
Securing Sensitive Data

The State of Massachusetts has recently adopted a new data security law (Chapter 93H of the Massachusetts General Laws of 2007). The law defines sensitive data (a.k.a. confidential ‘personally identifiable information’) and requires that institutions immediately notify those individuals whose information has been compromised as a result of a security breach.

What Constitutes Sensitive Data?

At UMass Amherst, sensitive data refers to:

  • Personal information: An individual’s name in combination with any of the following: Social Security Number, Driver’s License Number, State Identification Card Number, financial account number, credit or debit card number (based on Chapter 93H of the Massachusetts General Laws of 2007).
  • Health information: Individually identifiable information related to a person’s physical or mental health. This applies to any past, present, or future condition, treatment, or payment of health care service (based on the Health Insurance Portability and Accountability Act of 1996, a.k.a. HIPAA).
  • Education records: Students’ academic, personal, and financial information as described in the most recent Academic Regulations Handbook (based on the Family Educational Rights and Privacy Act, a.k.a. FERPA).

Data Protection Action Plan

To comply with the new law and enable the University to take appropriate action in case of a security breach, the Office of Information Technologies (OIT) is asking all departments on campus to take the four steps described below.

1. Know what constitutes sensitive data at UMass Amherst

Keep current with data security policies and procedures implemented on campus. Visit:

2. Keep what’s necessary, purge what’s not

Carefully review your business requirements for sensitive data and delete any information that you do not need. For data purging guidelines, follow the University Records Management, Retention and Disposition Standards.

Save any sensitive data that you need on your departmental server(s). Because servers are a more secure storage option, best practice is to move all of your sensitive data from laptops, portable storage media (e.g., USB flash drives, CDs), and local computers to your departmental server space.

3. Identify the workstations and servers that contain sensitive data in your department

For compliance purposes, the University needs an inventory of all sensitive data stored on departmental computers. After you have purged the data you do not need and moved the rest to your departmental server(s), fill out the Sensitive Data Checklist (MS Excel, 20K) for every workstation and server that still contains sensitive information.

Send the Sensitive Data Checklist to data-security@oit.umass.edu by Friday, March 14, 2008 at 5:00 p.m.

4. Designate a ‘data security’ contact in your department

This person will act as a liaison with OIT, providing us with logistical details about the data stored in your department (as required by law) and keeping you informed of data security policies and procedures.

Questions? Contact the OIT Data Security Group at data-security@oit.umass.edu.

Last revised February 21, 2008