Too often, leaders at higher education institutions think of data security as strictly an IT department concern. Secure networks are vital, but the truth is that the loss, theft, or misuse of sensitive personal information (SPI) can happen anywhere on campus.
A college or university is a multi-faceted organization. Think of all the areas on campus and the types of data handled there regularly: admissions office, financial aid office, health clinic, campus security, alumni/donor relations, sports programs, libraries, career center, classrooms, research centers, housing facilities, bookstores, food services, and counseling centers. The types of data they collect run the gamut: Social Security numbers; health history; financial records; resumes; counseling records; research data; and educational information for students, faculty, staff, and perhaps others.
Now think of the open atmosphere of a campus. Employees, students, visitors, and vendors have access to the campus. Do they also have access to SPI?
In fact, there are a number of “data theft hot spots” that aren’t secured behind a firewall. They may not even be secured behind a locked door. According to a 2008 Ponemon study, over 88 percent of all breach cases reviewed resulted from insider negligence.
Here are seven primary data theft hot spots and what college and university leaders should do to protect them:
Laptops, Thumb Drives, and Other Portable Devices
Why They’re Hot: Laptops, thumb drives, and similar portable equipment can hold a lot of SPI, often unencrypted, about your institution, its staff, and students and their parents (think financial aid records). They also provide a gateway to your servers, where a far greater amount of data is stored.
How to Minimize Your Risk: First, make sure the data on every laptop and removable drive is encrypted (full-disk encryption, not just a login password, since a password alone does nothing to protect a drive pulled from a stolen laptop) and that every computer requires a password and locks its screen when idle. Then implement a policy for laptops and thumb drives that spells out what type of information may be stored on them and reminds employees to purge data they no longer need. Under the Family Educational Rights and Privacy Act (FERPA), schools must protect the confidentiality of certain personally identifiable information in education records. Make sure faculty and staff understand the compliance risks associated with this particular hot spot.
The Campus Intranet
Why They’re Hot: Employees, and sometimes students, inadvertently post SPI to shared areas of the school’s intranet, making it accessible to people who are not authorized to view it.
How to Minimize Your Risk: Educate everyone with intranet access on how to save files to a secure area and how to restrict access to their own files, and have IT periodically check shared folders for permissions that are broader than they need to be. Many of the breaches suffered by universities were the result of someone looking for one file and happening upon others full of SPI.
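The intranet exposure described above is the kind of thing a periodic automated check can catch. The following is an added example, not code from the original article: a small Python audit script that walks a shared folder and reports files that are readable by more than their owner and that contain SSN-like strings. The directory layout, file names, and SSN values are constructed for the demonstration; the SSN regex is a deliberately simple approximation, and a real scan would use the institution's own data-loss-prevention patterns and check the access control lists of the actual file server rather than POSIX mode bits.

```python
"""Audit a shared folder for broadly readable files that contain SSN-like strings.

Added example for illustration; the sample share built below is constructed, not real data.
"""
from __future__ import annotations

import re
import stat
import tempfile
from pathlib import Path

# Assumption: SPI is approximated by US Social Security numbers written as 123-45-6789.
# The lookaheads drop area numbers 000, 666 and 9xx, group 00 and serial 0000, which are
# never issued, to cut down on false positives from phone numbers and reference codes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def is_broadly_readable(path: Path) -> bool:
    """True if the POSIX mode grants read to group or other, i.e. beyond the owner."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_spi(root: Path) -> list[dict[str, object]]:
    """Return one finding per file under root that is broadly readable and contains SSNs.

    Files that hold SSNs but are owner-only are *not* reported: the hot spot is the
    combination of sensitive content and over-broad access, not the content alone.
    """
    findings: list[dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable by the scanner itself; nothing to report here
        hits = SSN_RE.findall(text)
        if hits and is_broadly_readable(path):
            findings.append(
                {"path": path.relative_to(root).as_posix(), "ssn_count": len(hits)}
            )
    return findings


def build_sample_share(root: Path) -> None:
    """Constructed sample intranet share. All names and numbers are made up."""
    # A grade sheet saved to a shared folder with default permissions: the classic slip.
    grades = root / "grades_posted.txt"
    grades.write_text(
        "Student,SSN,Grade\nA. Example,123-45-6789,B+\nB. Example,234-56-7890,A\n"
    )
    grades.chmod(0o644)

    # Financial aid data that *was* saved correctly: owner-only, so no finding.
    aid_dir = root / "financial_aid"
    aid_dir.mkdir()
    awards = aid_dir / "awards.csv"
    awards.write_text("Name,SSN,Award\nC. Example,345-67-8901,Pell Grant\n")
    awards.chmod(0o600)

    # A public document with number-like strings that must not trigger a false positive.
    syllabus = root / "syllabus.txt"
    syllabus.write_text("Office hours Tue 2-4. Room 555-1234. Course ref 000-12-3456.\n")
    syllabus.chmod(0o644)


def demo() -> list[dict[str, object]]:
    """Build the sample share in a temp directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return find_exposed_spi(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"EXPOSED: {finding['path']} ({finding['ssn_count']} SSN-like values)")
```

Run as a script it reports only grades_posted.txt; the financial aid file holds the same kind of data but is owner-only, and the syllabus has number strings that the regex rejects. To use it for a real periodic check, point find_exposed_spi at a mounted share, keeping in mind that POSIX mode bits do not capture Windows ACLs or SharePoint sharing settings.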
Desks and Workspaces
Why They’re Hot: Staff members often leave large amounts of SPI piled on the desk or in unlocked drawers, offering easy access to a thief. Professors post grades, leave out an open stack of graded papers for students to pick up, or use student assistants to post grades.
How to Minimize Your Risk: With the recent clarifications to the FERPA regulations, colleges and universities are becoming more sensitive to this particular hot spot. Go further than simply posting policies on your institution’s website. Implement a “clean desk” policy across your campus so that no SPI is left unsecured when a workspace is unattended. Perform periodic audits to ensure that all workspaces are secure and that locks are in good working order; broken locks and lost keys should be replaced promptly, and employees should be encouraged to report such incidents as quickly as possible. These sound practices easily fall by the wayside over time, so offer employees a refresher periodically.
Filing Cabinets
Why They’re Hot: Filing cabinets are often the storage of choice for hard-copy records containing employee, student, and vendor SPI. Failing to lock the cabinets, even when they sit in a secured area, increases the chance that this sensitive information gets into the wrong hands.
How to Minimize Your Risk: The short and obvious answer is to lock them, but take your solution a step further by regularly reviewing the files they contain and properly disposing of any information you no longer need. Why should your admissions office archive the SPI of applicants who weren’t accepted? Reconsider your policy on what information your institution collects in the first place: if you don’t have it, you can’t lose it. Locking down SPI also sends employees the message that this is valuable data and should be treated as such.
E-mail and Fax
Why They’re Hot: Outbound SPI is always vulnerable because the sender no longer controls it once it leaves. Unencrypted data in transit can be intercepted, and even inbound information (faxes left on the machine for anyone to pick up, or incoming e-mails left in view at an unlocked computer) can pose a problem.
How to Minimize Your Risk: Make sure all employees understand what kinds of SPI can and cannot be sent by e-mail or fax. If certain SPI must be sent by e-mail, have employees send it in an encrypted, password-protected document, with the password delivered through a separate channel such as a phone call rather than in the same message, and make sure all electronic correspondence carries your institution’s privacy clause. Keep in mind that a password-protected attachment is only as strong as the application’s encryption and the password chosen; where the institution offers a secure file-transfer service, prefer it. Remind your employees that e-mails are retrievable records subject to discovery in a court case.
The Mailroom
Why They’re Hot: Plenty of SPI comes and goes through the mailroom, making it a target for internal and, depending on the level of physical security, external threats.
How to Minimize Your Risk: In the last few years, mailroom security has become more important as higher ed institutions work to keep employees safe should dangerous substances be sent through the mail. Generally speaking, your safety plan will contain elements that are useful for securing SPI too. Avoid placing new hires in the mailroom; restrict mailroom access and log who enters with keycards or sign-in sheets; and make sure mail deliveries go to a secure, restricted area. When preparing mass mailings, make sure that sensitive information such as SSNs is not part of the mailing label or otherwise visible from outside the envelope.
Trash and Recycling
Why It’s Hot: Outbound data doesn’t need a destination to be vulnerable: SPI that is being thrown away can be stolen too.
How to Minimize Your Risk: Make sure shredders or locked disposal bins are readily available so that employees have no excuse not to dispose of sensitive information safely. To avoid confusion, train all staff members on what constitutes sensitive information and how they should dispose of it, and make sure the rule covers paper recycling as well as trash. One Canadian university accidentally breached its students’ privacy when employees decided to reuse paper collected on campus: they converted the paper into notebooks so the clean sides could be used, but some of the sheets carried students’ personal information on the other side.
According to data gathered by the Open Security Foundation (http://opensecurityfoundation.org), since 2003 more than 488 academic institutions have reported data breaches exposing the sensitive information of at least 11,227,341 individuals. A review of current data security practices, and appropriate changes to policy, can reduce the risk that your institution will suffer a compromise of sensitive personal information, with its often severe repercussions.
Brian Lapidus is chief operating officer at Kroll Fraud Solutions, a company specializing in data breach and identity theft discovery, investigation, and restoration.