When Category 1-Restricted Data or personally identifiable information needs to be shared with other authorized individuals, follow these guidelines to ensure information security.
Follow these steps when sharing University data with authorized individuals so that the University is protected to the best extent possible.
Secure File is a service providing whole disk encryption on Windows desktops and laptops, and CIFS file share encryption on designated file servers. This service addresses the requirements for securely storing Category 1-Restricted Data and/or Personally Identifiable Information.
Often, you may share reports when corresponding with colleagues. If they’re not authorized to access some of the information in the report, you should send it to them as a redacted PDF. Take care not to share Microsoft Office documents that you’ve edited to remove regulated private data; it’s sometimes possible to recover the deleted information if change tracking is enabled in MS Office.
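The tracked-changes risk described above can be checked before a file leaves your hands. The following is an added example, not part of the original guidance or of any University tool: it scans a .docx for tracked deletions and insertions that a recipient could still read. The function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by the XML parts inside a .docx package
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def tracked_residue(docx):
    """List tracked deletions/insertions still stored in a .docx (path or file object)."""
    hits = []
    with zipfile.ZipFile(docx) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            # Intended for your own documents; use a hardened XML parser for untrusted files.
            root = ET.fromstring(zf.read(part))
            for kind, tag, text_tag in (("deleted", "del", "delText"), ("inserted", "ins", "t")):
                for rev in root.iter(f"{{{W}}}{tag}"):
                    text = "".join(t.text or "" for t in rev.iter(f"{{{W}}}{text_tag}"))
                    if text:  # skip empty markers such as deleted paragraph marks
                        hits.append((kind, part, rev.get(f"{{{W}}}author"), text))
    return hits

def constructed_sample():
    """Constructed minimal package: only the part this check reads, not a full Word file."""
    body = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:t>Student record: </w:t></w:r>'
        '<w:del w:id="1" w:author="Constructed Author" w:date="2024-01-01T00:00:00Z">'
        '<w:r><w:delText>SSN 000-00-0000</w:delText></w:r></w:del>'
        '<w:r><w:t>[removed]</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for kind, part, author, text in tracked_residue(constructed_sample()):
        print(f"{kind} text still in {part} (author {author}): {text!r}")
```

An empty result means no tracked revisions were found in the file; it does not cover other residue such as comments or document properties, so a redacted PDF remains the format to send.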
When sharing institutional data with outside vendors, the Office of General Counsel recommends that the following language be included:
"The Contractor hereby acknowledges and agrees to use commercially reasonable efforts to maintain the security of private information (as defined in the New York State Information Security Breach and Notification Act, as amended "ISBNA" General Business Law § 889-aa; State Technology Law § 208) that it creates, receives, maintains or transmits on behalf of SUNY and to prevent unauthorized use and/or disclosure of that private information; and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic private information that it creates, receives, maintains or transmits on behalf of SUNY ("SUNY Data").
"The Contractor hereby acknowledges and agrees to fully disclose to SUNY pursuant to the ISBNA, and any other applicable law any breach of the security of a system where the Contractor creates, receives, maintains or transmits private information on behalf of SUNY following discovery or notification of the breach in the system as to any resident of New York State whose private information was, or is reasonably believed to have been acquired by a person without valid authorization ("Security Incidents"). The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
"The Contractor shall be liable for the costs associated with such breach if caused by the Contractor's negligent or willful acts or omissions, or the negligent or willful acts or omissions of the Contractor's agents, officers, employees or subcontractors. In the event of a Security Incident involving SUNY Data pursuant to the ISBNA, SUNY has an obligation to notify every individual whose private information has been or may have been compromised. In such an instance, the Contractor agrees that SUNY will determine the manner in which such notification will be provided to the individuals involved pursuant to the ISBNA and agrees to indemnify SUNY against any cost of providing any such legally required notice. Upon termination or expiration of this Agreement, the Contractor will follow SUNY's instructions relating to any SUNY Data remaining in the Contractor's possession. Upon authorization from SUNY, the Contractor will use data and document disposal practices that are reasonable and appropriate to prevent unauthorized access to or use of SUNY Data and will render the information so that it cannot be read or reconstructed."