Winter 2026

Asmat Noori, Interim Chief Information Security Officer, looks forward to U-M’s transition on February 25 to the Okta identity management platform. It provides an enhanced sign-in experience with new passwordless options such as Face ID, Touch ID, and Windows Hello. Noori says, “The new capabilities Okta offers for protecting university accounts will help us meet the challenges of ever-evolving cybersecurity threats.” As U-M takes this step forward in account management, it’s fitting to acknowledge the contributions of DePriest Dockins, recent retiree and former Director of Identity & Access Management (IAM). Noori notes, “DePriest’s thoughtful leadership has been integral to the evolution of IAM at the university, and to the successful ITS internship program, which he championed and led since it began in 2014.”

Noori also reminds the security community that all faculty and staff were required to complete DCE101: Data Protection and Cybersecurity at U-M, available in My LINC, by February 13, 2026. As of February 15, more than 28,000 faculty and staff have completed it. Noori says, “Providing cybersecurity and data protection awareness training across the U-M community marks a milestone in protecting the confidentiality, integrity, and availability of U-M systems and data.”

Sol Bermann, Executive Director of Privacy & Faculty Affairs, invites the U-M community and the public to this year’s Privacy@Michigan event series that began in January and continues through March. All are welcome to join us for these thought-provoking conversations with speakers who are at the forefront of research and advocacy related to pressing privacy concerns. Bermann says, “We all read the news. It’s never been more important to be aware and protect privacy as a human right and a civil liberty.” Bermann is pleased to announce that the first-ever Unveil: Privacy@Michigan Student Art Contest is underway, and winners will be honored at a ceremony and exhibition on March 27. Bermann adds, “Unveil celebrates artistic expression and enables students to engage personally with privacy, surveillance, and their autonomy in today’s society. We’re excited to shine a spotlight on student creativity and civic engagement.”

Jeremy Johnson has joined IA on the Proactive Cybersecurity team as a Cybersecurity Engineer. He comes from Ford Motor Company, where he worked in both product and enterprise cybersecurity over the last 12 years. He will be working on threat hunting, vulnerability scanning, sensitive data discovery, and penetration testing. When he is not working to protect networks, Jeremy can typically be found chasing his daughter through a museum, camping out in some forest, behind a camera, or enjoying some gaming time at home.

Tommy Tunks joined the Design and Engineering team as a Research Data Security Analyst, where he develops compliance solutions for research projects involving CMMC, CUI, and FISMA requirements. Tommy graduated from the School of the Art Institute of Chicago in 2010 with a Bachelor of Fine Arts and has worked in technology since 2015. Before joining IA, he was with CAEN in the College of Engineering, where he served as IT Manager for the Nuclear Engineering department. Tommy's background in departmental IT and researcher support brings a practical, customer-focused perspective to IA's research security work. Tommy lives in Ypsilanti with his wife, teenage son, and a squadron of felines. In his spare time, he enjoys drawing, listening to electronic music, and reading manga.

Please take a moment to welcome Jeremy and Tommy to the IA team!

The ITS Privacy Office has grown younger, a bit wiser, and a whole lot more creative by adding two fantastic student contributors to the team in the past year. They have applied skills from their academic work and pumped up student outreach with their fresh perspectives.

Tabassum Chowdhury, User Experience (UX) Design major in the School of Information, joined the team as an intern in the summer of 2025. She jumped right in by applying her UX skills to a Safe Computing website refresh - analyzing user needs, providing feedback on wireframes, and more. Tabassum has stayed on with the team through her senior year, continuing to demonstrate an artistic touch and keen understanding of UX design as she helped enhance the Safe Computing Challenge for students.

