
That could include a $5 tip - or any compensation. Don't accept anything of value offered as compensation for your University work.
04:29
They can make a contribution to the university, but not to me as an individual.
04:33
What if I'm being compensated for work that I did for another employer and not the University?
As long as you disclose that as an Outside Activity, and got that approved, you're OK. That's why it's important that outside activity occurs away from regular UA work time.
05:05
The third one is a UA employee cannot use UA time, property, equipment, or other facilities to benefit personal or financial interests.
Example: using a UA vehicle on the weekend.
It applies to any significant property.
06:00
The fourth, an employee cannot take or withhold official action in order to affect a matter in which the public officer has a personal or financial interest.
That is one point of difference between this statute and the Grants, Contracts, Leases, Loans statute.
If the matter in which you have an interest does not concern a grant, contract, lease, or loan, then your job can still include duties concerning that matter as long as you were very careful to individually avoid taking or withholding action anytime that matter comes up.
06:50
Remember the definition of official action is very broad and can include any involvement, advice, assistance or recommendation.
So that broad definition of "official action" means that we have to be very careful.
07:40
The fifth one is, we cannot attempt to benefit a personal or financial interest through coercion of a subordinate, or require another University employee to perform services for our private benefit at any time.
07:56
Example: my employees have offered to help me stain my deck, is that ok? What if I pay them?
If it's truly voluntary on their part, there's no violation. But if you bring it up as their supervisor it may be received as a thinly veiled requirement.
So if you need help it should be from someone other than your subordinate.
Regarding compensation, the rule still applies, though paying them does make it seem less likely that you are coercing them, or are requiring them since they could say no more readily.
09:30
What if the helpers are students?
You should apply the same rule as to any student over whom you have any kind of authority.
There isn't a specific definition of subordinates in the statute, but we don't want UA employees to be trying to coerce students any more than we want them to be trying to coerce direct reports.
If you have ideas for future compliance chats, please email them to ua-compliance@alaska.edu.
#5 Restrictions Post-Employment
[May 2023] Most obligations under the Executive Branch Ethics Act end with the termination of university employment with two exceptions. This includes (1) the information that we glean from our UA official duties and (2) the other has to do with advice, assistance, and representation.
00:09
If an employee is about to retire or leave the university to take another job, does that mean that their Alaska Executive Branch Ethics Act obligations are complete at that point?
For the most part, yes. Bear in mind if you're going to work for another employer, that employer may have their own ethical obligations and in particular if you go to work for the State of Alaska you'll be bound by the same Executive Branch Ethics Act that governs us as UA employees. But, for the most part, once we leave employment with the university we don't have to follow the EBEA anymore but with two exceptions. This includes (1) the information that we glean from our UA official duties and (2) the other has to do with advice, assistance, and representation.
- Current and former employees have an obligation to continue keeping confidential that information that is confidential by law and also to refrain from using or disclosing any information that might have any benefit for myself or for an immediate family member. And those obligations still apply even after the employee leaves university employment. The obligation to keep confidential that information that is confidential by law is indefinite and permanent.
- For two years after leaving UA employment employees cannot advise, assist, or represent someone on a matter that was under consideration by the administrative unit for which they worked, and in which they personally and substantially participated. This exception is temporary and it's also waivable and it doesn't really come up very often.
02:29
Examples of prohibited post-employment activity for a period of two years after you leave employment include:
- Employee is on a hiring committee; a dissatisfied job applicant is thinking about suing the university and wants to hire this employee to be a consultant.
- Employee was on the selection committee for a contract award or otherwise participated personally and substantially in it; one of the people or businesses who put in a proposal that was not selected wants to pay the employee to be an expert witness.
- Employee was on a grade review committee; and the student wants to appeal that determination to Superior Court and wants to pay the employee to help write that appeal.
- Employee helped write a university regulation or a Regents' policy; outside employer wants to pay for employee’s help in lobbying the Board of Regents to change it.
03:37
This rule applies only if it is for compensation. Compensation is defined pretty broadly so it also includes travel reimbursement. But if it is something you are doing with no compensation at all then it is not a violation of the statute. But, with or without compensation, you still have the duty to respect the information limitations. So even if there's no compensation, you cannot disclose information that's confidential by law, or disclose or use information that could be of any benefit at all, whether financial or not, to yourself or a member of your immediate family.
