The Ohio State University

Protecting Personal Information

Ohio State University has a strong collective and individual commitment to protect the personal information of its academic community. In addition, both federal and state laws protect this information. It is in our best interest to understand and abide by the laws and the university policies and best practices that work in parallel to protect us. To accomplish this goal, faculty and staff are asked to take steps to reduce the chance of exposure of legally protected information.

Laws

The Ohio State University falls under many state and federal laws regarding the information we control. The most common regulatory acts or laws that concern our handling of sensitive data are Ohio House Bill 104 and the Family Educational Rights and Privacy Act (FERPA). (Feel free to check out the links above for more information about the legislation.) The university's interim policy on House Bill 104 also outlines how it expects departments to respond in the event of possible personal data exposure.

What Constitutes a Personal Data Exposure?

Exposure of an individual's name in combination with any of the following constitutes a data breach and may require the university to begin the notification process:

  • Social Security Numbers
  • Banking or Financial account numbers with passwords or PIN numbers that are not encrypted
  • Driver's license number or state identification card number
  • Student educational records including academic performance data, disciplinary records, race or ethnicity, gender, nationality or grades.

Consequences of a Violation

Under the requirements of House Bill 104, an incident that allowed unauthorized individuals to have potential or actual access to student names coupled with their Social Security numbers requires notification of these individuals. According to university policy, the actual costs associated with the notification will be borne by the department involved with the breach. 

The cost of the notification process is not the only consideration when dealing with a personal data exposure. Perhaps of greater consequence is the loss of trust in the university that results from the inevitable publicity surrounding these incidents. Other institutions that have incurred major breaches have reported significant negative effects that include denial of grant applications, loss of donor support and declines in enrollment.

Reducing the Chance of an Exposure

The first step to eliminating the university's liability from possible exposure of protected information is to change the way that protected data is stored. Here are the recommended and required actions that personnel handling protected data can take to protect themselves:

  • Whenever possible move files that contain protected information from publicly accessible fileservers and desktops and store them on password protected or encrypted secure shares and servers. Central department fileservers should have a restricted area where only permitted users can access, move or copy files containing personal information. Talk to your local IT staff about what resources exist in your department to allow this.
  • Protected data must not be stored on devices not owned by the university. Storage of this information on personal laptops, personally owned home computers or personally owned portable storage devices like USB hard drives, flash drives, or PDAs is not allowed.
  • Use of university owned portable equipment for storage of personal data is discouraged because of the high loss rate on items like laptops, PDAs and flash drives due to theft. Contact your IT staff to find out if there are other ways to access needed personal data files in a secure way while on the go.

When no central secure server is available, or using one is unfeasible for the storage of files containing protected information, university staff are expected to take steps to protect those files.

Note: Be sure to work with your IT staff to secure protected files and folders on desktop computers. This process is often as simple as enabling the protections included in the latest Microsoft and Apple operating systems. Below you will find step-by-step instructions on how to activate the built-in encryption software on Macintosh OS X and Windows XP computers. (Windows Vista contains BitLocker, a new encryption feature. Directions to enable this are found here.)

Encryption is the translation of data into a secret code. Encrypted files require you to have access to a secret key or password that enables you to decrypt them. Encryption of personal data protects it from the notification process in the event of an exposure to unauthorized persons. Encryption includes not just file and folder encryption but also the transport of personal information via secure communication paths like Virtual Private Networks or encrypted e-mail.

Redaction 

Simply removing Social Security information from electronic documents goes a long way toward neutralizing the threat of legal action should those files be exposed. Removing SSNs completely or scrambling the numbers is one effective way to protect student information in the event of a computer theft. Use safe unique identifiers such as a student's "name.n" whenever possible and remove protected personal information from documents you intend to store.
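
The redaction step described above, as an added example that is not part of the original page: a Python script that locates SSN-formatted numbers in text and masks them before the file is stored. The sample roster, the mask string and the function names are constructed for illustration; the range check assumes the standard rule that area 000, 666 and 900-999, group 00 and serial 0000 are never issued as SSNs.

```python
import re

# Nine digits as AAA-GG-SSSS, with hyphens, spaces or no separator (same one twice).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Skip ranges never issued as SSNs, which cuts false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def redact_ssns(text, mask="XXX-XX-XXXX"):
    """Return (redacted_text, count); every plausible SSN becomes `mask`."""
    count = 0
    def _sub(match):
        nonlocal count
        if not is_plausible_ssn(match.group(1), match.group(3), match.group(4)):
            return match.group(0)
        count += 1
        return mask
    return SSN_RE.sub(_sub, text), count

def find_ssn_lines(text):
    """1-based line numbers that still contain an SSN, for review before storing."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if redact_ssns(line)[1]]

# Constructed sample roster (not real data), keyed by name.n as the page suggests.
SAMPLE = """name.n,ssn,grade
doe.123,123-45-6789,A
smith.45,219099999,B
buckeye.1,078 05 1120,C
lee.7,000-12-3456,B
office phone 614-555-0100
"""

if __name__ == "__main__":
    print("lines with SSNs:", find_ssn_lines(SAMPLE))
    cleaned, hits = redact_ssns(SAMPLE)
    print(f"{hits} SSN(s) masked")
    print(cleaned)
```

Numbers that fail the range check, such as 000-12-3456 in the sample, are left untouched, so lines containing them still need a manual look.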

Encryption, 8Help and BuckeyeSecure Resources

Here are a number of resources, including printable instructions for more computer-savvy users and 8Help articles that walk through the process of activating the built-in file and folder encryption options in Windows and Mac OS X operating systems.

Contact your IT staff before executing these directions to ensure you have the right access on your computer to implement the changes.

How to encrypt your Macintosh OS X user directory using FileVault - Printable PDF and a detailed 8Help article

How to encrypt PC folders and documents using EFS under Windows XP - Printable PDF and a detailed 8Help article

BuckeyeSecure Resources on Protecting and Safeguarding SSNs.

Complying with FERPA and House Bill 104 - A guide for Faculty, GAs and Staff - PDF
