Title: Legally Protected and Sensitive Data
1Legally Protected and Sensitive Data
2Embarrassed? Nah!
- Doh! The Most Disastrous E-Mail Mistakes
http//pcworld.about.com/news/Apr292002id93283.htm
- Dumb and dumber moments in tech
http//www.cnn.com/2004/TECH/ptech/02/05/bus2.feat
.dumbest.moments/ - Dumb business moments http//blog.seattlepi.nwsour
ce.com/buzz/archives/004236.html - Where the Hell is My Laptop? http//www.business2.
com/b2/web/articles/0,17863,513164,00.html
3Bermuda Triangle
4Information Flow in Your Workplace
- Take off your techie hat
- Put on your data hat
- Start thinking about and listening to how
information flows through your place of work
5Lets talk about the data!
- Do you need to have it?
- Can the names be removed?
- Is the information out of date? Can you purge
it?
6Are Universities Really Targets?
- Confidential student, employee, donor and medical
data have been stolen. - University computers have been used to launch
attacks on businesses and the Federal government. - Research data have been compromised.
- Networks and mail systems have been rendered
useless for days. - University computers have been confiscated by FBI
investigators.
7Universities Really Are Targets
- HACKER HITS CALIFORNIA UNIVERSITY Officials at
the University of California, Berkeley, this week
said that a hacker had compromised the
university's computer system and gained access to
records on 1.4 million individuals in research
database. CNET, 19 October 2004 - VITAL FILES EXPOSED IN GMU HACKING
- A computer hacker apparently broke into a George
Mason University database containing student and
employee Social Security numbers, leaving 32,000
people uncertain whether their finances or
identities might be compromised. Washington Post,
11 January 2005 - DRUG RECORDS, CONFIDENTIAL DATA VULNERABLEThe
confidential drug purchase histories of many
Harvard students and employees have been
available for months to any internet user, as
have the e-mail addresses of high-profile
undergraduates whose contact information the
University legally must conceal, a Crimson
investigation has found. Harvard Crimson, 21
January 2005 - HACKERS TARGET BOSTON COLLEGE ALUMNI DATABASE A
computer at Boston College with access to an
alumni database has been found to be infected
with a virus that may have exposed personal
information on more than 100,000 individuals.
ZDNet, 17 March 2005 - STOLEN A LAPTOP AND 100,000 IDENTITIESSomeone
brazenly walked into the graduate division of the
University of California at Berkeley two weeks
ago and stole a laptop. The thief walked off not
only with a nifty technological device but also
key identifying information - including Social
Security numbers of nearly 98,369 people who
either were or applied to be graduate students at
Berkeley between 1976 and last year. Inside
Higher Ed, 29 March 2005 - U. OF MISSISSIPPI WEB PAGE SHOWED PERSONAL DATA
Officials at the University of Mississippi have
removed files from their servers that included
names and Social Security numbers for about 700
students after being notified that the files were
available to anyone on the Web. MSNBC, 6 April
2005
8How Might You Be Personally Affected?
- You could lose access to the University's network
and the Internet while a security breach is being
investigated. - Keep in mind that computer attacks are crimes,
and people can easily become unwilling
accomplices just as they can be with other
crimes. If your computer is used by someone else
to commit a crime, you could find the FBI
knocking on your door the next day. It happens,
and it is serious business.
9Types of Legally Protected DataHIPAA, FERPA,
GLBA
- Health Insurance Portability and Accountability
Act Security Rule Privacy Rule -
http//www.itc.virginia.edu/security/riskmanagemen
t/appendixD.html - Family Educational Rights and Privacy Act -
http//www.itc.virginia.edu/security/riskmanagemen
t/appendixF.html - Gramm-Leach-Bliley Act - http//www.itc.virginia.e
du/security/riskmanagement/appendixE.html
10HIPAA
- Does your department handle medical information
that is combined in any way with a personal
health identifiers (PHI)?