04:15
The bar on assistance, advice, or representation only lasts for two years. As we discussed earlier, if you are, in the course of providing this advice or assistance, drawing on information that's confidential or that could benefit you or a family member and has not been publicly disseminated yet, that information protection obligation remains in place. The restriction that is specific to advice, assistance or representation for compensation is two years.
04:45
There's a specific provision in the statute that says that if it is the University that wants you to come back to work for them as a contractor, or maybe as an employee, then this prohibition doesn't apply. There are some wage and hour rules and retirement rules that might have limitations on how quickly you can do that but the ethical obligation doesn't apply if it's the same agency like the university that wants you to work on that issue.
If it would be to work for someone else under this provision rather than the university, the former employee can apply to the university president to waive the bar of that statute if the university president is convinced that it's not adverse to the public interest. That waiver has to be submitted to the Attorney General's office for approval.
For more information, contact the General Counsel’s office (907-450-8080) or the Attorney General's office (907-269-5100).
#4 Avoiding Improper Influence
[April 2023] The EBEA states that “employees, or an immediate family member, may not attempt to acquire, receive, apply for, be a party to, or have a personal or financial interest in a state grant, contract, lease, or loan if the employee may take or withhold official action that affects the award, execution, or administration of the state grant, contract, lease, or loan.”
00:03
This section of the Executive Branch Ethics Act restricts employees and immediate family members from having a personal or financial interest in University or state contracts, grants, leases or loans if the employee may withhold or take official action that would impact the outcome.
It protects that principle in two ways: a disclosure requirement and a prohibition.
Disclosure requirement:
As UA employees we have to report in writing to the ethics supervisor a personal or financial interest held by ourselves, or our immediate family members, in any UA grant, contract, lease, or loan, that is awarded, executed or administered by the university.
Prohibition:
As a UA employee neither myself, nor any immediate family member, may enter into, or try to enter into, or apply for, or have a personal or financial interest in, any university grant, contract, lease or loan if I may take or withhold official action that affects anything about that grant, contract, lease or loan.
01:18
Examples of issues that need to be disclosed:
The most common is if two immediate family members are each employed by the University, at least one of them has to disclose that in writing to the ethics supervisor. And this situation is so common that there's a specialized form we use for disclosure of employment of an immediate family member. Immediate family member(s) not employed by UA submitting a bid to become a private contractor would still be a personal or financial interest and need to be disclosed.
01:50
Can my immediate family member be an employee or a private contractor?
The disclosure requirement covers a broader array of contracts, grants, leases, or loans, than the prohibition does -- most of the disclosures made by employees are situations that are not prohibited. If the employee has any influence, even in an advisory role, over the grant, or contract, or lease, or loan, it triggers a prohibition. An advisory role is still official action.
02:29
If I don't have any influence at all, such as a decision made by a separate component of UA, is it prohibited?
Then although this still has to be disclosed, your immediate family member is not prohibited from applying for that, as long as neither immediate family member has any kind of supervisory role with respect to the other. In other words, is not in a position from which they can participate in any employment, or grievance, or compensation, retention, promotion, leave, or other personnel decisions concerning the other family member, then that's permissible. The disclosure still has to be made, but no remedial action will be necessary beyond that.
Possible scenarios:
- If the immediate family member is trying to contract with the university on a matter that's completely unrelated to the employee’s position or authority the disclosure still has to be made, but they are not prohibited from applying.
- If the immediate family member would be prohibited from applying because the university-employed family member has a supervisory role, the ethics supervisor can make an assessment in that situation to explore if it's feasible to reassign duties away from the family member to someone else. If that is found to be feasible, that's the preferred solution to address a potential conflict.
- If your immediate family member wants to apply for a position that you would normally supervise, then the ethics supervisor can work with your work supervisor to see if it is practical to take those particular supervisory duties away from your position, and assign them to another position. If it's practicable to do that, then the ethics supervisor writes up a formal memo to accomplish that, and once your work supervisor approves that reassignment memo, then you don't have that supervisory authority anymore. It's not always feasible to make that reassignment, but where it is, and where that's properly documented, that fixes the problem.
#3 Use or disclosure of information
[February 2023] Every day in our university jobs we hear and read interesting information and sometimes it can be difficult to figure out whether it is OK to share that information with friends and family members. As university employees, the Executive Branch Ethics Act provides guidance for these situations, and serves as our Standards of Ethical Conduct.
Question One (00:09)
Does the duty not to use or disclose information apply only to information that is confidential by law?
