Educause Security Discussion mailing list archives

Windows 10 Privacy Settings and "Regulated" data


From: randy <marchany () VT EDU>
Date: Fri, 7 Aug 2015 12:36:27 -0400

The Windows 10 privacy settings have generated a lot of discussion on
various threads lately. I'm concerned about the implications of these
settings with respect to some of the regulations that govern EDU "data" such
as FERPA, HIPAA, ITAR, PCI, etc.

Does Educause have any working groups on this topic? Any thoughts on this?
While I don't expect one on Windows 10 specifically, have there been any
discussions on regulated (FERPA, HIPAA, ITAR, etc.) to cloud providers?

BTW, a good resource for a privacy lockdown guide is at
http://www.zdnet.com/article/how-to-secure-windows-10-the-paranoids-guide/.
There's an interesting quote in this article:

--------------
"Steve Hoffenberg, VDC Research <http://www.vdcresearch.com/>'s Director of
IoT & Embedded Technology worries, for instance, that these Windows 10's
"features" violate Health Insurance Portability and Accountability Act
(HIPAA) privacy requirements
<https://www.linkedin.com/pulse/does-windows-10-violate-hipaa-steve-hoffenberg?trk=hp-feed-article-title-like>.
If his fears are valid, this means medical offices and health insurance
companies should turn off this Windows 10 setting.

I doubt he's right, but I'm no lawyer. Even so, were I working with
transactions that fall under Sarbanes-Oxley (SOX) <http://www.soxlaw.com/>,
Gramm-Leach-Bliley (GLB)
<https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act>,
or HIPAA <https://www.hipaa.com/>, I'd turn off this feature, and its
related setting, "Windows 10 Input Personalization." Better safe than
sorry."

---------------

This quote is why I'm asking the list about this topic.

Thanks.

Randy Marchany

VA Tech IT Security Office & Lab
