Legally Protected and Sensitive Data

1
Legally Protected and Sensitive Data

• Know Your Data

2
Embarrassed? Nah!

• Doh! The Most Disastrous E-Mail Mistakes
  http//pcworld.about.com/news/Apr292002id93283.htm
  
• Dumb and dumber moments in tech
  http//www.cnn.com/2004/TECH/ptech/02/05/bus2.feat
  .dumbest.moments/
• Dumb business moments http//blog.seattlepi.nwsour
  ce.com/buzz/archives/004236.html
• Where the Hell is My Laptop? http//www.business2.
  com/b2/web/articles/0,17863,513164,00.html

3
Bermuda Triangle
4
Information Flow in Your Workplace

• Take off your techie hat
• Put on your data hat
• Start thinking about and listening to how
  information flows through your place of work

5
Lets talk about the data!

• Do you need to have it?
• Can the names be removed?
• Is the information out of date? Can you purge
  it?

6
Are Universities Really Targets?

• Confidential student, employee, donor and medical
  data have been stolen.
• University computers have been used to launch
  attacks on businesses and the Federal government.
• Research data have been compromised.
• Networks and mail systems have been rendered
  useless for days.
• University computers have been confiscated by FBI
  investigators.

7
Universities Really Are Targets

• HACKER HITS CALIFORNIA UNIVERSITY Officials at
  the University of California, Berkeley, this week
  said that a hacker had compromised the
  university's computer system and gained access to
  records on 1.4 million individuals in research
  database. CNET, 19 October 2004
• VITAL FILES EXPOSED IN GMU HACKING
• A computer hacker apparently broke into a George
  Mason University database containing student and
  employee Social Security numbers, leaving 32,000
  people uncertain whether their finances or
  identities might be compromised. Washington Post,
  11 January 2005
• DRUG RECORDS, CONFIDENTIAL DATA VULNERABLEThe
  confidential drug purchase histories of many
  Harvard students and employees have been
  available for months to any internet user, as
  have the e-mail addresses of high-profile
  undergraduates whose contact information the
  University legally must conceal, a Crimson
  investigation has found. Harvard Crimson, 21
  January 2005
• HACKERS TARGET BOSTON COLLEGE ALUMNI DATABASE A
  computer at Boston College with access to an
  alumni database has been found to be infected
  with a virus that may have exposed personal
  information on more than 100,000 individuals.
  ZDNet, 17 March 2005
• STOLEN A LAPTOP AND 100,000 IDENTITIESSomeone
  brazenly walked into the graduate division of the
  University of California at Berkeley two weeks
  ago and stole a laptop. The thief walked off not
  only with a nifty technological device but also
  key identifying information - including Social
  Security numbers of nearly 98,369 people who
  either were or applied to be graduate students at
  Berkeley between 1976 and last year. Inside
  Higher Ed, 29 March 2005
• U. OF MISSISSIPPI WEB PAGE SHOWED PERSONAL DATA
  Officials at the University of Mississippi have
  removed files from their servers that included
  names and Social Security numbers for about 700
  students after being notified that the files were
  available to anyone on the Web. MSNBC, 6 April
  2005

8
How Might You Be Personally Affected?

• You could lose access to the University's network
  and the Internet while a security breach is being
  investigated.
• Keep in mind that computer attacks are crimes,
  and people can easily become unwilling
  accomplices just as they can be with other
  crimes. If your computer is used by someone else
  to commit a crime, you could find the FBI
  knocking on your door the next day. It happens,
  and it is serious business.

9
Types of Legally Protected DataHIPAA, FERPA,
GLBA

• Health Insurance Portability and Accountability
  Act Security Rule Privacy Rule -
  http//www.itc.virginia.edu/security/riskmanagemen
  t/appendixD.html
• Family Educational Rights and Privacy Act -
  http//www.itc.virginia.edu/security/riskmanagemen
  t/appendixF.html
• Gramm-Leach-Bliley Act - http//www.itc.virginia.e
  du/security/riskmanagement/appendixE.html

10
HIPAA

• Does your department handle medical information
  that is combined in any way with a personal
  health identifiers (PHI)?

