When regulated private data or personally identifiable
information needs to be shared with other authorized individuals,
follow these guidelines to ensure information security.
The following steps should be followed when sharing University
data to authorized individuals to ensure the University is
protected to the best extent possible.
- Limit exposure by limiting shared information: Only give the
vendor the minimum information needed to make use of their service.
If there is an alternative piece of information available (for
example, Person Numbers in lieu of Social Security Numbers), use
that information instead.
- When you can’t limit the information that needs to be
shared with the vendor, limit UB’s liability by requiring
that the vendor adhere to NYS laws regarding breach
- Limit acceptable responses to reputable vendors by asking if
the vendor is SAS70/SSAE16 certified (this is usually posted
publicly on their website—for example: http://www.google.com/apps/intl/en-GB/trust/data_protection.html).
It's far simpler to work with vendors that have been through an
industry standard audit such as SAS70/SSAE16 than ask about their
processes and controls during the RFI (Request for Information)
process. There’s more chance of missing something, whereas a
published comprehensive audit is much easier to digest and also
will address all of the process/control points that may have
otherwise been missed.
Secure File is a service providing whole disk
encryption on Windows desktops and laptops, and CIFS file share
encryption on designated file servers. This service addresses the
requirements for securely storing Regulated Private Data and/or
Personally Identifiable Information.
Often, you may share reports when corresponding with colleagues.
If they’re not authorized to access some of the information
in the report, you should send it to them as a redacted PDF. Take care not to share Microsoft
Office documents that you’ve edited to remove regulated
private data; it’s sometimes possible to recover the deleted
information if change tracking is enabled in MS Office.
When sharing institutional data with outside vendors, the Office
of General Counsel recommends that the following language be
"The Contractor hereby acknowledges
and agrees to use commercially reasonable efforts to maintain the
security of private information (as defined in the New York State
Information Security Breach and Notification Act, as amended
"ISBNA" General Business Law § 889-aa; State Technology Law
§ 208) that it creates, receives, maintains or transmits on
behalf of SUNY and to prevent unauthorized use and/or disclosure of
that private information; and implement administrative, physical,
and technical safeguards that reasonably and appropriately protect
the confidentiality, integrity and availability of electronic
private information that it creates, receives, maintains or
transmits on behalf of SUNY("SUNY Data").
"The Contractor hereby acknowledges
and agrees to fully disclose to SUNY pursuant to the ISBNA, and any
other applicable law any breach of the security of a system where
the Contractor creates, receives, maintains or transmits private
information on behalf of SUNY following discovery or notification
of the breach in the system as to any resident of New York State
whose private information was, or is reasonably believed to have
been acquired by a person without valid authorization ("Security
Incidents"). The disclosure shall be made in the most expedient
time possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement or any measures necessary to
determine the scope of the breach and restore the reasonable
integrity of the system.
"The Contractor shall be liable for
the costs associated with such breach if caused by the Contractor's
negligent or willful acts or omissions, or the negligent or willful
acts or omissions of the Contractor's agents, officers, employees
or subcontractors. In the event of a Security Incident involving
SUNY Data pursuant to the ISBNA, SUNY has an obligation to notify
every individual whose private information has been or may have
been compromised. In such an instance, the Contractor agrees that
SUNY will determine the manner in which such notification will be
provided to the individuals involved pursuant to the ISBNA and
agrees to indemnify SUNY against any cost of providing any such
legally required notice. Upon termination or expiration of this
Agreement, the Contractor will follow SUNY's instructions relating
to any SUNY Data remaining in the Contractor's possession. Upon
authorization from SUNY, the Contractor will use data and document
disposal practices that are reasonable and appropriate to prevent
unauthorized access to or use of SUNY Data and will render the
information so that it cannot be read or reconstructed."