Protecting Sensitive Data
If sensitive data falls into the wrong hands, it can lead to a security breach, fraud, and/or identity theft. By taking steps to secure confidential data, you can protect the University community from these cyber security risks. Keep reading to learn more about sensitive data and how to secure it.
Classifying Sensitive Data
Knowing which types of data are classified as “sensitive” can help you make informed decisions about when and how to store University data. In ITS, we classify sensitive data in the following categories:
Personally Identifiable Information (PII)
Personally identifiable information (PII) is any data that could potentially identify a specific individual. PII can be labeled sensitive or nonsensitive. Nonsensitive PII can be easily gathered from public records, phone books, corporate directories and websites.
Sensitive PII is information that, when disclosed, could result in harm to an individual. This type of sensitive data often has legal, contractual or ethical requirements for restricted disclosure. Examples of sensitive PII include: social security numbers, driver’s license numbers, and passwords.
Family Educational Rights & Privacy Act (FERPA) Data
FERPA classifies protected information into three categories: educational information, personally identifiable information, and directory information. Although personally identifiable and directory information are often similar or related, FERPA provides different levels of protection for each. PII can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made.
Payment Card Industry (PCI) Data
The PCI Security Standards Council (SSC) developed the Payment Card Industry Data Security Standard (PCI DSS) in 2004 to combat credit card fraud. PCI data includes cardholder data such as the cardholder’s name, the primary account number, and the card’s expiration date and security code.
PCI data can also include sensitive authentication data, including magnetic-stripe data, the equivalent data contained on a chip, and PINs.
Protected Health Information (PHI)
Under HIPAA, protected health information is considered to be individually identifiable information relating to the health status of an individual. Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information.
Managing Sensitive Data
The first step in managing sensitive data is to identify where the data is being stored. ITS offers Spirion, a data discovery and remediation tool that helps organizational units throughout the University not only find where their sensitive data may be located, but also facilitates remediation of that information.
Secure File Storage
Georgia Southern provides a secure Google drive for departments who utilize sensitive data to assist with secure storage needs.
Last updated: 2/16/2022