Text Size Default Text SizeDefault Text Size Large Text SizeLarge Text Size Largest Text SizeLargest Text Size Print Print this Page

Handling Restricted Data

ITS has been working with faculty and staff since early 2009 regarding the classification and handling of Longwood data. Below is information that you should be aware of regarding the handling of Longwood's restricted data.

What is Data Classification?

Three categories (Public, Internal and Restricted) were developed to aid in the identification of the sensitivity1 of the university's data; hence Data Classification.

Data Classification Rings

Rings of Data Classification

  • Public Data is the least sensitive information and is acceptable for public consumption.
  • Internal Data is moderately sensitive information. All University data is considered Internal unless classified otherwise.
  • Restricted Data is highly sensitive information for which an unauthorized disclosure may result in identity theft or University liability for costs or damages under laws, government regulations or contract.

Data Classification Links

What is Restricted Data?

There are two reasons why data would be classified as restricted:

1. The data is Personally Identifiable Information, as defined by the Code of Virginia § 18.2-186.6.:

Personally Identifiable Information (PII)
One of these elements Combined with one of these elements
  1. First name and Last name
  2. First Initial and Last name
  1. Social Security Number
  2. Drivers License Number
  3. State Identification Card Number
  4. Financial Account or
    Credit or Debit Card Number
    (in combination with codes or passwords that would permit account access)

 

2. An unauthorized disclosure of the data could result in costs or damages to the University. These can include: fines and legal costs, safety and health, productivity, financial, and reputation.

Unauthorized disclosure of the data associated with the following regulations, laws, and standards would cost the university:

  • HIPAA
  • GLBA
  • PCI
  • Code of Virginia
  • etc. 

What is Data Handling?

Standards were developed to set minimum requirements for the protection of data that is stored, transmitted or disposed of; hence the Data Handling Standards.

Recurring Requirements
Approval and...

Animated gif illustrating encryption
Encryption

Animated gif illustrating redaction
Redaction

  • Encryption: the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key
  • Redaction: the alteration or truncation of data such that no more than the following are accessible as part of the personal information:
    • Five digits of a social security number; or
    • The last four digits of a driver's license number, state identification card number, or account number.

Data Handling Links

What can I do now?

  • If you do not handle restricted data, or you have no need to store restricted data on a device other than a Longwood server you do not need to take any action.
  • If you do not know if you have restricted data, here are two tools you can run:
  • If you currently have restricted data on your computer or any device other than a Longwood server you should move that data to a server or follow the steps below immediately:
    1. Complete the Restricted Data Authorization Form (.docx - updated 2014).
      Note: the requestor's supervisor must acknowledge the request.
    2. Upon receipt of the completed form, a work order will be placed, on your behalf, to install TrueCrypt and Eraser software on the computer in your office.
    3. Upon installation of True Crypt and Eraser software,
      1. A TrueCrypt folder, called crypt, will be created in which restricted data can be securely stored (encrypted)
      2. An Erase option will allow for the secure removal of data. Data "erased" with this software is totally and permanently removed from your computer.
  • If you still have questions email Jen Eckrote at eckrotejl@longwood.edu

Why bother?

Good question, because you don't have to if...

  • You can move the data to a network space (i.e. a department share drive or your personal network space (B drive).
  • You can take another hassle-free route:
    1. Erase the File: Use the Eraser software, installed upon your work order request, to completely and totally remove the file from your non-network space
    2. Redact the data from the file: Use the delete key to remove what you don't need.
      • For instance, if you only need the last 4 of a social, then delete the rest of it.

But, if you've decided to keep the data in it's restricted form...

Here are some potential consequences of unauthorized disclosure of that data :

  • OUCH :: BUDGET
    A potential fine; levied by the Commonwealth, up to $150,000 per breach.
  • OUCH :: REPUTATION
    A potential blow on state and local media (i.e. radio, television, etc.); as the University's trustworthiness comes into question.
  • OUCH :: CUSTOMER SATISFACTION
    A potential increase in phone calls, emails and general customer relations; as the University Community wonder's "Was my data breached?"

1Sensitivity is the degree of adverse effect a compromise of confidentiality, integrity or availability would have on Commonwealth of Virginia interests, the conduct of university programs or the privacy to which individuals are entitled.