September 2005 IT News


Private Sensitive Data: Rules on Keeping and Accessing It

In the last several months, there have been reports of the loss or exposure of personal information affecting almost 2.7 million students, faculty, staff, alumni and individuals affiliated with other U.S. colleges and universities. This past summer, a University of Utah campus department computer was compromised, potentially exposing the names and Social Security Numbers of approximately one hundred thousand former and some current University employees. Such events expose the University’s friends and associates to an increased risk of identity theft and they anger and frustrate those individuals as they take precautions to protect themselves from potential fraud. These events negatively impact the University’s reputation, cost tens of thousands of dollars, consume hundreds of man hours, and waste other valuable University resources.

The University of Utah's administration has taken steps to protect private, sensitive data, meaning information that could potentially identify someone, residing in central systems and to restrict access only to those individuals who require such information to perform their duties. Most campus IT professionals take the same precautions. However, as the recent incident shows, our campus is not immune from attack, especially those that may result from insecure computers and personal missteps.

The University Information Technology Resource Security Policy (PPM 1-18) states that "Users of IT Resources must not knowingly retain on personal computers, servers, or other computing devices, Private Sensitive Information, such as Social Security Numbers, financial information including credit card numbers and bank information, or protected health information, including health records and medical information" unless specifically approved by the Dean, Department Chair, or Vice President, and only when absolutely necessary to perform one's official duties. For more information on the IT Resource Security Policy, see the IT Security Policy presentation (ppt).

Several top administrators sent a memo to all faculty and staff in June 2005 with information about the IT Resource Security Policy and how to identify whether your department may be overlooking steps to secure private, sensitive data. This issue is so important that another campus memo was sent out this month. Please ask yourself and others in your department the following questions. If the answer to any of them is yes, contact the Information Security Office at 585-1012 or the ISO email address for information on best practices and/or to schedule an information security audit.

  • Do I store anyone's personal information, including my own, on my personal computer, PDA, or in paper form?
  • Does our department use Social Security Numbers on forms or applications when unique identifiers such as Employee ID or uNID are sufficient?
  • Do administrative support people store credit card information on computers in order to make hotel and other travel arrangements for our faculty and staff?
  • Do we store conference registration or other e-commerce transaction information that may include Social Security Numbers or credit card numbers?
  • Do we store prospective student or alumni information that may contain Social Security Numbers?
  • Do we store vendor, contractor, or consultant information that may contain Social Security Numbers or financial information?
  • Do we generate and store PeopleSoft reports that contain sensitive personal information?
  • Am I unsure whether my own or my personal assistant's password is secure?
  • Is it possible that my own desktop or laptop computer could be electronically or physically accessed or stolen by undesirable individuals?

If you work in the Health Sciences Center, please contact the Privacy and Information Security Office at the HSC email address or 587-9241 for recommendations based on HIPAA Privacy and Security requirements.

The article below also provides links to some basic computer security steps to protect personal information.


Basic Computer Safety - at Work and Home

Did you know that when you connect a computer to the Internet, hackers typically scan it within a few minutes to discover whether or not it is secure? There are a number of basic steps that every computer user can and should take to make their computers safer.

1. Keep your operating system and software applications up to date and patched, and check for Microsoft patches and updates regularly.

2. Use good password policies to keep your system secure.

3. Protect your desktop computer or laptop with anti-virus, anti-spyware, and firewall products.

4. Avoid Phishing scams & protect your identity.

5. Know what information is on your computer, and whether private sensitive data could be found there. Follow the requirements of PPM 1-18. This is every campus member's responsibility.
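As an added example that is not part of the original article: a small Python scanner in the spirit of step 5, which checks a file's text for plausibly formatted Social Security Numbers and Luhn-valid payment card numbers and reports each hit masked, so the report itself does not become another copy of the data. The sample text and every value in it are constructed; the function and field names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample of a file a department might have kept; every value is fake.
SAMPLE_TEXT = """Employee roster export (constructed sample)
Jane Doe, SSN 219-09-9999, phone 801-555-0100
Travel card for J. Smith: 4111 1111 1111 1111 exp 09/07
Not SSNs: 000-12-3456, 666-12-3456, 912-34-5678, 123-00-4567, 123-45-0000
Not a card (fails Luhn): 1234 5678 9012 3456
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never issues."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return masked findings (never the full value) with their line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append({"line": lineno, "kind": "ssn", "masked": "***-**-" + m.group(3)})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append({"line": lineno, "kind": "card", "masked": masked})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

Pattern matching alone over-reports, which is why the area/group/serial rules and the Luhn check are applied before anything is listed; a real audit would run the same logic over each file in a directory tree.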

More information on University guidelines, resources, and policies for safe computing practices can be found on the OIT Basic Computer Safety page.