Managing Restricted Information
Despite your best precautions, you could join the growing ranks of those who've experienced compromised, lost or stolen computers. The loss becomes big news*, however, when personal information is jeopardized, as in these recent examples:
- A laptop with personal information on hundreds of thousands of employees is stolen from an employee's car, with files for thousands of past and present employees containing their Social Security numbers (SSNs), home addresses, phone numbers and dates of birth.
- A hard drive goes missing, containing the personally identifiable information (PII) of some three million UK driving test candidates.
- A phishing attack results in the compromise of a visitor database at a US Department of Energy facility. PII (including SSNs) of all laboratory visitors between 1990 and 2004 were in the accessed database. The phishing emails asked recipients to open attachments, which were actually malware that infected the laboratory's computer system.
- Approximately 45,000 patients treated at a California hospital are notified that their personal information had been compromised. The data was being transferred from one secure system to another during an equipment upgrade. A contractor violated hospital policy by downloading the data to a laptop computer that was later stolen.
- During a network intrusion at a university in Texas, the SSNs and other PII of some 6,000 current and former students were possibly exposed.
These stories share a common theme: compromised personal information that was inadequately protected, with risk to individuals as well as institutions.
Because of legal and business obligations, Brown is in the process of adopting a new computing policy to address the proper handling of restricted information, i.e., social security numbers, credit card numbers, driver’s license numbers, bank account numbers and medical records. Anyone whose job requires the use of Brown Restricted Information (BRI) will be required to comply with specified minimum requirements for:
- Access - BRI must have a designated data owner who authorizes access; those granted access must complete a training course; and, access controls must be documented for audit purposes.
- Storage - PII must reside on a centrally-managed server (exceptions to be reviewed and approved by IT Security).
- Transmission - An IT Security-approved transport encryption mechanism must be used when transmitting PII.
- Back ups - PII must be stored in a secure and controlled location, and encrypted if technically feasible.
- Archiving - Restricted information no longer necessary for day-to-day operations must be securely archived or destroyed.
The Policy for Handling Brown Restricted Information is currently under initial review. The Brown community will have an opportunity to provide their input on the policy before its adoption, planned for later this semester.
* For a chronology of data breaches for the last three years, visit www.privacyrights.org/ar/ChronDataBreaches.htm#CP