Protecting Sensitive Data
The Commonwealth of Massachusetts has adopted a new data security law (Chapter 93H of the Massachusetts General Laws of 2007). This new law defines Personally Identifiable Information (PII) and requires that institutions notify individuals immediately whose information has been compromised as a result of a Security breach. In addition there are a few federal regulations such as FERPA and HIPPA that would apply to certain data processed, transmitted, and/or collected at Bridgewater State University. As per these regulations, such information must be protected from un-authorized disclosure by applying appropriate security controls.
What is confidential data?
Data in this category constitutes information that is private in nature and is mandated by certain legislations that we provide a standard level of privacy and security. Such security includes restricted access, encryption, and securing networks associated with processing or transmitting such information.
a. Personal Identifiable Information (PII): As per the new data security law (Chapter 93H of the Massachusetts General Laws of 2007) PII data is a combination of a user's name and their a) Social Security Number (SSN) or b) Drivers license number or Mass ID or c) financial account number, credit or debit card number (with or without password or PIN, password or personal ID number that would grant account access). BUT NOT information lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
b. Health Information (HIPPA): As per the Health Insurance Portability and Accountability Act (HIPPA), this is information pertaining to a user's physical and mental health, treatment details (past, present and future), insurance information and information on payment of health care services.
c. Academic and Educational records (FERPA):
Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student's educational records.
Please refer to the Data Classification Standard
for more information.
Bridgewater State University's efforts towards protecting sensitive data
It is a Bridgewater State University (BSU) policy that BSU employees must not store confidential information on their local computer hard drives. Instead, sensitive data must be stored in a secure, restricted location on the G drive. Please make yourself aware of the Confidential Data Policy
In order to protect confidential information under the University's stewardship while complying with above mentioned regulations, Information Security at Bridgewater State University has begun certain initiatives.
As a part of these initiatives IT Security staff will scan all:
- Network Shares (G drive)
- University owned websites
- University Affiliated websites
- Hard drives of University owned notebook computers
- Servers on BSU network
- Database applications on BSU network
This is an initiative to identify all confidential and private data stored in various locations on Bridgewater State University infrastructure. For more information about the software used to scan for PII visit the Identity Finder at BSU page!
Network share encryption:
Bridgewater State University has acquired an encryption platform for encrypting identified confidential information. The encryption system is centrally managed and BSU users who need access to confidential information must access it using the encryption platform. Ultimately, confidential data will be encrypted and access will be restricted to identified BSU employees upon completion of an access request and verification process. Access will be granted on a need to know basis.
To help protect confidential information and comply with the new state law we would like you to do the following:
- Inspect all files under your control with PII information
- Move all files with PII data into the "Secure_folder", located within the Department folder in your G drive.
- Move all files without PII data which should be restricted to the "Department" folder located within your G drive
- Move all files without PII data that need to be accessed by your student workers into the "Community" folder
- Move all files that need to be securely deleted to the "Delete_Items" folder located within the "Department" folder in your G drive. IT will securely delete all of these files. Once you have moved the files for deletion, please contact IT Support Services at 508.531.2555 and open an ITS ticket to have IT staff delete the contents of your departments "Delete_Items" folder.
To gain access to secure or encrypted confidential information please contact IT Support Services at 508.531.2555 and open an ITS ticket. You will be asked to complete this access request form
. Once we receive the ticket number and completed access request form, we will review it and contact you. If approved, IT staff will work with you to establish secure access to confidential data.
Whole disk encryption:
In another initiative to protect sensitive information, whole disk encryption is being deployed to University-owned notebook computers. Data is encrypted only if the notebook (with whole disk encryption) is stolen or lost in a shutdown state. Whole disk encryption clients will be automatically installed on all new faculty and staff University-owned notebook computers. As for the existing notebooks, due to limited licenses, the client will be installed on a case by case basis once we determine if the notebook is able to support the whole disk encryption program and the nature of data stored.
For all laptops that have the client already installed, you will have to register with the central server and then start the encryption process. Once the whole disk has been encrypted all data is secure if the laptop is lost in a shutdown state.
You will have to use your BSU email password to log in to your notebook computer. In an event that you forget your password we will be able to provide you with a onetime token to unlock your account. This token will allow you to log in to your laptop and reset your password. This token will not be provided over the phone or via email. You must come in person with your notebook computer.
Caution: Encryption is great if you are storing or communicating sensitive information. However, if you lose the encryption key IT will not be able to recover your data. If you need to encrypt sensitive data please contact the IT Service Desk at extension 2555 or firstname.lastname@example.org.