11
PHI Personal Health Identifiers

• Names
• All geographic subdivisions smaller than a
  State
• All elements of dates (except year) for dates
  directly related to an individual
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers,
  including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and
  voice prints
• Full face photographic images and any
  comparable images and
• Any other unique identifying number,
  characteristic, or code

12
FERPA the protected list

• Information such as grades, courses, days and
  times of course meetings, withdrawals,
  suspension, and month and day of birth, CANNOT be
  disclosed without the students permission. Such
  information needs to be protected not only from
  external release, but also protected from access
  by those within the University who do not have an
  authorized, job-related need to see it.

13
FERPA the allowed list

• student name
• home and school addresses, telephone numbers,
  e-mail address
• year of birth
• country of citizenship
• major(s)
• school of enrollment
• full or part-time status
• year in school
• participation in officially-recognized activities
  and sports
• dates of attendance
• degrees, honors, scholarships, and awards
  received
• most recent previous educational institution
  attended
• names of parents or guardians
• and weight and height of members of athletic
  teams.

14
Examples of legally protected data and actions to
take

• Example A researcher in your department has
  recently received a grant to study foot injury
  induced by falling laptops. As a matter of
  course, NIH, who is funding the study, has given
  your researcher a record set containing names,
  social security numbers, patient numbers, types
  of injuries, and treatments. What should you do?

15
Examples of legally protected data and actions to
take

• Recommendation Ask the researcher if she can
  remove the names from the records thus
  de-identifying data. If so, HIPAA regulations do
  not apply. If names must be there, then the full
  weight of the regulation applies. You will need
  to track this data. If you decide to keep it
  housed in your department, you must know where it
  resides and if the researcher has any plans to
  move or copy it for whatever reason. For example,
  if the data is moved/copied to laptop for a
  presentation, the laptop must be secure making
  sure the data is removed from the laptop when the
  presentation is over. Further, the researcher
  must log on to the laptop as a unique user. Also,
  this data must be backed up.

16
Examples of legally protected data and actions to
take

• Example A professor has asked you to do some
  statistical analysis on the grades of his
  students. He gives you a thumb drive with the
  record sets which include name, social security
  number, course, day and time of class, and birth
  date. You take the drive and copy the contents on
  to your workstation and perform the analysis. You
  copy the analysis to the thumb drive and return
  it to the professor. What should you do?

17
Examples of legally protected data and actions to
take

• Recommendation According to FERPA, grades,
  courses, days and times of course meetings,
  withdrawals, suspensions, and month and day of
  birth cannot be released without the student's
  permission. So, by the nature of the data, you
  have legally protected data. The professor's
  workstation, as does yours, needs to be protected
  with a strong password that is periodically
  changed. Even better if the professor is working
  off of a networked share on a server that you
  maintain. Your server must be located in a
  physically secure area. Any system that houses
  this data must be patched in a timely manner with
  software updates and new virus definitions. Any
  system that houses this data must require a
  unique identifier associated with one person. The
  thumb drive needs to have this data removed after
  the professor has finished using it. Also, when
  the thumb drive is at end of life, it must be
  disposed of properly. For more information about
  hardware disposal, see Electronic Data Removal
  Policy and Procedures.

18
You CAN Really Make a Difference

• Become familiar with threats and safeguards
• Take security awareness training
  (https//whois.virginia.edu/security)
• Use safe computing practices
• Follow ITCs Device Requirements
  (http//www.itc.security/device-requirements.html
  )
• Take physical security precautions as well
• Diligently safeguard sensitive data
• Dont store sensitive data on laptop or desktop
  computer hard drives or removable media
• If you must access the data, use the secure VPN
  or encrypt it
• Properly dispose of hard drives and removable
  media
• Protect home computers as well
• Understand each employees responsibility to
  abide by University computing policies and
  relevant laws and regulations. If unsure what
  this means, ask questions.

19
How is the University Responding?

• Risk Management Program
• IT Auditing Group
• Inventory of Sensitive Data
• Online Training Tool - https//whois.virginia.edu
  /cgi-ruby/itsaquiz