What is High-Risk (Confidential) Data?
This article applies to: Data Discovery
As described in Cornell University Policy 5.10, Information Security, any information that contains any of the following data elements, when appearing in conjunction with an individual’s legal name or other identifier (for example, email address), is considered to be high-risk (confidential) university data:
- Social Security number
- Credit or debit card number
- Driver’s license (or non-driver identification) number
- Bank account number
- Visa or passport number
- Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Personal financial information subject to the Gramm-Leach-Bliley Act (GLBA)
High-risk data is created by people to describe people. It is (or has been) used at Cornell to:
- Uniquely identify people
- Pay or reimburse people
- Provide employment benefits
- Support business-related travel and lodging
- Understand the financial status of a person
- Fulfill obligations to the state or federal government
To prepare for data discovery and cleanup, think about the work you do and where you might come into contact with high-risk data, both now and in the past. Some good questions to answer include:
- What jobs have you had before this one?
- Do you still retain files from those jobs?
- Did you have files transferred from an older computer to your current one?
- Has anyone else used or been responsible for your computer in the past? Do they have files on your computer?
- What other places do you store files? (For example, storage services like Box or OneDrive, file shares, network drives, external hard drives, and USB drives)
You may find that you are storing high-risk data that you have forgotten about or weren't ever aware of. It's important to use a tool like Spirion to do a thorough scan of all of the files on your computer, no matter when they were created or who created them. Once you've identified the high-risk data, you can decide what to do with it.
If you're interested, you can read a technical description of high-risk data on the Confidential Data Types page. It provides some insight into the challenges confidential data presents to scan tools and reinforces the key role you'll play in understanding what's on your computer and in your files.