The Importance of Securing Electronic Data

Much of the data stored or transmitted via Whitman's computing equipment is confidential. Unauthorized access to this data may constitute a violation of federal statutes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB), and other laws designed to protect privacy. A breach in data security that compromises personal information can lead to identity theft, putting members of the Whitman community at risk and exposing the College to litigation. Unauthorized access to other confidential data, though not usable for identity theft, may nonetheless have serious legal, financial, or public relations implications for the College.

Preventing Electronic Data Breaches

The task of protecting confidential electronic data is shared by all members of the Whitman community who have authorized access to such data. In general, confidential data should not be accessed, copied, stored, downloaded, transmitted, or used unless it is essential to do so to conduct College business.

Confidential data should not be stored on laptops or other mobile devices for longer than necessary and should be encrypted at all times when not actually in use. Devices that contain confidential data, whether mobile or not, should be secured by strong authentication (e.g., multiple levels of passwords) as well as by physical means (security cables, locked cabinets, etc.). Mobile devices should not be put into checked luggage when traveling.

The Chain of Responsibility

Under certain circumstances, confidential electronic data (such as student names, email addresses, or other information) may need to be conveyed to individuals or groups who are not employees of the College. These may be vendors, contractors, professional organizations, (internal) student organizations, or others. In these circumstances, the College must require the recipient of the data to abide by the same (or stricter) guidelines to protect the data from unauthorized access or abuse. This chain of responsibility must extend to any third parties (or beyond) to whom the confidential data might be further conveyed.

Responding to Data Security Breaches

Despite explicit guidelines for securing confidential electronic data, breaches can still occur. At such times, it is important that the College respond as quickly and as professionally as possible. Computer thefts should be reported immediately to the Office of Information Technology (ext. 5415 or 509-527-5415). The steps that the Office of Information Technology will take in the event of a data security breach are as follows:

1. Determination of the nature and scope of a breach

2. Communication about breach to authorized individuals

3. Investigation of breach

4. Assessment of breach

5. Remediation

6. Notification of breach - senior officers and CIO will determine need and method(s) to:

Guidelines for Community and Public Notifications

If senior officers and the CIO determine that community and/or public notifications are indicated, the president (or a person designated by the president to serve as spokesperson) will convey information and answer questions about the incident. Others should refer all questions to the president or designated spokesperson.

Communications will cover the following points:

Post-Incident Follow-Up

In the wake of a serious data security breach, the Office of Information Technology will:

Adapted with permission from Reed College Computing & Information Services http://web.reed.edu/cis/policies/incident_response.html