Tabassum’s minor in writing and her creativity have been tremendous assets in writing communications, Safe Computing articles, and promotional materials for multiple awareness campaigns. To cap it off, she is taking the lead on Unveil, the first-ever privacy-themed U-M student art contest. She is making connections across ITS and the university, developing new website functionality, and expanding outreach to students. If you attend athletic events, look for her on the sidelines, behind a giant camera lens, capturing amazing moments as a Big Ten Network freelance photographer. After graduating, Tabassum and her gray cat hope to stay in Michigan and find a position in employing UX design, communications, and/or project management skills (the cat plans to snooze).

Kate Hurley joined the Privacy Office as a student employee in the fall of 2025, and by December, she was a published author of an article in Educause about The Paradox of AI Assistance. She is also a senior in the School of Information, completing a B.S. in UX design as well as a minor in business. She supports Privacy Office leadership by creating and maintaining a curated list of privacy-related news. She tapped into her own news resource to write the News Round Up article in this newsletter. Kate also spent time researching privacy challenges impacting K-12 education and AI governance occurring at state, federal, and international levels. She contributed her knowledge to the development of a student course on Learning with GenAI. 
In her free time, Kate enjoys working out and playing sports. She’s on three intramural teams this semester - soccer, basketball, and volleyball! After completing her degree in May, she hopes to travel abroad in the summer and then work in the tech industry, while preparing to apply to law schools or to graduate public policy programs.

Tabassum Chowdhury and Kate Hurley embark on their next adventures with portfolios highlighting their talents and the real-world skills they enhanced while making their mark as contributing team members in the Privacy Office.
 

Beginning February 25, the University of Michigan will transition to Okta, an industry-leading platform for managing digital identities and access, for sign-in and multi-factor authentication (MFA). Adopting Okta for sign-in and MFA is one part of a broader, strategic effort to modernize U-M’s identity and access management (IAM) environment and strengthen digital security across the university. The new platform comes with an impressive set of integrated capabilities and will serve as an excellent foundation for the modernization efforts.

Okta’s unified identity and access management platform allows ITS to apply security protections more consistently and intelligently across the full range of systems at U-M, strengthening our ability to safeguard user data and protect against evolving threats. Along with improved security, the transition to Okta improves the sign-in experience by offering more flexible options, including optional biometric authentication with Okta FastPass for a passwordless sign-in experience. As is true with other programs that utilize your device’s biometric features (Apple’s Face ID, for example), biometric information remains securely stored on your device and is not collected or stored by U-M or Okta. By adopting Okta, ITS is introducing new sign-in capabilities now while building a modern identity and access management foundation to support the university’s future needs.

“Okta is truly an industry-best platform. We believe our community will greatly appreciate the modern features this partnership brings, such as passwordless sign-in with Okta FastPass, which will make accessing university resources both easier and more secure.” - Robert Jones, Assistant Vice President of Emerging Technology and Support Services

Overall, the response to Okta has been overwhelmingly positive. Enrollment in Okta began on January 14, and more than 105,000 faculty, staff, and students have already enrolled, with thousands more joining each day. Early feedback indicates that the enrollment process is quick and straightforward, and ITS teams are actively supporting anyone who may need assistance during the transition.

UMICH account holders are encouraged to enroll their accounts ahead of the transition on February 25 by following a step-by-step enrollment process provided by Information and Technology Services.

Dylan, a Central Michigan University grad, went to college with the intention of becoming a journalist, planning to minor in technology. While he retains a love of writing and journalism, studying what made for a newsworthy story, and seeing how negative that focus could be, led him to decide to reverse the order of his studies to major in IT and minor in journalism. From a young age, Dylan was exposed to technology through his father, an IT professional. "I played with the tech my dad brought home, so I was very comfortable with it," he said.

After college, Dylan worked for some heavy hitters in the tech and consulting world, but private sector success didn't translate into complete career happiness. One day, while working a challenging assignment that had him flying back and forth across the country, Dylan had had enough. He came back ready to make a change.

That change turned out to be joining U-M. In one of his pre-UM roles, he worked with data recovery, which led him to have an interest in IT security. Enter his job at OUD. "I started as a Business Systems Analyst and worked my way up," he said proudly.

