Everyone needs to be aware of their role in securing Shenandoah University's data and the risks surrounding the storage of institutional data in the cloud or on an external device. Only through knowledge and diligence can we hope to minimize the potential for exposing university data.
If releasing the data you put in the cloud would violate any of the considerations below, Institutional Computing recommends not storing the data in the cloud or on an external storage device or system. Storing university data outside of the recommendations below raises the risk of exposing university data and could potentially expose Shenandoah University to unwanted publicity or litigation.
Privacy and Security:
Before storing data off-premises, weigh the risks of data loss, data corruption, lack of availability, and disclosure of the data. Also, be conservative about storing critical information in the cloud. You should only use cloud storage for information that can be replaced with little or no consequence. If you need to share critical information, share the content individually and only with those requiring access. Data that is shared publicly, or with anyone who has the link, will almost certainly be exposed to the Internet.
Consider the following when deciding whether to put data in the cloud:
- The safety of personal, non-public information such as Social Security numbers or credit card information
- The value of the intellectual property of the data to you, your department and the university
- The critical nature of the information
- Grant requirements regarding security and intellectual property, human subject privacy regulations and confidential agreements
- Research requirements regarding human confidentiality, participation of foreign nationals, restrictions on publications or non-disclosure agreements
- Will the provider be able to deliver effective service consistently?
- Does the provider have effective management controls in place covering oversight of third parties, adequate insurance, disaster recovery, and business continuity plans?
- Cloud providers may locate their servers outside the United States. Because you do not know where your data may be stored, exercise caution if any of the information you store in the cloud is subject to international or export restrictions.
- What if the provider is bought by another company, possibly a foreign one? Could the sale affect data ownership, disaster recovery, privacy policies, or other matters that affect the University's data stored with the cloud service provider?
It can be appropriate to use cloud storage for non-critical, non-confidential, or non-sensitive information. However, Institutional Computing urges faculty, staff, and students to assess the relevance of federal privacy regulations, federal law, contractual obligations, and grant restrictions before moving university-related files and data to any cloud provider or external device.
Federal and State Regulations:
The university is regulated in many areas. You need to know the privacy rules and regulations surrounding the type of data you plan to store externally. Examples include but are not limited to:
- Family Educational Rights and Privacy Act (FERPA) - The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
- Health Insurance Portability and Accountability Act (HIPAA) - The Health Insurance Portability and Accountability Act of 1996 is United States legislation that provides data privacy and security provisions for safeguarding medical information.
- Sarbanes-Oxley Act (SOX) - The Sarbanes-Oxley Act of 2002 (SOX) is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The SOX Act mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.
- Payment Card Industry (PCI) - The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
- Gramm-Leach-Bliley Act (GLBA) - The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions handle the private information of individuals.
These regulations come with requirements on how data can be accessed and where it can be stored. For example, it is not appropriate to store data regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA) on cloud services.