Information Security Awareness Message - Sensitive Information

Highlights: Be aware of the information you handle, Only handle sensitive data if needed, Lower the risk level of your behavior, Contact IT support if you suspect a privacy breach

Protection of sensitive information

The security of sensitive information, and breaches of privacy, have been prominent in the news during the past few years.  From hackers accessing databases of credit card numbers, to military information found on USB drives being sold second-hand, breaches of information privacy have dominated the news.  What is often neglected in reports is the proliferation of sensitive information and each individual's role in safeguarding it.  Emory is not immune to this threat and has been the victim of privacy breaches in the past.

What information is sensitive?

The first step in protecting ourselves, and those who have entrusted us with their information, is to be mindful of what information we handle and store.  Any documents that contain social security numbers, credit card numbers, patient health information, non-directory student information, human subject research data, bank account numbers or driver's license numbers need to be protected.  These pieces of information may be found in: our own electronic tax returns, human resource records, patient files, research databases, student records, customer payment documents, and more.
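Being mindful of what you store is easier when you can check for it. The following script is an added example, not part of Emory's awareness message or any Emory tool: it scans text for the two identifier types above that have a checkable structure, social security numbers (using the Social Security Administration's rule that area 000, 666 and 900-999 are never issued, and that group 00 and serial 0000 are invalid) and payment card numbers (validated with the Luhn checksum), and reports masked findings by line. The sample document, the field names and the function names are constructed for the example; a real deployment would read files from a share or mailbox export instead of the inline string.

```python
import re

# Constructed sample document (not real data): a spreadsheet export of the
# kind that ends up in a departmental share without anyone noticing.
SAMPLE_DOCUMENT = "\n".join([
    "Student roster export",                                                   # line 1
    "Name: Jane Doe   SSN: 123-45-6789   Card on file: 4111 1111 1111 1111",  # line 2
    "Name: John Roe   SSN: 000-12-3456   Card on file: 4111 1111 1111 1112",  # line 3
    "Unissued area 900-12-3456 and group 00 in 123-00-6789 are rejected",     # line 4
    "Amex 3782 822463 10005",                                                  # line 5
    "Phone: 404-555-0100",                                                     # line 6
])

# SSN in the conventional AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, each optionally followed by a single space or hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area, group, serial):
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never issued; group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers: doubling every second
    digit from the right, subtracting 9 from results above 9, and requiring
    the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, line_number, masked_value) for each plausible SSN or
    card number in the text. Values are masked so the report itself does
    not become another copy of the sensitive data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(("ssn", lineno, "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(("card", lineno, masked))
    return findings


if __name__ == "__main__":
    for kind, lineno, masked in find_sensitive(SAMPLE_DOCUMENT):
        print(f"line {lineno}: {kind} {masked}")
```

Run against the sample, it reports the SSN and card on line 2 and the Amex number on line 5 only; the malformed SSNs on lines 3 and 4 and the card with a bad check digit on line 3 are skipped, and the phone number on line 6 never matches. A positive hit is the cue to ask whether that document needs to exist at all, and, if it does, to move it under the protections (encryption, access control) the rest of this message describes.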

Why do we protect sensitive information?

We protect sensitive information first and foremost to protect the people it references, whether that person is ourselves, a student, a patient, a co-worker or a customer.  Additionally, we are obligated to protect many forms of sensitive information by law or contracts - this includes health records, student records and credit card numbers.  These required protections usually carry fines or other penalties for breaches of privacy.

What types of measures should you take to protect sensitive information?

The easiest way to protect sensitive information is to only store or handle it when required.  Protecting sensitive information requires lowering the risk level of our behavior.  It is analogous to driving with young children in the car: you follow known good behaviors more closely because you are responsible for the safety of a vulnerable group.  If you handle sensitive information regularly, never leave your computer unattended without ensuring the screen is locked, only browse known, safe websites, and don't open email attachments or click links if you have any doubt about their safety.  Use email and web services with caution; they are rarely appropriate tools for storing or communicating sensitive information.  Paper copies of sensitive information should be securely stored and shredded before disposal.  Employees should have a conversation with their local IT support staff about what sensitive data they handle and how best to protect that data.

What should I do if I think the privacy of sensitive information has been breached?

You should begin by contacting your local IT support and the Information Security office via the IT service desk.  The Information Security Office has a procedure to follow that will involve the appropriate parties, investigate the potential breach, determine the appropriate response steps, and coordinate the incident handling.  

Links

Below are links to related Emory policies and additional information.

FERPA guidance from the Office of the Registrar - guidance on the protection of student records

Disk encryption policy - details on when the use of disk encryption is required to protect sensitive information

Emory HIPAA policies - policies regarding protection of electronic patient health information