11PHI Personal Health Identifiers
- Names
- All geographic subdivisions smaller than a
State - All elements of dates (except year) for dates
directly related to an individual - Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers,
including license plate numbers - Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and
voice prints - Full face photographic images and any
comparable images and - Any other unique identifying number,
characteristic, or code
12FERPA the protected list
- Information such as grades, courses, days and
times of course meetings, withdrawals,
suspension, and month and day of birth, CANNOT be
disclosed without the students permission. Such
information needs to be protected not only from
external release, but also protected from access
by those within the University who do not have an
authorized, job-related need to see it.
13FERPA the allowed list
- student name
- home and school addresses, telephone numbers,
e-mail address - year of birth
- country of citizenship
- major(s)
- school of enrollment
- full or part-time status
- year in school
- participation in officially-recognized activities
and sports - dates of attendance
- degrees, honors, scholarships, and awards
received - most recent previous educational institution
attended - names of parents or guardians
- and weight and height of members of athletic
teams.
14Examples of legally protected data and actions to
take
- Example A researcher in your department has
recently received a grant to study foot injury
induced by falling laptops. As a matter of
course, NIH, who is funding the study, has given
your researcher a record set containing names,
social security numbers, patient numbers, types
of injuries, and treatments. What should you do?
15Examples of legally protected data and actions to
take
- Recommendation Ask the researcher if she can
remove the names from the records thus
de-identifying data. If so, HIPAA regulations do
not apply. If names must be there, then the full
weight of the regulation applies. You will need
to track this data. If you decide to keep it
housed in your department, you must know where it
resides and if the researcher has any plans to
move or copy it for whatever reason. For example,
if the data is moved/copied to laptop for a
presentation, the laptop must be secure making
sure the data is removed from the laptop when the
presentation is over. Further, the researcher
must log on to the laptop as a unique user. Also,
this data must be backed up.
16Examples of legally protected data and actions to
take
- Example A professor has asked you to do some
statistical analysis on the grades of his
students. He gives you a thumb drive with the
record sets which include name, social security
number, course, day and time of class, and birth
date. You take the drive and copy the contents on
to your workstation and perform the analysis. You
copy the analysis to the thumb drive and return
it to the professor. What should you do?
17Examples of legally protected data and actions to
take
- Recommendation According to FERPA, grades,
courses, days and times of course meetings,
withdrawals, suspensions, and month and day of
birth cannot be released without the student's
permission. So, by the nature of the data, you
have legally protected data. The professor's
workstation, as does yours, needs to be protected
with a strong password that is periodically
changed. Even better if the professor is working
off of a networked share on a server that you
maintain. Your server must be located in a
physically secure area. Any system that houses
this data must be patched in a timely manner with
software updates and new virus definitions. Any
system that houses this data must require a
unique identifier associated with one person. The
thumb drive needs to have this data removed after
the professor has finished using it. Also, when
the thumb drive is at end of life, it must be
disposed of properly. For more information about
hardware disposal, see Electronic Data Removal
Policy and Procedures.
18You CAN Really Make a Difference
- Become familiar with threats and safeguards
- Take security awareness training
(https//whois.virginia.edu/security) - Use safe computing practices
- Follow ITCs Device Requirements
(http//www.itc.security/device-requirements.html
) - Take physical security precautions as well
- Diligently safeguard sensitive data
- Dont store sensitive data on laptop or desktop
computer hard drives or removable media - If you must access the data, use the secure VPN
or encrypt it - Properly dispose of hard drives and removable
media - Protect home computers as well
- Understand each employees responsibility to
abide by University computing policies and
relevant laws and regulations. If unsure what
this means, ask questions.
19How is the University Responding?
- Risk Management Program
- IT Auditing Group
- Inventory of Sensitive Data
- Online Training Tool - https//whois.virginia.edu
/cgi-ruby/itsaquiz