IT Security Topic — Privacy & Identity Theft

Everyone faces the risk of having their identity stolen by those in Jack's shady underworld.  There are important things that you can do to protect your own personal Identity and there are critical tasks that anyone who works with university data must be aware.

Your Responsibility

CU-Boulder employees have access to, and are responsible for protecting, a wide variety of sensitive information. Unauthorized exposure of information such as student academic records, medical information, credit card information, and social security numbers can have a harmful affect on people's lives. Failure to take care of this information places people at risk of identity theft, misuse of personal funds, or unauthorized modification of information. We therefore all have a responsibility to educate ourselves on how best to protect the information we store electronically. CU-Boulder has specific requirements intended to ensure adequate protection of information we store from potential risks such as loss or modification. It is your responsibility to be aware of and understand these policies and procedures.

In an effort to better secure sensitive data at CU-Boulder, the IT Security Office has compiled this quick reference guide for private data.  This type of data should not be stored on workstations or mobile computing devices (laptops, PDAs, flash drives, etc) unless a strong business need exists and proper security precautions have been taken.

Private data and some common occurrences:

• Social security numbers
  • Grade books from prior to 2004 when SID was the student's SSN
  • Administrative documents like travel authorizations from prior to the use of employee ID
  • Documents requesting changes to benefits that might include the SSNs of family members
• Credit card numbers
  • Orders or receipts for purchases using credit cards
  • Documents regarding ACARDs or university travel cards
• Personally identifiable information that could be used for identity theft
  • Documents containing combinations of information like name, birth date, address, drivers license number, etc
• FERPA protected information
  • Records directly related to a student and maintained by the institution or by a party acting for the institution are considered education records. Click here for more information.
• Bank account information
  • Documents regarding employee direct deposit
• Medical records
  • Patient records
  • Prescriptions

Important practices to keep in mind when dealing with private data include:

• Never post private data on the web
• Never send private data via e-mail
• It is best to store sensitive information on servers rather than desktop computers. Those can either be servers maintained by your organizational unit or provided by ITS. Unfortunately, you can't always trust that your information is safe on a desktop or laptop computer.
• If you think you might have sensitive information on a desktop computer, contact ITS or your CSR to have them help you remove the data or move your information to a secure server.
• If for some reason you can't store your sensitive information on a server, ensure that the data is encrypted and backed up. If you are unsure how to do this, ITS can help you.
• Use your campus account and password to login to the network; never share your account or password with others.
• Whenever feasible, use complex passwords on any system storing sensitive information.
• Always enable your screen saver to lock your computer during inactivity and require it to be password protected.
• Always have current antivirus software installed and keep your security patches up to date.
• Always ensure sensitive information sent or received via email or at a web site is encrypted.
• Always destroy electronic media containing sensitive information prior to its decommission.
• Always securely remove all sensitive information from electronic media before re-using it.
• Make an inventory of the sensitive information your department uses or stores.
• Look into ways to de-identify data used in daily tasks such as keeping grades.
• Obtain departmental permission to remove sensitive information from the office.
• On mobile devices and workstations, limit the amount of information stored to the minimum necessary needed to do your job.

Identity Theft

Identity theft criminals are always looking for new ways to get your personal information. This can range from digging though your trash to sending malicious e-mail messages to deceive you.  There are important steps to take to make sure your personal information, such as credit card numbers, bank account information, Social Security Number, passwords, or other sensitive information, is not exposed.  Here are some recommendations from the FTC and others to help protect you against identity thieves.

• If you get an e-mail or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don't ask for this information via e-mail. If you are concerned about your account, contact the organization in the e-mail using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address. In any case, don't cut and paste the link in the message.
• Be cautious of browser add-ons that websites may push to allow access to content.
• Don't e-mail personal or financial information. E-mail is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's website, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a web site that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
• Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
• Use antivirus software and keep it up-to-date. Some phishing e-mails contain malicious software that can harm your computer or track your activities on the Internet without your knowledge. CU-Boulder has antivirus software available for current faculty, staff, and students.
• Use antispyware software to protect your computer.
• Use secure web browser configurations or security solutions to help protect you from malicious  websites.
• Information about improving Internet Explorer security
• Using “Noscript” will improve the security of the Firefox web browser
• Web of Trust  (WOT) will provide you feedback as to if a site should be trusted and is available for both Firefox (Windows, Mac, and Linux) and Internet Explorer .  A workaround is available for Safari users.
• Always keep your browser software up to date
• Be cautious about opening any attachment or downloading any files from e-mails you receive, regardless of who sent them.

Learn More

• Memorandum from G.P. "Bud" Peterson, Chancellor University of Colorado at Boulder: Essential Guidelines for Protecting Private Information (PDF)
• CU-Boulder Students: Your Educational Record and Privacy Rights (PDF)

Contact Information
Campus IT Security Office
(303) 735-HELP
security@colorado.edu