Educational institutions are at risk for data breaches just like any other organization that holds the personal information of its customers and clients. In 2008, breaches affected educational institutions in 131 separate incidents. New York University encountered some minor data breaches a number of years ago and used its experience to focus administrative and technical resources on upgrading its security and business processes. NYU Associate General Counsel Leona Chamberlin talks via e-mail about the university’s strategy.
Q: What are the biggest challenges NYU has faced regarding data breach issues?
A: The biggest challenge in a large, decentralized institution such as NYU is that sensitive data may be distributed and stored at many levels, so it is difficult to know exactly what needs to be protected and where it is located. Data is stored locally, and people having responsibility for the data do not necessarily delete what is no longer necessary to retain. NYU continually seeks to identify and purge unnecessary data and to establish standards for data that must be retained.
Q: What are the best solutions you’ve come up with for operating in the university environment?
A: Rather than utilizing a “top down” management style that imposes a set of rules and prohibitions, NYU has relied upon policy development and user education. In situations where data storage and retention are central to a department’s function and which involve servers that we know we can control, we have developed policies that lead to a risk-based determination of how systems should be configured to reduce or eliminate the possibility of a data breach. At the same time, we have implemented a program of education and training for end users at all levels to create awareness of and personal responsibility for data in their custody. NYU is fortunate to have a highly professional Technology Security Services (TSS) department within its Information Technology Services division that identifies issues with regard to data handling and has the forensic skills necessary to determine if a breach may have occurred and the nature of any unauthorized systems activity. For purposes of assessing notice obligations, TSS is the primary watchdog and ties in the Office of Legal Counsel if ever there is a suspected data breach. The Office of Legal also supports TSS in policy development and reviews contracts for services in which data security is an element.
Q: Where is NYU looking to improve its data breach prevention policies and practices?
A: We are continually attempting to reduce the number of places where we use and store data where legal consequences could result if there were a data breach. We also are striving to improve awareness of NYU data protection policies among users. In furtherance of these goals, last year NYU conducted a university-wide survey to determine how and where sensitive data is being used and stored. The survey produced valuable information about use patterns and identified a number of areas where education and awareness could reduce risk.
Q: Please explain the changing use of social security numbers at NYU.
A: In spring 2004, NYU launched a project to replace the social security number–which we then used as the primary personal identifier–with a unique NYU ID number not derived from the SSN. That project was completed for the start of the 2004-2005 academic year, when approximately 50,000 new ID cards were issued with NYU ID numbers. Since that time, all NYU systems have been modified to accept the NYU ID number so that SSNs are accessible only to authorized persons with appropriate security permissions. All routine NYU business now is conducted using the NYU ID.