Consequences of Mishandling Sensitive Data
This article applies to: Security & Policy
When sensitive data isn't managed appropriately, it poses many risks to Cornell. By law, the possible loss of certain types of data requires Cornell to report to government agencies and to notify potentially affected individuals.
Responding to a data loss (even a possible loss) can easily consume hundreds of staff hours and is, as a result, an expensive activity. It can also significantly disrupt university business, because it involves many people from your department and from other campus offices.
Repercussions of lost data:
- Regulatory fines
- Loss of funding from government agencies
- Loss of donations and gifts
- Loss of Cornell's or your reputation
Data Loss Activities
The IT Security Office leads an investigation of the incident:
(1) A copy (image) of the computer's hard drive is made for analysis, so the original is not altered during the investigation.
(2) The contents of the hard drive and other sources, such as network traffic history, are analyzed to determine whether sensitive data may have been exposed.
(3) The Data-loss Incident Response Team (DIRT) is convened to determine the university's response to the incident. Its members are:
- Vice President for Information Technologies (chairs the group)
- IT Policy Office
- IT Security Office
- Audit Office
- University Counsel
- Cornell Police
- University Communications
- Risk Management
(4) DIRT also brings in the unit head, technical support staff, and other staff from the department where the incident occurred, as well as the university data steward for the affected data (for example, the Vice President for Student and Academic Services for incidents involving student data, or the Vice President for Human Resources for incidents involving employee data). For a complete list of data stewards, see University Policy 4.12, Data Stewardship and Custodianship.
(5) DIRT meets to review the incident and decide how the university should respond. If there is a reasonable likelihood that sensitive data could have been accessed without authorization, DIRT determines which potentially affected parties must be notified. DIRT also considers what must be done to prevent similar incidents in the future.