Background: Recent security breaches at businesses and universities, including thefts of devices such as laptops containing personal information, have exposed thousands of people to potential identity theft.
Your job at UCSD may give you responsibility for processes involving access to personal information or sensitive data, including:
- Social Security numbers
- Birth dates
- Home phone numbers
- Home addresses
- Home email addresses
- Location of assets
- Credit cards
Federal and state law, as well as UCSD policy, govern the use and protection of these types of personal information. All members of the UCSD community are responsible to respect and protect private personal information under their control, whether electronic (e.g. e-mail) or hard copy.
If you use and/ or store private information as described above, examine your businesses processes to ensure that the retrieval or storage of private information on portable devices is absolutely necessary for such processes.
If you are using the UCSD network or have UCSD-related data on your laptop or other portable devices, you are responsible for its safekeeping. Take extra precautions to physically secure such devices to ensure they are not taken by unauthorized people.
Understand the laws:
- Sensitive data is any data that is regulated by law or limited by contractual agreements between the University and other business partners.
- The Family Educational Rights and Privacy Act (FERPA) covers all student data. The University can disclose without consent directory information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance, as long as the student's disclosure preferences from TritonLink are honored. If any data is present that has been flagged for nondisclosure, or if the disclosure option is not checked and enforced, the data is considered sensitive.
- The Gramm-Leach-Bliley Act (GLB Act), officially known as the Financial Modernization Act of 1999, includes privacy provisions to protect consumer information held by financial institutions. Because of student loan activity, the University is considered a financial institution under the GLB Act. FERPA compliance places the University in compliance with FTC privacy rules under the GLB Act.
- California Public Records Act Code 6250-6270 mandates public access to records held by the University. The act also provides exclusions for access to certain types of records or data. Examples of excluded data include personal payroll/ employee data such as state and federal tax withholding. The act requires the protection of the privacy and integrity of this data and its use at the University.
- California State Senate Bill, SB 1386 requires that the University disclose any unauthorized access to Social Security numbers, driver's license numbers, and a financial account or credit card number in combination with any password that would permit access to the individual's financial account.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law establishing national standards for the privacy and security of an individual's health information. This is information created or received by a health care provider or health plan, including health information or health care payment information plus information that personally identifies the individual patient or plan member, including:
- A patient's name and e-mail, Web site and home addresses
- Identifying numbers, including Social Security numbers, medical records, insurance numbers, biomedical devices, vehicle identifiers, and license numbers
- Full facial photos and other biometric identifiers
- Dates, such as birth date, dates of admission and discharge, or date of death
- Payment Card Industry (PCI) Standard is a contractual agreement between the University and its merchant bank. The agreement covers handling of credit card numbers, magnetic stripe contents, card verification code numbers, and expiration dates. In addition to the standards outlined above for sensitive systems, PCI requires extra security and has its own set of standards.
Links to more information:
Device and data security:
- Computer Security For Laptops
- Securing Your Data and Workspace
- How to Report a Computer Security Incident
- Computer and Network Security
- Preventing Identity Theft – Securing Personal Information
- Internal Control Practices: Information Systems
- Handling Records Containing Information on Individuals
- UCSD Plan For Protection of Electronic Personal Identity Information (PDF)
- UC Electronic Information Security (IS-3) policy (PDF)