Properly Classify and Handle Sensitive Data at Longwood University
Learn how Longwood University classifies data into public, internal, and restricted categories based on sensitivity levels. Discover examples of restricted data such as Personally Identifiable Information (PII) and Personal Health Information (PHI), alongside the importance of complying with regulations like FERPA.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Data Security HOW TO PROPERLY CLASSIFY AND HANDLE LONGWOOD S DATA
Classifying Data We developed three categories to identify the sensitivity of the university's data. Sensitivity is how likely it is that the data will compromise the three principles of security: confidentiality, integrity, and availability. Public Data is the least sensitive information. Internal Data is moderately sensitive information. Restricted Data is highly sensitive information for which an unauthorized disclosure may result in identity theft or university liability for costs or damages under laws, government regulations or contract.
Internal Data: FERPA The Family Educational Rights and Privacy Act (FERPA): The purpose of this act is to protect the privacy rights of student educational records and to ensure the accuracy of those records. We must start observing these regulations as soon as a student registers for a class. Please know the difference between directory information and non-directory information and what can be disclosed. See the Registrar for more information. Security of records is your responsibility: Physical Security: Desktop, laptop, portable devices, including flash drives and your office Electronic Security: Wireless, using a network, working from home or on the web Communication Tools: Employee-owned communication tools
Examples of Restricted Data The first example of restricted data is Personally Identifiable Information, or PII, as defined by the Code of Virginia. PII consists of a person s first name or first initial and last name in combination with: 1. Social Security Number 2. Driver s License Number 3. State Identification Card Number 4. Financial Account or Credit or Debit Card Number (in combination with codes or passwords that would permit access) 5. Passport Number 6. Military Identification Number Note: A taxpayer identification number in combination with the income tax withheld for that taxpayer is also PII.
Examples of Restricted Data The second example of restricted data is Personal Health Information, or PHI, as defined by the Code of Virginia. PHI consists of a person s first name or first initial and last name in combination with: 1. Medical or Mental Health History 2. Mental or Physical Condition 3. Medical Treatment or Diagnosis by a Health Care Professional 4. Health Insurance Policy Number 5. Subscriber Identification Number 6. Any Unique Identifier Used by a Health Insurer to Identify the Individual 7. Any Information in an Individual s Application and Claims History, Including Appeals Records Note: In cases where HIPAA data is involved, the Code of Virginia would defer to HIPAA.
Examples of Restricted Data Other regulations, laws and standards that enumerate restricted data include: HIPAA: The Health Insurance Portability and Accountability Act GLBA: The Gramm-Leach-Bliley Act PCI DSS: Payment Card Industry Data Security Standards
Examples of Restricted Data Remember that the following count as restricted data: Social Security Numbers with Names Personal Donor Information Immigration and Visa Information US Passport Copies I-9 Medical Records Your Password and LancerNet ID
Handling Data There are three ways to handle data: storage, transmission, and disposal. How you handle data depends on how the data is classified: Public: Store or send electronic or physical data as you wish. Dispose of it at regular intervals. Internal: Store electronic data on a server or on your hard drive; store physical data in a secure location, such as a locked file cabinet. Restricted: The storage, transmission, and disposal of restricted data is very important. We will discuss each concept in detail.
Storing Restricted Data You might have electronic restricted data on your hard drive or in your email. To handle this data: 1. Remove It: If it is in your email, even as an attachment, you should completely remove it. Delete it from your Sent and Trash folders. 2. Move It: Move it to a Longwood server, such as a shared drive or your B: drive. Note: Physical restricted data should be stored in a secure location, such as a locked file cabinet.
Storing Restricted Data (Cont.) You should store restricted data on a Longwood server. Servers are a secure location and the data on them is backed up regularly. If you absolutely need to keep restricted data anywhere else, you can use a program such as Microsoft Office to encrypt the data. If you cannot use a program to encrypt your data for storage, contact the Help Desk to discuss other options. Note: Because you need a key to read a file after it is encrypted, you should use encryption carefully.
Transmitting Restricted Data If you need to send restricted data such as a list of names and SSNs to someone else, keep these rules in mind: Do NOT email the data off campus unless you are using a method of encryption. You can transmit encrypted electronic data in two ways: Program: If you send encrypted data infrequently, use a program, such as Microsoft Office or Adobe Acrobat, to encrypt the file and then send it. Secure Email: If you send encrypted data frequently, ask your supervisor to send an email to the Help Desk requesting that your name be added to a list of people who can send secure email. Note: It is best to share the encryption password with the recipient of your file over the phone. Remember to delete the file from your sent folder and from your trash after you send it!
Disposing of Restricted Data To dispose of restricted electronic data: Erase It: Use the Eraser software, available when you right-click in your Windows Explorer, to completely remove the file. Redact It: Use the delete key to remove enough information so that the data is no longer restricted. Encrypt It: Once data is encrypted, it is no longer restricted. To dispose of restricted physical data, redact, shred, or destroy it.
If you do nothing Here are some potential consequences of unauthorized disclosure of restricted data: FINES: A potential fine, levied by the Commonwealth, up to $150,000 per breach. Other entities may also levy fines. REPUTATION: A potential blow on state and local media. CUSTOMER SATISFACTION: A potential increase in phone calls, emails and general customer relations as the university community wonders "Was my data breached?"
