CJIS

A few blog posts ago, I wrote about body worn cameras on campus law enforcement. Since then I have been thinking more about the standards required for the storage and transmission of the video. The topic of standards has not been far from my radar.  For at least a year now I have focused on standards in my privacy, security and accessibility work. A number of blog posts point to that focus, although this one, entitled “Standards” probably sums it up best. 

It was therefore no surprise that the next step in my thinking about body worn cameras on campus law enforcement (BWC) would shift to this point. Having come to a conclusion about it, to which I will turn in a moment, I also now see that it should have be integrated into the original post on this subject. In other words, in that blog post, I talked about a number of intercampus cloud computing procurement strategies, institutional surveillance policy and communications matters. Standards should be integrated into that list.

The CJIS standard is the one that bubbles up. CJIS stands for the Criminal Justice Information Service Division. It is a division of the Federal Bureau of Investigation (FBI), the largest division in fact, and it warehouses a vast data base and search perimeters for federal law enforcement and terrorist investigations. The significance of that data and the need to maintain the availability, integrity and appropriate access to it is obvious. The administrative, technical and physical security standards that the FBI developed for that database are therefore of note. Not only do they comport with the significance of the data, those standards have set the bar for the maintenance and transmission standards for all information use by both law enforcement and the judicial system. 

The CJIS Security Policy is a model whether one is investing in campus policy body cam video or not.  It covers the general and fine points of policy governance, technical controls, training, education and awareness. Cloud computing procurement and contracts with vendors are interwoven into its directives rather than, as is the case with so many of our higher education ventures, an initiative that gets bolted onto policy written when on premise services were the norm. Although titled a “security policy” it weaves privacy practices into it.  Surprisingly devoid of government speak, the prose is clear and organized.  In the work I did at Cornell, I wish I had consulted it. For the work which I now do for a number of colleges and universities in the area of information privacy and security, it will become a resource. 

For campuses investing in campus law enforcement BWC, this policy and its corresponding standards are a must. Not only does it address all of the fundamentals of privacy practices and security controls, it creates its own standard that provide assurance for extenuating concerns such as chain of custody or inappropriate disclosure of video content. Let me drill down a bit in the practical meaning of those two points. 
 
The probability that video content of BWC of campus law enforcement will become evidence at institutional disciplinary proceedings or criminal court is great; in fact, while I would not wager a guess as to the percentage of video that enters into campus adjudication or a court, I can nonetheless safely wager that it is almost certain video will be called upon at some point in both of these venues. 

For students, the moment it enters those arenas the video becomes an education record and therefore must be maintained according to the rules of FERPA. Well that it should. What student, especially of traditional age and commonplace habits (read: occasionally obstreperous with authority and often when an encounter with law enforcement occurs under the influence) would want release of that video onto the Internet for all the world to see, including future lenders, employers, insurance companies or mates. One could only image the combustible conflict between parents of such a student, who are paying tens of thousands of dollars in tuition, and the institution that would expose their son or daughter to a lifetime of opprobrium for the video’s release. I can see the plaintiff’s complaint now, beginning with negligence and moving through intentional infliction of emotional harm. The harm to the institution’s reputation in such a situation is significant. 

Not to mention the ever-present threat that some day your institution becomes the first for which the nuclear FERPA enforcement mechanism – end of federal funding – becomes a reality. To put this scenario in context, remember the “mac and cheese” boy a few weeks back? The video was not taken or maintained by the institution. As such, it does not apply as an example, but I mention it for the kind of viral, reputation harm that it undoubtedly had on the student. That kind of behavior, and outcome of the video’s release on the Internet, is precisely the type of content that colleges and universities, when they are responsible for it, would not want to release, not of its students, nor of its administration, faculty or staff.
 
Chain of custody is the other issue that jumps out as critical risk management. Putting on my defendant’s cap (professional responsibility rules require “zealous representation” of a client), I easily imagine that chain of custody would be a key line of cross examination material.  Campus law enforcement is on the witness stand. “How do you know that the video was appropriately maintained?  What kind of policy do you have in place for it?  What are the privacy practices and security controls? Oh, it is in in the cloud!?! Is your institution contractually assured integrity? How? Are you sure that video was not photo-shopped? Are you really sure?!” That, dear reader, is how a defense attorney creates “reasonable doubt.” (Remember the O.J. Simpson criminal trial? A casebook example of a successful strategic defense approach …) The CJIS standard cuts that potentially embarrassing line of cross examination at the knees, so long as all of the appropriate controls from the video source to the cloud and back are also properly in place.

So much is at stake with BWC: the reputation of the institution, the reputation of its constituents, the vortex of racial, gender and class issues so alive now in our body and campus politic that intersect with law enforcement, higher education and the public. This environment is not the time to experiment or make mistakes. As so many examples now suggest, exposure onto the Internet is serious business that carries reputation harm to everyone/institution involved. Given the inflammatory times in which we find ourselves, these types of lapses have the potential for truly serious health and safety issues of everyone involved. To be the institution that inadvertently discloses content in violation of FERPA or because of a garden-variety security breach and makes headlines because of it is not a cherished public place for an institution to be. To be the institution that fumbled chain of custody and allows either a bad cop or criminal to go free as a result of the rules of criminal procedure similarly puts a lot of egg on an institution’s face.  

What makes these risks all the more palpable is the simple fact that a given standard exists to proactively correct for these potential errors and mis-steps. When the Internet was in earlier stages of development, it was understandable, even defensible, to scramble and claim ignorance.  We were all on a learning curve then. Standards have shifted the burden to the institution that does not keep pace. For campus law enforcement BWC, CJIS is that standard.  Just ask your risk manager to do the calculous for not adopting it.