It's no surprise that when asked what his favorite things about working at U-M are, he immediately said, "Being treated well – like a person." He also cites a work atmosphere that doesn't require being cutthroat and overly competitive with colleagues. "It's just a much better work-life balance!"

What are some good things about being an SUL specifically? First, he said he loves working with the folks in OUD. In particular, the Performance Support Program. "It's learning by doing. It's fun to pull the curtain back on technology, and to see that moment where people 'get it'."

I asked Dylan if he's used the AI tools ITS has helped provide to U-M, and if he has a favorite thing about them. "Playing around and trying to break them?" he joked, "Maybe I shouldn't say that?" Returning to being serious, he cited how U-M's AI tools can take unmanageable amounts of legacy data and summarize it in ways that allow him and his colleagues to make use of it. "We could never do that by hand," Dylan said.

I was curious about Dylan’s biggest challenge as an SUL. "Getting people to pay attention to communications!" he smiled.

When I admit I see this is my role as a communicator, too, Dylan said, "Read rates are low," then added, "I know from studying journalism and writing, you have one sentence to get attention, and then people move on."

Dylan also mentioned the familiar challenge of how decentralized some IT is at U-M. I asked about a specific challenge he and OUD face: moving out of Wolverine Tower. While he admitted that it adds another wrinkle, especially ensuring connectivity and continuity, he sounded undaunted. "We hope to be up and running in the new place by mid-February."

So how does Dylan relax outside of work? "I love TTRPGs," he said. For the uninitiated, that's Table Top Role Playing Games; games similar to Dungeons & Dragons, though he prefers things with simpler and more manageable rule sets. Pathfinder is one of his favorites. "I run three TTRPG games, which is like a second job, but you're not staring at a computer!" he says happily.

Like everything else about his journey, Dylan is generous in sharing what he knows, whether it's OUD operations, TTRPGs, or experiments with AI. As we wrapped up our interview, I left with the distinct sense that Dylan Marino could be a professional at a lot of things. We're lucky his career led him to be the SUL for OUD, and one of our many partners in protecting U-M!

As the university’s digital environment evolves in response to global technological developments and the needs of the U-M community, so do our cybersecurity practices and underlying IT policies and standards.

Here is a roundup of the IT policies and standards that were updated in 2025:

• Network Security (DS-14): updated in February 2025 to establish requirements for use of the U-M network and VPN, update roles and responsibilities, and strengthen network protection mechanisms.
• Security Log Collection, Analysis, and Retention (DS-19): updated in June 2025 to incorporate changes in logging configuration requirements.
• Access, Authorization, and Authentication Management (DS-22): updated in June 2025 to require two-factor authentication for remote access to U-M systems.
• Institutional Data Stewardship Policy (SPG 601.12): revised in August 2025 to reflect changes to technology and the U-M Data Governance Framework.
• Information Security Incident Reporting (SPG 601.25): updated in August 2025 to make it clearer and more concise.
• Information Assurance Awareness, Training, and Education (DS-16): updated in October 2025 to clarify annual training requirements for faculty, staff, and workforce members.
• Endpoint Security Administration (DS-23): updated in November 2025 to include a requirement for information security support.

In early 2026, we published an update to Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) to adjust the definition of sensitive university data in alignment with Institutional Data Stewardship Policy (SPG 601.12) and the university data classification levels.

Later in the year, we are queuing up reviews and revisions of  Vulnerability Management (DS-21) and Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12).
To stay up to date on recent and upcoming IT policy and standard revisions, visit the Information Technology Policies Under Review page on the VPIT-CIO website.

A little over a year ago, in December 2024, ITS Information Assurance (IA) published Endpoint Security Administration (DS-23) – an IT standard that establishes foundational security measures for university-owned systems. The FY26 Internal Controls IA Certification Question focuses on one of these measures: maintenance of an up-to-date inventory of university-owned systems.

