TECH CORNER: Securing data privacy

By KAREN BEAUDWAY

From the moment a person submits an employment or admissions application until the day they leave the University, Pitt collects a wide array of data about the people in our community. This information is necessary to track academic progress, run payroll and benefits, apply financial aid, enable smart IDs, grant system access, and nearly every other facet of daily operations.

With this level of data access comes the responsibility for securing that information. Pitt Information Technology (Pitt IT) and the Office of Compliance, Investigations, and Ethics (CIE Office) work together to protect the confidentiality rights of all members of the University of Pittsburgh.

Controlling what, when and how data is collected

The CIE Office provides oversight and guidance related to regulatory compliance and ethical standards at the University, and investigates any concern reported by the campus community. Pitt Privacy Officer Laurel Gift is tasked with ensuring that the University’s collection, use and disclosure of personal information complies with federal regulations, including FERPA, HIPAA and more. She works closely with other units responsible for data privacy, governance and security, including Pitt IT’s Information Security team, the Office of University Counsel, and the Information Technology Advisory Committee and its Information Security and Data Governance subcommittees. 

Gift’s goal is to guarantee people’s privacy and ensure proper handling of their personal information. “My priority is to provide transparency, so there is no mystery,” she said. “People should know what we collect, how we use it, and when we can share it. It’s all about notice and consent.”

Gift responds to any concern that is reported through the Pitt Concern Connection or reported to the 24/7 IT Help Desk related to privacy or confidentiality. “I consider the circumstances under which information is collected, how consent was obtained, and how it can be shared. When someone inadvertently exposes data, I look at how it occurred, the risks the disclosure poses, and the appropriate response to protect the person’s privacy.”

Protecting the systems that store your data

While Gift focuses on administrative controls, Pitt IT’s Chief Information Security Officer Ollie Green is responsible for the technical side of data security. “Our main responsibility is to protect all assets and user identities by all means possible,” Green explained. “That includes access controls, network design and firewalls, identity verification, intrusion detection and network monitoring.” His group follows the technical requirements of all applicable regulations, as well as meeting the standards set forth by the National Institute of Standards and Technology.

Constant vigilance is necessary to detect any signs of malicious activity. Pitt employs machine-learning algorithms to collect and analyze data from various computer, system and network logs, which helps it recognize abnormal activity that may indicate malware. Once Pitt IT detects a potential breach, it can quickly build a timeline of events and work with the affected department’s security administrators to begin an investigation and resolve the problem.

Green emphasizes that the goal is not to track individual activities. “We have no desire to track everything you do. Instead, we’re monitoring University-owned machines, systems and networks on an aggregate level to identify the footprint of malicious activity that can compromise our data and assets.” He recommends that faculty and staff use only University-issued devices for their work, while using personal devices for personal activities.

Working together to stop and respond to unauthorized disclosure

Gift and Green work together to ensure that data remains secure and confidential. “Our responsibilities are different, but connected,” Green said. “The privacy of data and information depends on the security controls around it, both technical and administrative.”

Whenever a breach or unauthorized disclosure is reported, Gift and Green investigate and resolve the issue on a case-by-case basis. Recently, they developed a comprehensive Data Incident Response Plan. Released in October, the plan outlines detailed steps for responding to any data incident, including a formal debriefing to improve policies and practices moving forward.

Green and Gift also prioritize user education and training, because human error is the leading cause of unauthorized data disclosure. The most common issue Gift deals with is people accidentally sharing data with the wrong person. They may type the wrong email address or Outlook auto-completes the wrong user without the person noticing. A person may accidentally use Reply All or send a raw file with more data than they intended. “Working fast can be the enemy of data privacy,” Gift said.

Technical breaches are usually the result of user error, as well. Most hackers rely on users accidentally clicking on a bad link or downloading an infected attachment to gain entry. “While we certainly have controls in place to prevent someone from intentionally compromising data, the most significant risk by far is falling victim to a phishing scheme,” Green said. He emphasized the importance of not sharing your passwords or letting anyone else in your household use your work device.

Both Green and Gift agree that education, awareness and training are key. Pitt IT and the CIE Office provide online training, live departmental presentations, and individual consultations to help people work smart and safe. The CIE Office website at compliance.pitt.edu and the Pitt IT Security site at technology.pitt.edu/security contain a wealth of helpful information.

See something, say something

Green and Gift emphasize the importance of seeking help if you think your device has been compromised or you inadvertently shared data. “People can be embarrassed about making a mistake or fear they’ll be disciplined for doing so. But our goal is not to blame. It’s to remedy the situation,” Gift said.

Green concurred: “Hackers have become extremely sophisticated, and anyone can become a victim. Notifying the Help Desk immediately limits the damage that can result to both you, individually, and the University.”

If you have a concern about data security, privacy, or handling, please report it through the Pitt Concern Connection. Technical questions about securing your device can be directed to the 24/7 IT Help Desk.

Karen Beaudway is a content specialist for Pitt IT.