Tips for Protecting UB Data When Working with Vendors or Others

When Category 1-Restricted Data or personally identifiable information needs to be shared with other authorized individuals, follow these guidelines to ensure information security.

Sharing Data

Follow these steps when sharing University data with authorized individuals so that the University is protected to the fullest extent possible.

  1. Limit exposure by limiting shared information: Only give the vendor the minimum information needed to make use of their service. If there is an alternative piece of information available (for example, Person Numbers in lieu of Social Security Numbers), use that information instead.
  2. When you can’t limit the information that needs to be shared with the vendor, limit UB’s liability by requiring that the vendor adhere to NYS laws regarding breach notifications.
  3. Limit acceptable responses to reputable vendors by asking whether the vendor is SAS70/SSAE16 certified (this is usually posted publicly on their website, for example: https://sites.google.com/site/sekarstacert/home/3-security/compliance-certifications). It's far simpler to work with vendors that have been through an industry-standard audit such as SAS70/SSAE16 than to ask about their processes and controls during the RFI (Request for Information) process. Relying on RFI answers alone leaves more chance of missing something, whereas a published comprehensive audit is much easier to digest and addresses all of the process/control points that might otherwise have been missed.

Secure File Service

Secure File is a service providing whole disk encryption on Windows desktops and laptops, and CIFS file share encryption on designated file servers. This service addresses the requirements for securely storing Category 1-Restricted Data and/or Personally Identifiable Information.

Redacting and Sharing Information with Adobe Acrobat Professional

You will often share reports when corresponding with colleagues. If they’re not authorized to access some of the information in the report, send it to them as a redacted PDF. Take care not to share Microsoft Office documents that you’ve edited to remove regulated private data; if change tracking is enabled in MS Office, the deleted information is often still stored in the file and can be recovered.
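To check whether an Office document still carries the deleted text the paragraph above warns about, here is an added example (not part of the original page or any UB tooling) that unzips a .docx and scans its WordprocessingML parts for tracked-change revision marks. The sample document, the author name and the SSN value it builds are constructed placeholders:

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def find_tracked_changes(docx_bytes: bytes) -> dict:
    """Return deleted and inserted text still stored as tracked changes in a .docx."""
    deleted, inserted = [], []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Scan the body plus headers/footers; all of them can carry revision marks
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            # Deleted runs keep their text in <w:delText>, so it never left the file
            for node in root.iter(f"{{{W_NS}}}del"):
                text = "".join(t.text or "" for t in node.iter(f"{{{W_NS}}}delText"))
                if text:
                    deleted.append(text)
            for node in root.iter(f"{{{W_NS}}}ins"):
                text = "".join(t.text or "" for t in node.iter(f"{{{W_NS}}}t"))
                if text:
                    inserted.append(text)
    return {"deleted": deleted, "inserted": inserted}

def is_safe_to_share(docx_bytes: bytes) -> bool:
    """A file still carrying revision marks is not safe to send to unauthorized readers."""
    found = find_tracked_changes(docx_bytes)
    return not found["deleted"] and not found["inserted"]

def build_sample_docx() -> bytes:
    """Constructed sample: an SSN 'removed' with Track Changes on (placeholder value)."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
  <w:r><w:t xml:space="preserve">Student: Jane Doe, SSN: </w:t></w:r>
  <w:del w:id="1" w:author="editor" w:date="2024-01-01T00:00:00Z">
    <w:r><w:delText>000-00-0000</w:delText></w:r>
  </w:del>
  <w:ins w:id="2" w:author="editor" w:date="2024-01-01T00:00:00Z">
    <w:r><w:t>[REDACTED]</w:t></w:r>
  </w:ins>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(find_tracked_changes(build_sample_docx()), is_safe_to_share(build_sample_docx()))
```

Comments and document properties can also retain private data, so accept all changes and run Office's document inspector before relying on a check like this one.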

Requiring Vendors to Adhere to NYS Law

When sharing institutional data with outside vendors, the Office of General Counsel recommends that the following language be included:

"The Contractor hereby acknowledges and agrees to use commercially reasonable efforts to maintain the security of private information (as defined in the New York State Information Security Breach and Notification Act, as amended "ISBNA" General Business Law § 889-aa; State Technology Law § 208) that it creates, receives, maintains or transmits on behalf of SUNY and to prevent unauthorized use and/or disclosure of that private information; and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic private information that it creates, receives, maintains or transmits on behalf of SUNY ("SUNY Data").

"The Contractor hereby acknowledges and agrees to fully disclose to SUNY pursuant to the ISBNA, and any other applicable law any breach of the security of a system where the Contractor creates, receives, maintains or transmits private information on behalf of SUNY following discovery or notification of the breach in the system as to any resident of New York State whose private information was, or is reasonably believed to have been acquired by a person without valid authorization ("Security Incidents"). The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

"The Contractor shall be liable for the costs associated with such breach if caused by the Contractor's negligent or willful acts or omissions, or the negligent or willful acts or omissions of the Contractor's agents, officers, employees or subcontractors. In the event of a Security Incident involving SUNY Data pursuant to the ISBNA, SUNY has an obligation to notify every individual whose private information has been or may have been compromised. In such an instance, the Contractor agrees that SUNY will determine the manner in which such notification will be provided to the individuals involved pursuant to the ISBNA and agrees to indemnify SUNY against any cost of providing any such legally required notice. Upon termination or expiration of this Agreement, the Contractor will follow SUNY's instructions relating to any SUNY Data remaining in the Contractor's possession. Upon authorization from SUNY, the Contractor will use data and document disposal practices that are reasonable and appropriate to prevent unauthorized access to or use of SUNY Data and will render the information so that it cannot be read or reconstructed."