Managing Legally Protected Electronic Private Information
The University of Minnesota values the privacy of every member of its community, but protecting private data is more challenging than it has ever been. We read or hear, almost daily, about incidents in which private data has been compromised through theft, negligence, or ignorance. As a result, we all need to take responsibility for understanding what legally protected private data is and how we can protect it. The goal is to collectively avoid unwanted disclosure of personal information that, in turn, saves all of us from the unfortunate experience of identity theft or other problems.
The University of Minnesota has a series of guidelines, standards, and policies that explain this issue and lay out the steps needed to protect private information. While legally protected private data can exist in formats that include paper, photographs, or credit card magnetic strips, the purpose of this communication is to inform you of ways to protect private information when it exists electronically. Information in digital, electronic form becomes portable and can be replicated with little to no effort. The following best practices, guidelines, standards, and policies are in the context of this focus on portable, digital/electronic information.
Preventing Accidental and/or Unwanted Exposure
Below are ways to prevent accidental and/or unwanted exposure of electronic legally protected private information:
1. Know the meaning of the term "private data" and what it means to protect it. Read the definition.
- The best protection is to NOT store private data on a laptop or portable device.
- University employees who store legally private data have a responsibility to make sure it is secure.
- Do not store University legally private data on your home computer or laptop unless supported by University technical staff.
2. Know what "encryption" means and how it applies to protecting electronic private data. Read Encypting Stored Data.
- If it is used to store private data, encrypt your laptop hard drive, and do not carry the password in the case.
- Encrypt or physically lock up any private data backed up to a CD/DVD/USB fob.
- Talk to your local technical staff and ask for recommendations.
3. Know the University's policy on the Acceptable Use of Information Technologies. This policy outlines the uses and associated behaviors that are acceptable when using the University's technologies. Read the policy.
4. Other useful best practices:
- Laptop loss/theft is a big problem. To prepare, assume that you will lose your laptop!
- Store private data on a secure server not on your desktop, laptop or thumb-drive.
- Back up your data.
- After a computer is stolen, is too late to be sorry you saved so much private data.
- Use a security cable to lock down your laptop or desktop computer whenever possible (they do help).
Following these protocols can help protect you from the legal problems, embarrassment, inconvenience, and other problems that result when preventable private data breaches occur.
Frequently Asked Questions
What are the U of M rules for securing computers with private data?
See the U of M policy for Information Security.
What does "Private Data" mean in this context?
Legally private data includes social security number, private health information, date of birth. The Data Security Classification Policy for a longer list.
What can I do to make sure the private data I work with is adequately secure?
Store private data on a professionally maintained server. Do not store private data on a laptop computer unless you are sure it is encrypted AND the above policy is met. Review the Information Security Policy with your technology support staff to be sure you are meeting the policy.
What are some common ways that desktop computers get infected and/or compromised?
- Visiting non work-related and/or questionable Web sites on the internet and clicking on a link or an image.
- Irregularly applying patches to the software on the computer.
- Downloading infected files with a file sharing program.
- Clicking on links or attachments in e-mail or instant messages that may be disguised to look like they are from someone you know.
- Downloading software from non-reputable sources (e.g., screensavers or accelerator programs from advertisements or unsolicited/unknown email.)
What if I need private data on my laptop to do my job?
If there is no other way, options are to store the data on a server and log into the server during the time that you work with the data or to work with your technology support staff to encrypt the disk drive on the laptop. Note that with disk encryption a lockout screensaver set to a reasonably short time must be used, or a thief would have access to everything you do. Also information saved or sent via e-mail from the computer is not encrypted. When you open a file, it is unencrypted.
Can't I just protect private data on a laptop by being very careful?
Being careful helps, but computers are still stolen, even from careful people. If it is determined that a security breach as defined by Minnesota law has occurred, notifications will need to be sent to the individuals affected. Read the University's Breach Policy.