Data Protection and Encryption at UC


Are you here to learn how to encrypt your Office documents? If so, click here.

Background:


UC Personnel are responsible for the protection of sensitive data entrusted to our care. There are a number of Federal Regulations and State Laws requiring protection of different types of data; therefore, the UC Data Protection Policy was created to help provide simplified guidance and direction for compliance in a complex environment. This policy includes Data Classification guidelines which explain what information must be protected, how it should be classified, what protections are required and which laws or regulations apply.

At UC, data is classified as Restricted, Controlled or Public.

Restricted Data:


There are a number of types of restricted data. For a full list, see the UC Data Protection Policy. One example is a person's first and last name or first initial and last name combined with any of the following:

  • Social security number
  • Driver's license or other State identification card number
  • Financial account / Credit card / Debit card number
  • Protected health information and electronically stored biometric information

Required protections for Restricted data


The Data Classification portion of the Data Protection Policy provides details of what types of data are Restricted, Controlled or Public and includes the required protections for each type. One example of restricted data is Social Security Numbers (SSNs), which must be protected in the following ways:

  • SSNs must be encrypted if stored or used on portable storage devices, if removed from a secure university location, or if electronically transmitted.
  • SSNs must never be stored on a non-university owned or operated computer or storage device.
  • SSNs must not be stored or used by an external service provider or agent without a contractual agreement to provide appropriate protection to the same standards as applied at the university.
  • There are other protection requirements as well. The full details are too long to list here, but are available in the Minimum Safeguards and Data Classification portions of the UC Data Protection Policy.

The policy goes on to recommend these additional security precautions:

  • Whenever possible, all UC-owned desktop computers and servers that contain SSN data are encrypted.
  • Internal forms should be revised to eliminate unnecessary references to SSNs.
  • Paper copies of all documents with SSNs should be stored in locked filing cabinets and disposal must include shredding.

Remember that SSNs are just one example of restricted data; there are other types of restricted data, as well as types classified as controlled, each with varying requirements.

How to protect sensitive data - Encryption options at UC:


So, what does UC offer to help us protect SSNs and other restricted data?

  1. Do not store restricted data on a USB device or a mobile phone. These devices are too easy to lose or to be stolen.
  2. PGP Full Disk Encryption is available for free. All laptops and most desktops containing restricted data should be encrypted. The strategic solution for full disk encryption at UC is PGP, which is free to all faculty and staff, and is available here. Please contact UC Information Security at 558-ISec (4732) to discuss your needs.
  3. Encrypt your attachments prior to e-mailing them, then call the person to provide them the password; do not share the password via the same e-mail.
    MS Office 2007 includes strong encryption. Office 2003 encryption is weak and is not recommended, but Office 2007 uses AES, the current government encryption standard. Go here for instructions on how to encrypt your Word, Excel, or PowerPoint files.
    If someone has sent you an Office 2007 file and you do not yet have 2007, download the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007. This update will allow you to open the new file formats, including those that are encrypted.
  4. Email is automatically encrypted if sent Outlook-to-Outlook inside of UC. If you are sending e-mail from Outlook to another person at UC who is also using Outlook, your e-mail is automatically encrypted while in transit.
    HOWEVER this is NOT recommended: this email will NOT be encrypted if it is sent from/received by any e-mail client other than Outlook or if sent outside of UC. If the e-mail is sent or received using any other client, such as a Blackberry, iPhone, online e-mail services (Yahoo, Google, others), Eudora, Mac Mail, etc., it will not be encrypted. If restricted data is sent and a person picks it up with their Blackberry, this will be in violation of the Data Protection Policy and referenced regulations. For this reason, it is not recommended that you send any restricted or controlled data via e-mail. If your business process requires that you do so, please contact UC Information Security at 558-ISec (4732) to discuss.
  5. Explore other alternatives.
    If your business process requires you to send restricted data to external destinations and the options above will not meet your needs, please contact UC Information Security at 558-ISec (4732) or infosec@uc.edu to discuss other alternatives.