The Importance of Securing Electronic Data

Much of the data stored or transmitted via Whitman's computing equipment is confidential. Unauthorized access to this data may constitute a violation of federal statutes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Graham-Leach-Bliley Act (GLB), and other laws designed to protect privacy. A breach in data security that compromises personal information can lead to identity theft, putting members of the Whitman community at risk and exposing the College to litigation. Unauthorized access to other confidential data, though not usable for identity theft, may nonetheless have serious legal, financial, or public relations implications for the College.

Preventing Electronic Data Breaches

The task of protecting confidential electronic data is shared by all members of the Whitman community who have authorized access to such data. In general, confidential data should not be accessed, copied, stored, downloaded, transmitted, or used unless it is essential to do so to conduct College business.

Confidential data should not be stored on laptops or other mobile devices for longer than necessary and should be encrypted at all times when not actually in use. Devices that contain confidential data, whether mobile or not, should be secured by strong authentication (e.g., multiple levels of passwords) as well as by physical means (security cables, locked cabinets, etc.). Mobile devices should not be put into checked luggage when traveling.

The Chain of Responsibility

Under certain circumstances, confidential electronic data –– such as student names, email addresses, or other information –– may need to be conveyed to individuals or groups who are not employees of the College. These may be vendors, contractors, professional organizations, (internal) student organizations, or others. In these circumstances, the College must require the recipient of the data to abide by the same (or stricter) guidelines to protect the data from unauthorized access or abuse. This chain of responsibility must extend to any third parties (or beyond) to whom the confidential data might be further conveyed.

Responding to Data Security Breaches

Despite explicit guidelines for securing confidential electronic data, breaches can still occur. At such times, it is important that the College respond as quickly and as professionally as possible. Computer thefts, should be reported immediately to Office of Information Technology (ext. 5415 or 509-527-5415). Steps that Office of Information Technology will take in the event of a data security breach are as follows:

1. Determination of the nature and scope of a breach

Identification of the person reporting the breach (name, contact info, etc.)
Record of the location, timeframe, and apparent cause of the breach
Preliminary identification of confidential data that may be at risk

2. Communication about breach to authorized individuals

Chief Information Officer
Director of Security (if physical entry or hardware are involved)
President and senior officers (depending on severity of data compromised)
Law enforcement (depending on the nature/magnitude of theft)
Legal counsel (depending on severity of data compromised)

3. Investigation of breach

Confirmation/inventory of confidential materials at risk
Security measures that were defeated or circumvented
Forensic evidence
Likelihood of recovering data (or stolen equipment)
Utilize outside assistance if needed

4. Assessment of breach

Password changes and other security measures to prevent further breaches
Identify individuals affected by the breach (e.g., those whose loss of confidential information may put them at risk of identity theft or other adverse consequences)

5. Remediation

Determine if lost data can be restored from backups; take appropriate steps
Determine if lost data can be neutralized by changing account access, ID information, and taking other steps

6. Notification of breach - senior officers and CIO will determine need and method(s) to:

Notify affected individuals
Notify Whitman community
Notify public

Guidelines for Community and Public Notifications

If senior officers and the CIO determine that community and/or public notifications are indicated, the president––or a person designated by the president to serve as spokesperson––will convey information and answer questions about the incident. Others should refer all questions to the president or designated spokesperson.

Communications will cover the following points:

Nature and scope of missing data (e.g., alumni contact information, etc.)
General circumstances of the breach (e.g., stolen laptop, hacked database etc.)
Rough timeline of the breach (e.g., date)
Steps the college has taken to investigate and assess the breach
Involvement of law enforcement or other third parties
Knowledge of any misuse of the missing data
Steps that affected individuals may wish to take
Steps that the college is taking to prevent future breaches of this nature

Post-Incident Follow-Up

In the wake of a serious data security breach, Office of Information Technology will:

Ensure that missing data (e.g., passwords) cannot be used to access further information or cause harm in other ways to Whitman's electronic or other resources;
Pursue all reasonable means to recover the lost data
Modify procedures, software, equipment, etc., as needed to prevent future data breaches of a similar nature;
Take appropriate actions if personnel negligence caused or contributed to the incident.

Adapted with permission from Reed College Computing & Information Services http://web.reed.edu/cis/policies/incident_response.html

Related articles

Browser not supported