Data Handling
With Ease Comes Responsibility
By Christopher Penido
In today's world, most critical and personally identifiable information is stored in electronic format. From a business perspective, storing such information electronically makes it possible to deliver quick and efficient services to clients by being able to look up and uniquely identify them. However, given that such data is easily accessible, there exists an increased risk for it to be exposed, either by accident or by a malicious party.
Electronic data is a collection of information elements that is intended to be accessible, with the capacity for it to be modified, replicated, and destroyed by one or many people. Without the proper security controls, data of any kind can potentially be exposed at any point during its existence: as it traverses computer networks, is transmitted over wireless connections, is entered into databases, or is modified in spreadsheets. If it were possible to follow the many paths that unsecured data travels, one might be justifiably concerned as to how many individuals have access to it, how it is stored, and how it is handled.
As with any piece of information, once data has been provided to another person or organization, the risk of it being transmitted to another arbitrary person or group is greatly increased. The reality is, once that information has been given out, it cannot be easily "taken back" or secured. Data security is especially important when the data contains financial, health, or personally identifiable information. If that highly critical data were to be exposed to a malicious individual, it could lead to identity theft, create an unnecessary burden for the data exposure victim, and present a serious problem to the institution that leaked the information.
One of the issues that many organizations are confronting is securing data while retaining the ability to efficiently access it. State and federal regulations enforce the need to secure critical data, but it is up to individual organizations to deploy the means of achieving that end. Depending on the quantity of data being collected, securing the processes that produce, handle, and destroy critical data may be easier said than done.
Despite the known risks, many organizations depend on such critical data to carry out their normal business practices. Without that information, many of the services that clients have come to enjoy would be made more complicated or impossible altogether. Nevertheless, in the last five years, following a series of high-profile security breaches, information security has evolved to become one of the highest priorities for many institutions across all sectors. Recent breach laws, such as the New York Information Security Breach and Notification Act (2005), make the consequences of critical data exposure even more serious by requiring institutional accountability and the notification of affected individuals.
Recent Incidents at Other Academic Institutions
Despite the fact that many sectors have increased their investments and resources in data security, there have been large-scale data breach incidents on a nearly annual basis, with an estimated ten million victims or more per year. The consequences of such data breaches can run the gamut from tarnishing an organization's reputation, to financial loss, and even legal liability.
One such incident took place in April 2006 at Ohio University. In that incident, the personal information for more than 300,000 alumni and Social Security Numbers (SSNs) for approximately 137,000 University members were exposed to a malicious outside party. Before the compromise, the critical data was being insecurely stored on an unprotected server. While the issue was discovered in April of 2006, the compromise itself occurred as early as 2005. Over the span of an entire year, the Information Technology (IT) staff at Ohio University believed that the server was decommissioned and no longer connected to the network. As a result of this significant oversight, the server became vulnerable to attack because it did not receive the necessary security patches.
Already beset by this massive exposure, Ohio University acknowledged a second server compromise that took place that same month in another department. In this second incident, the SSNs and medical records of over 60,000 students were exposed. Given the large number of individuals affected by these two events, the University's administration fired two IT staff members and sought the resignation of the University's CIO.
The Ohio University security incidents were the largest security breaches at a U.S. educational institution until November 21, 2006, when the University of California, Los Angeles (UCLA) discovered a significant security breach in one of its systems. Officials revealed that attackers broke into a database containing personally identifiable information on approximately 800,000 former and current students, staff, and faculty members.
As was the case in the Ohio University incident, the security breach at UCLA was discovered well after the initial compromise had occurred. The database that was accessed by the attackers contained names, SSNs, birth dates, and home addresses. Credit card information was not included, but it remains plausible that the attackers could steal their victims' identities by combining the information acquired. In both cases, the vector of attack was insecure software that lacked critical security patches and updates. The attackers exploited these software flaws and accessed the databases over the course of an entire year before IT staff noticed anything.
Overall, 2006 was marked by a series of high-profile data exposure incidents across many sectors. In most cases, they were the result of mismanagement, a poor implementation of basic security controls, or user error in the handling and proper disposal of restricted critical data. While technical means can be employed to mitigate critical information exposure, it is still imperative for any organization to institute clear policies, standards, and guidelines that help to define and build up its security profile. A combination of basic security controls, along with strong security procedures and policies, can significantly reduce the likelihood of data breaches.
NYU's Commitment
Over the last few years, given the increasing threats related to identity theft, state and federal regulations have instituted protections for personally identifiable information such as credit card, banking, and Social Security Numbers. According to the Federal Trade Commission (FTC), identity theft affects more than ten million Americans each year, with businesses paying upwards of $60 billion in losses. The fear that these figures might increase with time has served as a catalyst for the expansion of clear and concise security policies for business, educational, and government organizations.
Guided by state and federal regulations, such as FERPA [1], GLBA [2], HIPAA [3], and the New York Information Security Breach and Notification Act [4], NYU has its own set of policies and guidelines for securing critical data. The University's "Policy on Responsible Use of NYU Computers and Data" [5] serves as the framework for instituting strong security controls for the protection of critical personally identifiable data.
Beginning in 2004, NYU began an ongoing project to institute new University Identifiers (UIDs) in lieu of the former identification method, which employed Social Security Numbers. The UIDs serve to identify students, faculty, administrators, and staff within the University, but are meaningless outside of the scope of the University. Much like the NYU NetID assigned to NYU community members, the UID is a randomized identifier for a University individual that another party cannot utilize to commit identity theft and other federal and state crimes. As the UIDs were implemented and became the principal individual identifier for all University business, the former SSN-based identifier system was largely retired.
Despite the changeover to UIDs, however, the use of SSNs cannot be fully phased out, since they are still needed for matters related to the state and federal governments, e.g., the IRS. Moreover, while the change to the new UID has been swift and effective, SSN usage remains essential for internal University matters related to credit score retrieval and financial aid.
The NYU policies that instituted the new UID system also give guidance as to when SSNs are to be collected, used, and released. SSNs are not collected or used when another ID would suffice for business purposes, unless the SSN is legally required or the person volunteers it to locate or confirm personal records. In addition, SSNs are not released unless legally required, the owner authorizes it, an outside firm is acting on the University's behalf, or NYU's Legal Counsel has provided approval [6].
NYU is continuously working to minimize the use of personally identifiable information. Beyond policy changes, security awareness initiatives are underway to assist staff and administrators in reducing the use of SSNs and replacing them with UIDs wherever possible. To support the internal interoperability of the new identifier, UIDs were added to the many databases where SSNs were previously the sole identifier, such as those in Human Resources and the NYU Student Information System. Ongoing initiatives also aim to minimize the use of SSNs in internal data transfers.
NYU is committed to ensuring the privacy and proper handling of all personally identifiable information. It is important to recognize, however, that this responsibility is also spread amongst all University employees and offices that handle personal information. For more information, see NYU's Responsible Use Policy [7].
What You Can Do
The best way to understand the importance of securing critical data is by examining your workflow and mapping out where personally identifiable data exists. A good place to start is by securing all of your home and office computers. Follow these four basic security practices for each computer:
- Download and install the latest operating system patches, and set the computer to check for updates automatically.
- Download and install the latest antivirus definitions, and set the computer to check for updates automatically.
- Enable your computer's firewall.
- Create account passwords that consist of a minimum of eight alphanumeric characters.
Simply by enacting these four basic security measures, the risks of a potential compromise of your computer(s) are greatly mitigated. It is also prudent to password-protect any handheld devices you use, such as Blackberries and Treos, in case these devices are lost or stolen.
Next, browse through files stored on your computer(s), such as Word documents, Excel spreadsheets, databases, and other file formats, to identify where personally identifiable information is present. Identify files that contain possible Social Security Numbers by running searches for keywords such as "SSN" or "Social Security." In addition, expand your search parameters to look for associated files that may contain names, addresses, and credit card numbers. If you deal with University ID numbers that date back before 2004, you may also consider looking for keywords such as "University ID," "UID," "Student ID," "Staff ID," or "Faculty ID," as these may contain SSNs as well. If you find such information on your work computer, whether it is a laptop or desktop, it is recommended that you contact your local office administrator and then remove the critical data as soon as possible. A compromise (by a virus or other security exploit) of a computer containing such critical data may inadvertently result in personally identifiable information being exposed to a malicious third party.
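The keyword search described above can be scripted so that a whole folder is checked consistently. The following is an added example, not a tool from NYU ITS or the article: it walks a directory of plain-text files (Word and Excel files would first need a text extractor), looks for the article's keywords on word boundaries, flags SSN-like digit patterns while discarding values the Social Security Administration never issues, and reports only the last four digits so the report itself does not become a new copy of the sensitive data. The sample text, file suffixes, and function names are the example's own assumptions.

```python
import re
from pathlib import Path

# Labels the article suggests searching for; \b keeps "uid" from matching "guide".
KEYWORD_RE = re.compile(
    r"\b(ssn|social security|university id|uid|student id|staff id|faculty id)\b",
    re.IGNORECASE)

# Candidate SSN: 3-2-4 digits, optionally separated by '-' or ' ', not inside a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never issues, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def scan_text(text: str) -> dict:
    """Report keyword hits and SSN-like values; SSNs are redacted to their last four digits."""
    keywords = sorted({m.group(1).lower() for m in KEYWORD_RE.finditer(text)})
    ssns = [m for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]
    samples = sorted({"***-**-" + m.group(3) for m in ssns})
    return {"keywords": keywords, "ssn_count": len(ssns), "ssn_samples": samples}

def scan_directory(root: str, suffixes=(".txt", ".csv", ".md")) -> dict:
    """Walk a directory of plain-text files and return only the files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in suffixes):
            continue
        try:
            result = scan_text(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if result["keywords"] or result["ssn_count"]:
            findings[str(path)] = result
    return findings

# Constructed sample (not real data): a header keyword, one plausible SSN,
# one value with an unissued area number, a word containing "uid", and a phone number.
SAMPLE = """Name,SSN,Notes
Jane Doe,123-45-6789,financial aid
John Roe,000-12-3456,unissued area number
Guide to the UID rollout, phone 212-555-1234
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Run `scan_directory("/path/to/folder")` against a copy of a shared drive or a home directory to get a per-file list of what to clean up; a keyword hit without any SSN-like value is still worth a manual look.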
Compared to a desktop, a laptop computer's mobility puts it at greater risk for critical data exposure if it should be lost or stolen. State regulations, such as the New York Information Security Breach and Notification Act, require the reporting of computers containing unencrypted personally identifiable information to the Attorney General of New York State and the prompt notification of the affected victims of the breach. In the event that an NYU employee loses a laptop that contains unencrypted names and addresses with corresponding credit card information and/or Social Security Numbers, the University would be held accountable and obligated to issue privacy breach notifications. As such, it is highly recommended that critical data not be stored on a laptop.
Next, check to see if physical media, such as old floppy or ZIP disks, USB keys, CDs, DVDs, and paper records, are being used to store or document restricted data. Assess whether or not these media types are secure from tampering or loss. Staff should be trained to recognize different types of critical data and to handle such data with a level of security appropriate to its sensitivity. Once the data has been used, a plan to securely destroy it should be enacted as a standard business practice.
Finally, open a dialogue within your department about the use of personally identifiable information and how it is handled. Discuss the importance of protecting, minimizing, or even phasing out critical data usage where possible. Examine alternative places where data could be stored, so that staff members don't replicate official data stores on their local computers. As a final point, managers and directors should reduce or remove staff members' access to critical data according to the principle of least privilege: grant the least amount of access they need in order to perform their job functions.
In combination, all of these recommendations will help protect the University community from identity theft, negative publicity, increased costs, legal liability, and disciplinary action. Each member of the NYU community is essential to keeping the "chain of security" intact; a break in any portion of that chain could potentially pose a risk to the entire University. For more information on security policies, network and computer security, identity theft, and critical data handling, please visit: www.nyu.edu/its/security/.
Footnotes
1. Family Educational Rights and Privacy Act
2. Gramm-Leach-Bliley Act
3. Health Insurance Portability and Accountability Act
4. www.oag.state.ny.us/consumer/tips/id_theft_law.html
5. www.nyu.edu/its/policies/responsibleuse.html
6. Ibid.
7. Ibid.
Author Biographies
Christopher Penido is a Network Security Analyst in ITS' Communications & Computing Services.