No, and the duty not to use or disclose information has two parts.
Part one is limited to information that is confidential by law. Current and former employees cannot use or disclose, without appropriate authorization, information that is confidential by law.
Examples of information that is confidential by law are:
Information that's protected by FERPA (student records) would be one obvious example. Basically if there is a law that says the University has a duty to keep information confidential, then all university employees have an ethical as well as a legal duty to keep that information confidential.
Part two is a little more involved. Even if the information is not confidential by law, if it is information that the employee received through their official duties, and if that information could in any way result in a benefit for the employee or the employee’s immediate family members, then the employee cannot use or disclose that information if the information has not been disseminated to the public.
This requirement is not limited to financial benefit. It includes anything that is to a person’s advantage or self-interests, or from which a person profits, regardless of the financial gains. So it includes financial benefits, but it also includes service, privilege, exemption, patronage, advantage, advancement, or really anything of value.
Question Two (01:50)
How far does the “immediate family member” group extend?
“Immediate family member” would include a spouse or domestic partner, child or children (including stepchildren and adopted children), parent, sibling, grandparents, aunts and uncles, and my father-in-law, mother-in-law, or sibling-in-law. So if I, as a UA employee, have any information that could benefit somebody in that group and in that scope, then I cannot share it. Or if one of my immediate family members is employed at UA and that person has information that might benefit me, then they cannot share that information with me.
Question Three (02:28)
If I know of someone that is outside the University who has learned the protected information, does that count as being publicly disseminated?
No, the state regulations have a specific list of things that have to be met in order for information to be regarded as being publicly disseminated. If it has been distributed through a newspaper or other printed publication; through broadcast media; a press release; a newsletter; a legal notice; a nonconfidential court filing; a published report; a UA website; posting on the Alaska Online Public Notice System; a public speech; or public testimony before the legislature or an agency.
Information that has not gone public through one of those channels, even though it may have to be produced in response to a public records request, or it may have otherwise been accessed by a member of the general public, has not been "disseminated" to the public. So we should not disclose or use it if it might benefit ourselves or our immediate family members.
Question Four (03:36)
Who do we report it to if we suspect that someone has shared protected information, and what are the consequences?
It should be reported to the ethics supervisor for the particular unit of the university for which you are working. And those are listed on the ethics website for the general counsel's office. It may also have to be reported some place else, if it entails a crime or Title IX violation or something like that, but the place to start would be the ethics supervisors. Disciplinary action for an employee sharing protected information would follow the same progressive discipline approach that any other violation of policy would for an employee.
Question Five (04:19)
After we stop working for the University, are we released from these obligations?
No, these requirements regarding the sharing of confidential information apply to current and former employees. Most provisions of the Executive Branch Ethics Act stop being applicable to us when we stop working for the university, but these particular provisions apply to former employees. So even after leaving the university's service you still have these obligations to keep that information confidential.
If you have ideas for future compliance chats, please email them to ua-compliance@alaska.edu.
#2 Outside Activity or Employment
[January 2023] It’s important that employees be familiar with the guidance that covers the reporting requirements and restrictions on outside employment. All UA employees, full or part-time, are subject to the outside employment restrictions set forward under the Executive Branch Ethics Act (EBEA), which serves as UA’s Standards of Ethical Conduct and its implementing regulations published by the Department of Law.
Scenario one: (00:26)
Kaya is a UA faculty member and is contacted by Johns Hopkins University to work on a research project on a part-time basis. What are the steps that Kaya needs to take in considering this opportunity and making sure that she's compliant?
First Kaya should talk informally to her work supervisor about the prospect and about any potential drawback.
Then get a form for disclosure of activities outside the University of Alaska and answer the questions. Once signed it goes to the supervisor for approval and then to the designated ethics supervisor who reviews the whole package for compliance.
Note UA resources are not to be used for outside work.
Scenario two: (2:30)
Sam is a supervisor and receives a disclosure form of outside activities or employment. What are the top three things that he should keep in mind when looking to approve or to possibly not approve this request?
One: whether the outside activity will take time away from the employee’s official university duties.
Two: whether they're going to limit the scope of the employee's official university duties.
Three: whether the outside activity is otherwise incompatible or in conflict with the discharge of the employee's university duties.
Scenario three: (3:17)
If a UA employee takes outside employment to supplement their income is there a limit to the number of hours they can work?
