New Policy Will Scrub Sensitive Data From Thousands of Computers

June 19, 2008 — The University of Virginia has put in place a new policy to better protect sensitive electronic data. The Universitywide policy, effective immediately, requires that sensitive data, including Social Security numbers, credit card numbers and certain medical records, be scrubbed from thousands of electronic devices and media, starting with portable devices like laptop computers, tablet PCs and "smart phones" that may be more vulnerable to theft than desktop computers.

Federal and state laws require the University to keep Social Security numbers for several purposes, including reporting salaries on W-2 forms and student applications for federal financial aid. But the new policy aims to eliminate such data from the many places where it isn't required, such as old employee evaluation forms and student grade sheets.

"This is an important policy and a key step in the University's campaign to reduce collection and use of Social Security numbers and to better protect highly sensitive institutional data in general," said James Hilton, vice president and chief information officer.

"Last fall, for example, the University began issuing new ID cards that do not depend on Social Security numbers," said Hilton. "This policy helps ensure that legacy files containing Social Security numbers and other sensitive data are identified and purged where feasible. By clearly stating the requirements that must be met to retain these files, the policy also helps ensure sensitive information receives the careful handling that it now requires."

The University is providing employees with a software tool, Identity Finder, that will scan all data on a computer or device to find any data that may be sensitive. When found, sensitive data must be "digitally shredded" or moved to a secure server unless a vice president or dean approves a special request to maintain such data. If kept, the data must be encrypted and protected by passwords.

"People should expect that exceptions from the deans will be few and far between, because there aren't many cases where a person has a strong business case to store sensitive data on a personal computer or portable device," said Shirley Payne, a director of information technology security and policy. "We have secure servers for that kind of information.

"We need to think about sensitive data as toxic waste," Payne added, "and we need to find it all and make sure it's stored away in a safe place."

The policy applies to all University entities, including the Medical Center, the College at Wise and University-related foundations. It applies to all devices that contain U.Va. data, regardless of whether they are owned by an employee or the University.

Since portable devices and media are at a higher risk for theft, noted Payne, removing sensitive data from these items takes priority over cleaning desktop computers. "This new policy is effective immediately and we expect people to immediately get to work on scanning and cleaning mobile devices," said Payne. All steps required by the policy must be completed by July 1, 2009.

Failure to follow the policy will result in disciplinary action that may include termination.

The full details of the new policy, along with action guidelines, answers to frequently asked questions, related policies, and links to relevant software and request forms may be found online at: www.itc.virginia.edu/security/highlysensitivedata/.

For decades, U.Va. business (like many businesses) has been tied to Social Security numbers, explained Payne. That legacy, along with the unique challenges of a University community — a great diversity of computer users with varying needs and competence levels, thousands of people coming and going every year, and a large group of remote computer users — makes information security at U.Va. a "massive, massive effort," said Payne. These challenges call for a comprehensive approach to security that deals not just with technology, but also with processes and people.

"The focus on people is critically important," said Payne. "Our security awareness programs, like 'Who's Watching Charlottesville,' have been considered national models for years. A huge percentage of security breaches occur because folks don't understand what they're supposed to do, or they ignore it.

"Policies like these, coupled with awareness programs, try to remedy that."

— By Brevy Cannon