Office of the CIO-Projects & Strategic Initiatives
Connect December 2007 Security Article


Sensitive Data on Portable and Personally Owned Devices

by Kent Strickland, ITS Information Security Officer

BGSU faculty and staff are reminded that a general information confidentiality policy has been in place since 1998.

ITS Network and Computer Policy #A27 prohibits the following conduct:

“Failure to protect the confidentiality and privacy of computer data. . .When accessing administrative (or other) computer data, failure to take care to protect the confidentiality of the information, or to respect the privacy of the individuals to whom the information refers. . .”

The preceding policy has not softened; yet the proliferation and compelling convenience of inexpensive portable computing devices have resulted in cultural bad habits that threaten information privacy.

Consequently, state of Ohio IT Policy ITP-B.9 was enacted in August 2005 (www.oit.ohio.gov/IGD/policy/pdfs_policy/ITP-B.9.pdf) and applies to state agencies such as universities.
The policy notes that:

“Portable computing devices are increasingly becoming an integral tool for government agencies and businesses. One consequence of this ability has been the co-mingling of business and personal computing assets, particularly portable computing devices such as notebook computers and personal digital assistants.”

With respect to the use of portable and personally owned devices, the OIT policy requires that “appropriate safeguards be in place to protect against the intentional or inadvertent corruption or destruction of system assets.”

The infrastructure support required to facilitate the protection of portable devices on a large scale is substantial–even more so for personally owned devices. It will take time before such an infrastructure can be fully established (see the article on the CELO project). Employees are advised to review the OIT policy to understand their obligations when using portable devices and to gain a sense of potential liability if they were to use personally owned devices to store or process sensitive University data.

Following an incident in May involving the loss of a personally owned flash drive containing sensitive student information that required compliance with the Ohio Breach Notification Act, a new interim Sensitive Data Privacy policy was instituted. The policy further emphasized existing expectations to protect sensitive information with respect to a particular technology–this time on portable devices–and to not use personally owned devices without explicit approval. The complete policy is available at www.bgsu.edu/offices/cio/page32492.html.

In brief, “BGSU stakeholders are to use University information on University owned media or equipment. BGSU stakeholders are not to store, communicate, transport or process University information on personally owned media, devices or computers without prior written approval from the appropriate vice president and the approval of the personal equipment by Information Technology Services (ITS).

“Information on University-owned portable devices such as flash drives, disks or laptop computers must be stored in physically secure locations and is not to be transported without encrypting the data using University approved software and techniques.”