Units are asked if they have established and maintain an up-to-date inventory of university-owned systems:

• Yes. My unit has established and maintains an up-to-date inventory of university-owned systems in my unit.
• Partially. My unit is in the process of establishing an inventory of university-owned systems in my unit, and has plans for keeping it up to date.
• No. My unit has not established an inventory of university-owned systems in my unit.

All units should be able to reply "Yes" or "Partially."

While the university does not provide an enterprise inventory management solution, it offers systems with IT asset management capabilities, such as TeamDynamix.  Units can select the solution of their choice to use to establish and maintain an inventory of university-owned systems in their unit, and IA staff are available to provide guidance.

Security Unit Liaisons can submit questions related to the FY26 Internal Controls IA Certification Question through the ITS Service Center.

A new DPE320: HIPAA and Protected Health Information course is available for faculty and staff who may interact with Protected Health Information (PHI) as part of their normal job activities.

DPE320 provides an accessible and engaging experience that should take less than 20 minutes to complete. The course covers:

• HIPAA’s privacy and security rules.
• The importance of HIPAA compliance.
• Your role in safeguarding PHI.
• Appropriately accessing and sharing PHI.
• Identifying and reporting HIPAA breaches, violations, and related concerns.

The introductory data protection course of DCE101: Cybersecurity and Data Protection at U-M, which is now required for all employees, is a prerequisite for DPE320.

Note that the DPE110: Data Protection for Unit IT course also provides a basic introduction to HIPAA, and is intended for IT professionals who may have access to PHI data. The more advanced-level DPE320 is designed for administrative and health care professionals in academic units outside of Michigan Medicine.

Every year, in celebration of Data Privacy Day, the ITS Privacy Office, in collaboration with the School of Information, organizes Privacy@Michigan programming that explores pressing privacy-related issues and topics.

This year's events kicked off on January 28 with a transatlantic conversation between Elodie Vialle, a prominent international journalist and human rights activist, and Lynette Clementson, the Charles R. Eisendrath Director of Wallace House Center for Journalists. Vialle and Clementson shed light on the many digital threats journalists and news organizations face – from surveillance and doxxing, to hacking and cyber mobbing. They discussed the important measures that need to be taken to keep journalists and the press protected, and addressed great questions from a highly engaged audience. If you missed the live event, you can watch the recording on the Safe Computing event page.

On February 3, Privacy@Michigan welcomed Dr. Lauren Girouard, a post-doctoral researcher focused on examining how children think about, trust, and learn from digital technologies including AI. In her presentation at the Michigan League, Dr. Girouard explored the complexities of keeping children safe online: distributed responsibilities among parents, teachers, government, and companies; commercial interests in capturing children’s attention; a deficient regulatory framework; and children’s evolving attitudes towards technology and privacy. She also shared preliminary insights from her latest research project. Watch the recording of this dynamic event on Safe Computing.

February programming will wrap up with an examination of big tech’s influence on Detroit's future by privacy researcher Dr. Chris Gilliard and artist and organizer Tawana Petty. Add the event to your calendar and join us on February 24 at the Michigan League.

In March, we are excited to host Albert Fox Cahn, founder in residence of the Surveillance Technology Oversight Project (S.T.O.P.), on St. Patrick's Day, March 17. Finally, Cindy Cohn, Executive Director of the Electronic Frontier Foundation and author of Privacy's Defender, joins us to wrap up our Privacy@Michigan offerings on March 26. Visit Privacy@Michigan for more details.

These events are free and open to the public, so please plan to attend and help us share broadly!

What is privacy in the context of our digital lives? The first-ever Privacy@Michigan student art contest, Unveil, invites U-M students to explore the meaning of privacy through visual, literary, and performing arts.

Students were encouraged to create art that reflects themes of surveillance, autonomy, individual rights, and civil liberties–sparking conversation about what privacy means today.

