Why Data Security Is Important to Cornell
This article applies to: Data Discovery
With identity theft due to the loss of online data a major concern these days, Cornell needs to better protect sensitive data stored in electronic form, particularly the personal information that students, employees and others associated with the university have placed under our trust.
Regulations Protect Certain Types of Data
Not only do we have a moral obligation to take good care of other people’s personal information, certain types of data are protected by regulation. If it appears that such information held by the university may have been accessed by an unauthorized party, we are obliged to formally notify the impacted individuals and to report the breach to government agencies.
Our chief concern for the Ithaca units is the New York State Information Security Breach and Notification Act, which addresses the exposure of Social Security, credit card, driver’s license, and bank account numbers. Cornell Health and Benefits Services also handle information protected under the U.S. Health Insurance Portability and Accountability Act (HIPPA).
What Happens after a Data Security Breach?
Data breach incidents can be expensive, costing us both time and money. Cornell has had to report incidents potentially exposing such data, and notify the impacted individuals, a number of times over the past few years. These data breaches have typically been the result of a lost or stolen computer, or of an intrusion where the attacker took control of a computer.
- The local department and the IT Security Office investigate to determine whether sensitive data may be at risk.
University leaders determine what action, if any, should be taken. If the decision is to notify:
- The necessary information about the impacted parties is assembled.
- The university has the direct expense of generating the notifications and providing credit-monitoring services.
The worst cost we bear, however, is the damage a data breach does to Cornell’s reputation—with the campus community, with our supporters and with the general public.
For more information, see the Consequences of Mishandling Sensitive Data page.
While part of the solution lies with reviewing how sensitive data is stored on the central administrative systems and how such information is made available to campus departments, our bigger problem is that sensitive data is spread far and wide throughout campus, including on staff laptops and desktops and on local file servers.
As often as not, this information is no longer relevant to current work and the person using the computer is not even aware of it. The most common problem is files dating back to when Social Security numbers were still being used as a general identifier. Sometimes these are files from a previous user of the computer.
Finding where confidential data is stored, removing what is no longer needed, and appropriately securing what must be retained is the best step we can take to improve data security. In departments that have not yet implemented a formal data cleanup process, some two-thirds of staff computers are storing other people’s confidential information.
If the university takes better control of the sensitive personal information under our care, we can reduce the risk of data breaches.