General guidelines are that employment under 10 hours is not generally regarded as interfering with the employee's primary duties to the university.
If the outside activity is taking 27.5 hours or more per week, the ethics supervisor will have to look closely to see how the employee and the work supervisor are working to manage that time commitment without interfering with the university duties.
In between that 10 hours and 27.5 hours, deference will be given to the work supervisor's judgment about how well the particular employee will manage the commitment while giving primary attention to their UA duties.
If outside work is occurring during regular university work time the employee may need to take annual leave or faculty time off, or adjust their regular working hours with their supervisor's permission.
Scenario four: (5:13)
What about volunteer work?
Some volunteer work should be reported if it takes time away from the employee's official duties; limits the scope of the employee's official duties; or is otherwise incompatible or in conflict with the proper discharge of the employee's official duties. Employees should report official positions within outside organizations (e.g. Board Membership, Officer position).
Scenario five: (6:13)
Outside the July 1 annual reporting requirement when does an employee need to file a report?
The statute requires that the report be made annually, around July 1st, even if nothing has changed about the outside activity.
If an employee takes on a new outside activity, or there are significant changes to a current activity, then a new disclosure needs to be made.
If you have any ideas for future "Compliance Chats" please go ahead and email us at ua-compliance@alaska.edu.
#1 Gifting Guidelines for UA Employees
[December 2022] As we are nearing the holidays, in this inaugural "Compliance Chat" Mary Gower is joined by Andrew Harrington to discuss gifting compliance guidelines. They address four scenarios about employees receiving gifts and the best way to handle each situation.
Scenario one: (00:22)
A software vendor is taking their top university clients out for an expensive dinner. How should one proceed?
You should politely decline the invitation, or if you decide to go, you should insist on paying for your own $100 dinner rather than accepting the gift. As university employees we're not allowed to accept or receive gifts under circumstances in which it would reasonably be inferred that the gift is intended to influence our professional actions, or decisions, or judgment.
Scenario two: (01:28)
An employee at convocation wins a university sweatshirt. What do they need to do?
As long as it was somebody from the university who was tossing out the sweatshirts, you're fine keeping the sweatshirt, and you don't have to report that as a gift. Anything that you get from our employer is not a gift. The Executive Branch Ethics Act focuses on gifts from third parties intended to influence our actions or judgment.
NOTE: While gifts from UA to its employees need not be reported under the EBEA, UA under certain circumstances may have to report the gift value to the IRS as employee income. This applies to any cash or cash equivalent gift regardless of amount, and to non-cash gifts that exceed a de minimis value.
Scenario three (02:30)
A vendor sent me a tower of holiday treats with meats and cheeses - a $250 value. Can I keep this gift? Do I need to do any reporting on it?
You will need to report it. Take the perishables and try to give them to the food bank, or the soup kitchen: someplace that will be able to take advantage of them, because you cannot keep it for yourself. Next best would be to treat it as a gift to the entire university, and distribute those as widely as possible among your department, or your unit, or your university. Send a polite thank you note saying that you will not be able to accept gifts like that in the future.
(03:52) I see less expensive gifts over the holidays like a tin of popcorn, or a box of cookies, or things like that. Do those have the same rules?
State law says that a gift of under $150 does not need to be reported; and an occasional gift of fifty dollars or less is not presumed to be designed to influence our official actions or judgment.
The university has a stricter standard. We're not supposed to accept any gifts from any entity that go above the level of something like a coffee cup or a pen or a calendar.
Scenario four (04:45)
I'm at a conference, and they do a drawing for next year's registration - thousand dollar value - and my name is drawn. How do I handle that in regards to compliance?
As long as that registration discount is available to the university rather than to you personally, then you can accept that, and whoever the university may decide to send the next year can take advantage of that discount. It's not benefiting your own personal or financial interest, that's benefiting the university.
Where do people go for more information? (06:12)
The General Counsel's office has a website specific to the Executive Branch Ethics Act and associated university policies. https://www.alaska.edu/counsel/ethics-information/
The state of Alaska has its own website specializing in the Executive Branch Ethics Act. https://law.alaska.gov/doclibrary/ethics/EthicsCode.html
For each one of the universities the HR senior business partner serves as the ethics designee. Or you can contact the General Counsel's office. such as the Executive Branch Ethics Act (EBEA). Acceptance of gifts is covered in the EBEA, which serves as UA’s Standards of Ethical Conduct.