Winning entries will be showcased at an award ceremony and reception on March 27, 2026.

As AI tools become increasingly ubiquitous, it is important to question how they are or are not protecting user data. Technology tools are moving away from the opt-in standard for data privacy to a training by default method, where user information is recorded and applied to fuel the next generation of large language models. Privacy is rarely the default setting in the current AI landscape; instead, the burden is placed on the user to protect themselves.

OpenAI’s Agentic Web Browser

OpenAI’s new web browser takes contextual awareness to a new level. The agentic AI tool can navigate the web and actually take action on your behalf, completing tasks like handling your day-to-day scheduling or purchasing dinner ingredients. But to do so effectively, it watches your every move online. While the convenience of a browser with ChatGPT “baked in” may be appealing, this agency without oversight creates a massive security risk that many users are overlooking.

OpenAI's new web browser has ChatGPT baked in. That's raising some privacy questions (NPR) 

Anthropic’s Major Policy Change

Anthropic, the self-described ethical AI firm, updated its policies in August 2025 to require users to manually opt out of data training. Claude is now using previously private conversations to sharpen future models by default. For those who don't catch this change, the standard 30-day data deletion window vanishes, replaced by a five-year retention period that keeps your data in Anthropic’s hands long after you've forgotten the conversation.

Anthropic users face a new choice – opt out or share your chats for AI training (TechCrunch)

Automatic Opt-in Is the AI Default

The Stanford Institute for Human-Centered AI reported that nearly all leading AI developers use conversations to train their models by default. This places the entire burden of data protection on the user to find opt-out settings buried within menus. Researchers warn that these systems are recording sensitive information, often retaining it indefinitely without an obvious path for user deletion.

Study exposes privacy risks of AI chatbot conversations (Stanford Report)

Winter is in full swing, and many of us are looking for ways to escape the bitter cold. Whether it is a spontaneous excursion or a carefully planned spring break, you are likely to be traveling with personal electronic devices. Before leaving, remember that ITS Information Assurance (IA) strongly recommends you keep devices used for U-M work at home.

Here are some basic tips to help you avoid unnecessary headaches by keeping your data and devices safe. 

Only Take What You Need

• Don't take devices that you won't need.
• Use encrypted devices if you are traveling with U-M data. Learn how to Encrypt Your Data, which begins with setting your devices to require a password, passcode, or other authorization to be unlocked.

Avoid Common Pitfalls

• Do not leave your devices unattended in public.
• Never enter or access sensitive data when using a shared or public computer. For example, do not enter your U-M or personal account credentials.
• Don't use free charging stations. Always pack your own chargers and cords.
• Be cautious about sharing location and other sensitive information online.

If Your Device is Lost or Stolen

• Contact local authorities to report the loss or theft.
• Change the passwords for access to sensitive personal services, like email and banking.
• If it is a U-M device, contact the IT Service Center for assistance in changing your U-M passwords.

Visit Safe Computing While Traveling on the Safe Computing website for more information. See International Travel with Technology for important guidance for travel outside the United States.

In today’s hyperconnected world, online privacy is more important than ever. Tech advances have made it easier for companies, data brokers, and even hackers to sift through your personal information. Consider taking the following steps to safeguard your data and share it only with services you trust:

• Turn off unused subscriptions and applications. If you have expired subscriptions or applications you no longer use, consider deleting these accounts to limit exposure of your personal information.
• Install an online ad/tracking blocker. Many websites deploy ads, scripts, and cookies that track your browsing behavior. Tools like Privacy Badger automatically block these trackers.
• Request deletion of your information. Request removal from marketing lists distributing information you do not need. Search major data brokers like Whitepages, Spokeo, BeenVerified, and follow their opt-out processes to request deletion of your information. There are web-scrubbing services like DeleteMe that can do this on your behalf.

For a full list of tips for keeping your personal information private online, visit Protect Your Privacy.