Protecting Sensitive Data is Everyone’s Responsibility
Improper disclosures of sensitive data can cause harm and embarrassment to students, faculty, and staff, and immeasurable damage to the image and reputation of the institution. It is in everyone’s interest to ensure that the institution’s sensitive data is appropriately protected. It is also everyone’s responsibility to safeguard such data. Some examples of sensitive data are:
- Social Security numbers (SSN)
- Credit card numbers
- Driver's license numbers
- Personally identifiable patient information
- Personally identifiable clinical trial enrollee information
- Personally identifiable student information
- Personally identifiable employee information
- Personally identifiable donor information
- Proprietary research data
- Confidential legal data
- Confidential financial data
- Other proprietary data that should not be shared with the public
Federal and state laws and regulations such as HIPAA, FERPA, PCI, GLBA, and Florida Statute § 817.5681 (Florida data breach law) mandate the protection of different types of sensitive data. The following are some guidelines for protecting such data.
Do not download or copy sensitive data from University servers to your PC, PDA, laptop, etc. unless absolutely required and you have documented permission to do so from appropriate University management.
If there are no viable alternatives to copying or downloading data from University systems, additional security controls must be implemented:
- Remove the confidential part of the information from the data if possible (e.g., SSN, credit card number).
- Store the data on a secure server managed by your authorized IT support group. Be especially cautious with web servers and creating your own file shares, whereby such data may be inadvertently accessible by unauthorized individuals.
- Always use some form of encryption (or at the very minimum, password protection) if you absolutely must store sensitive data on portable devices such as PDAs, USB drives, laptops, etc. Keep the data on such a device only for the shortest time period you need to accomplish your task.
- Physically secure devices that can be easily moved, such as laptops, portable USB drives, backup tapes, etc. There have been many reported cases of such devices being lost with sensitive data. Ignorance is no longer an excuse.
Do not create databases or applications that use SSN as identifiers unless there is an unavoidable business need. Whenever possible, create a unique identifier that does not use SSN.
If you are storing sensitive data elements such as SSN, then restrict access to only those workforce members whose job function absolutely requires access to such sensitive data.
Do not send unencrypted sensitive data via email. Email messages can be intercepted by third parties or mistakenly sent to the wrong address.
Never download or copy sensitive data to your home computer.
Never store unencrypted sensitive data on a portable device.
Do not transmit unencrypted sensitive data outside the University of Miami computer network, e.g. by using FTP or submitting data through an insecure web site. Contact your IT support group for recommended, secure practices for electronic transmission of sensitive data.
Protect printed sensitive data. Secure sensitive data in a locked desk, drawer, or cabinet. Don’t leave sensitive data unattended on a copier, fax, printer, or in any other unsecured area.
When disposing of or transferring ownership of PCs, CDs, backup tapes, and any other form of electronic storage, make sure any sensitive data is irretrievably deleted.
Posted: September 13, 2007