Protecting Sensitive Data

Keeping sensitive data safe from inappropriate access and disclosure is of the utmost importance. Virginia Tech has many policies, procedures, and standards in place to protect sensitive data. It is the responsibility of everyone handling sensitive data from Virginia Tech to be familiar with these policies, procedures, and standards. It is important to find out what sensitive data you are handling and what steps are needed to protect it.

Where to start?

There are 6 specific data elements that Virginia Tech has protected with the “Standard for High Risk Digital Data Protection.” The data elements covered under this standard include:

  1. Social Security number
  2. Credit card number
  3. Debit card number
  4. Bank account number
  5. Driver’s license number
  6. Passport number

Why might I have this data?

Virginia Tech does not typically use Social Security numbers (SSNs) in its daily operations. It is important to recall that Virginia Tech formerly used SSNs as identification numbers. What files might you have that would contain the “old ID numbers?”

  • Personnel files?
  • Student work or student grade files?
  • Accounts receivable files?
  • Have you ever stored credit (or debit) card numbers? Did you make travel arrangements for yourself or others that may have included such information? Have you made purchases where storing such a number may have occurred?
  • Arranging travel may also have led to recording and storing passport numbers; check likely places.
  • Are any of these files defined as originals that must be kept for a defined period of time? Has that period of time expired? If so, remove them. If not, where can these data be kept more securely?

Tips for types of files

Technology has allowed people to become digital packrats. It is not uncommon for people at Virginia Tech to have files that date back years. It can be challenging to locate sensitive information among the large array of files and file types.

  • Spreadsheets may have “hidden” columns, rows, or cells that may contain covered data but not be visible on first opening the file.
  • Be sure to review potential locations for covered data in e-mail files, including archived files that you may have kept on your device.

Scanning files

Scanning for SSNs and credit/debit card numbers with one of the tools designed for this purpose is a good way of finding portions of covered data. Some notes may be helpful:

  • All scanning tools will generate “false positives” — that is, strings of numbers that match possible SSNs or credit card numbers, but are something else entirely. False positives may be:
    • Numbers you can see in the document that are clearly something else (a serial number, for example);
    • Numbers you cannot see and are part of the embedded computing instructions within the document.
  • Remember to use common sense about removing SSNs and credit/debit card numbers.
  • No scanning tool covers all information that may be sensitive - typically, they cover SSNs and credit/debit card numbers.
  • No scanning tool covers all types of files. Scanning e-mail files is unusual; other tools may not scan PDF documents or even PowerPoint files.
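The following is an added example, not part of the original page and not how Identity Finder or any other specific tool works. It sketches how a scanner can find candidate SSNs and card numbers in text and use structural checks (never-issued SSN ranges, the Luhn checksum for cards) to flag some false positives. The patterns, function names, and sample text are constructed for illustration.

```python
import re

# First-pass patterns, deliberately broad: any 9-digit or 13-19 digit run
# with optional space/hyphen separators is a candidate.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def ssn_is_plausible(area, group, serial):
    """Reject values never issued: area 000, 666, 900-999; group 00; serial 0000."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn checksum, which valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(text):
    """Return (kind, matched_text, verdict) for every candidate found."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        verdict = "likely" if luhn_ok(digits) else "false positive (fails Luhn)"
        findings.append(("card", m.group(), verdict))
    for m in SSN_RE.finditer(text):
        ok = ssn_is_plausible(*m.groups())
        verdict = "possible" if ok else "false positive (unissued range)"
        findings.append(("ssn", m.group(), verdict))
    return findings

# Constructed sample text; none of these values come from real records.
SAMPLE = (
    "Old ID: 123-45-6789\n"
    "Part serial 000-12-3456\n"
    "Test card 4111 1111 1111 1111\n"
    "Order ref 1234 5678 9012 3456\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

These checks reduce false positives but do not eliminate them: a serial number that happens to fall in an issued SSN range still comes back as "possible" and needs human review.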

To help discover sensitive data, Virginia Tech has purchased a site license for Identity Finder. Identity Finder is commercial software that can help discover and mitigate sensitive data. Identity Finder is available to Faculty and Staff at Virginia Tech.

Handling Data Exposure