Data leaks as a result of sensitive data that is e-mailed to users’ home computers, downloaded to flash drives, copied to unencrypted laptops, stored in shadow databases on local computers or improperly destroyed or disposed when no longer needed. To protect the universities’ sensitive data, we must plan a data-centric approach to our security programs to protect against data leaks. We can never prevent all sensitive data leaks, but steps can be taken to minimize such leaks. This presentation discusses some of the steps taken at East Carolina University to minimize sensitive data leakage, our continual efforts in this battle and explores future options to address this issue.

1. Battle Against Sensitive
Data Leakage
Margaret Umphrey
Director IT Security – East Carolina University
streeterm@ecu.edu
(252) 328-9187
Paula Hutcherson
User Account Manager – East Carolina University
hutchersonp@ecu.edu
(252) 328-9186

2. Sensitive Data Leaks
o What are Sensitive Data Leaks?
o Why Should Data Leaks Concern Us?
o How Can We Slow Data Leaks?
o Discussion of Strategies You Use

3. Sensitive Data Leaks
Data leakage: Unauthorized transmission of
data (information) to an external source.1
o Electronic
o Physical (paper)
o Human
1© SANS Institute 2007

4. Sensitive Data Leaks
Sensitive data leaks loom over us like storm
clouds; coming from every direction

5. Why are Universities More
Susceptible?
Decentralized IT
staff with own
IT policies and
practices
Huge amount of
data handled
Students
accessing with
limited training
and supervision

6. Why are Universities More
Susceptible?
Open nature of the
university physical
and technical
environment
Early adoption of
mobile devices,
social networking,
cloud computing,
etc.
Numerous
databases
maintained outside
of the centrally
managed databases

7. Why are Universities More
Susceptible?
Business partners
or research
sponsors failure to
protect data
Non-enforced
data-security
practices
Budget constraints

8. Why Should we be Concerned?
oUniversity of Hawaii at Manoa suffered a major data
breach that exposed the confidential records of more than
40,000 former students. A faculty member accidentally
uploaded the files that contained personal student records
to an unencrypted Web server2
oEight cabinets full of tax records were stolen from a
residence. The records belonged to a deceased tax
preparer2
2PHIPrivacy.net

9. Why Should we be Concerned?
oA flash drive containing over 280,000 patient names,
addresses, and personal health information was lost or
stolen by Keystone Mercy Health Plan and AmeriHealth
Mercy Health Plan in Philadelphia, Pennsylvania2
oA portable point of care device was stolen from an
employee of HomeCall Inc. Rockville, Maryland. Client
names, addresses, Social Security Numbers, medical
record numbers, diagnoses and treatment information were
on the unencrypted device2
2PHIPrivacy.net

10. Why Should we be Concerned?
oThe full names, driver's license numbers and Social Security
Numbers of 2,484 full and part-time employees of Arkansas
State University were accidentally emailed to university emails2
oRite Aid paid one million dollars to settle HIPAA privacy
violations; Rite Aid also agreed to update corporate policies and
procedures so that patient medical information would be properly
disposed, employees would be properly trained in disposal of
patient information, and employees would be held
accountable if they did not dispose of patient information
properly2
2PHIPrivacy.net

11. Data Breach Costs

12. Regulatory FERPA
NC
Identity
Theft
GLBA
PCI
Red
Flag
HIPAA
Compliance
Requirements

13. How Can We Slow the Leaks?
oIdentify Location of all Confidential Data
Conduct External DLP Assessment
Purchase and Implement DLP Solution
Conduct Internal Sensitive Data Scans
 Integrate Data Security into Data Ownership
 Integrate Security Awareness and Training into Culture
oEliminate Duplicate Data
Don’t Download from Centralized Systems
Remove Copies of Confidential Data
De-identify Personally Identifiable Data
Don’t Create Shadow Systems

14. How Can We Slow the Leaks?
oProtect Confidential Data
Implement Appropriate Security Controls
Encrypt Data at Rest
•Database, Server, Desktop, Laptop, Mobile Device
Encrypt Data in Motion
•Email, File Transfer, Remote Access, Data Entry
Securely Dispose of Data
•Paper, Hard Drives, Video, FAX, Printers, Medical Devices, etc.
oImplement Polices, Standards and Procedures
Data Ownership and Classification
Data Security Standards
Required Security Awareness and Training
Integrate Security into Design Phase
Incorporate Security into Governance

15. Challenges
oImplementing Encryption Standard
oImplementing DLP Solutions
oImplementing Required Training
oLimited Resources
oIT Security Incorporated into Governance

16. Challenges
oIntegrating Data Security into Data Ownership
oCentralizing IT Operations and Standards
oIntegrating Security into Research Protocols
oIntegrating Security into Purchase of Medical Devices
oEnforcing Non-compliance Sanctions

17. Where Do We Go From Here?
oHow Does Your University Manage Sensitive Data Leaks?
oShare Your Success
oWhat have You Found as the Top Challenges?
oWhat Recommendations can You Provide?

18. Battle Against Sensitive
Data Leakage
Margaret Umphrey
Director IT Security – East Carolina University
streeterm@ecu.edu
(252) 328-9187
Paula Hutcherson
User Account Manager – East Carolina University
hutchersonp@ecu.edu
(252) 328-9186

19. References
o A Comprehensive Study of Retail Data Security Breaches in the
United States - Kevin Prince - Perimeter eSecurity
o http://www.privacyrights.org/data-breach/new
o http://www.nymity.com/Free_Privacy_Resources
o http://www.sans.org/critical-security-controls/
o http://www.darkreading.com/insiderthreat/index.jhtml
o http://www.educause.edu/CybersecurityInitiative/Resources/1225