University Data Cleanup and Inventory Initiative
This article applies to: Data Discovery
To greatly reduce Cornell's risk of suffering data breaches, it's critical to identify what confidential data must be stored (temporarily or permanently) on a staff computer or departmental file server, to secure and track confidential data while it's being stored, and to delete that confidential data from staff computers and departmental file servers as soon as the data is no longer needed.
Each campus unit is required to establish a local data cleanup program. The details of implementation vary, but a unit must:
Set guidelines for what action is to be taken when confidential data is found on a computer. As described in University Policy 5.10, Information Security, any information that contains any of the following data elements, when appearing in conjunction with an individual’s legal name or other identifier (for example, email address), is considered to be high-risk (confidential) university data:
- Social Security number
- Credit or debit card number
- Driver’s license (or non-driver identification) number
- Bank account number
- Visa or passport number
- Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Personal financial information subject to the Gramm-Leach-Bliley Act (GLBA)
Require all staff and faculty in the unit to:
- Acknowledge their responsibility to understand and safeguard the university information they handle.
- Determine where confidential data is stored on their computers and other file spaces assigned for their use.
- Run a data discovery tool, to assist in finding confidential data.
- Take whatever action, if any, is specified by university policy and local practice when confidential data is found, be it through the scanning process or by other means.
Note: To help ensure successful completion of the program, the unit may require its employees to formally attest that they have fulfilled these requirements.
- Maintain an inventory of computers that continue to hold confidential data.
A unit should also implement guidelines for how confidential data is to be handled in the future, along with other ongoing data security measures.