Policy Matters

Reducing Risks to Institutional Data

Posted By Deborah Bartlett, Washington State University, Monday, July 19, 2021

How Safe Is Your Data? And Who Do You Tell If It's Not?

Data security and data privacy issues aren't new to higher education. But the pandemic years ramped up remote access to all institutional systems and increased administrative awareness of the compliance risks that accompany our increased electronic operations. Not only are administrators increasingly concerned with addressing these risks, but state and federal legislation has increased the requirements for the management and protection of institutional data, as well as notification to members of the public (including students and other clients) regarding data breaches.

My institution, Washington State University, beefed up its policies and procedures on system data and information security in 2020. Along with revising two executive policies (EP8 on data policies and EP37 on information security), our administrative policy office published a new chapter on information security in our Business Policies and Procedures Manual (BPPM) with seven new information security sections. (See BPPM Chapter 87.) And at the end of 2020, we published an executive policy on the requirements and responsibilities related to the university's designation as a HIPAA hybrid entity. (See EP40.)

Our administration recently provided the rough drafts of two new BPPM policies to my administrative policy office for draft preparation and approval routing. One is a policy with related procedures regarding responses to information security incidents and breaches. The other concerns responses to breaches of protected health care information (PHI), which is planned for insertion into a new BPPM chapter on information privacy. The two policies will be linked through a new investigation process which is extensively outlined step-by-step and is to be used for both types of information privacy/security breaches. We hope to have these new policy/procedures sections approved and published by the fall, so you're welcome to revisit our BPPM for reference.

In conjunction with these new policies and procedures, our administration is updating the WSU system data and information security policies and procedures to address issues such as protection of WSU systems, services, devices, and data, including systems and data managed for the university by third parties and external cloud systems.

I'm sure that we're not the only institution that is working on these types of policies. Are you and your administration working on data security and data privacy policies? Have you addressed how your institution will respond to data breaches?

In trying to understand the reasoning behind our administration's request for these policy changes, I did some looking around to see what recently published news and resources might be available. Here's what I found – I hope this information is useful to you.



Comments on this post...

Brenda van Gelder, Virginia Tech says...
Posted Monday, July 19, 2021
Great post, Deb. And, yes, in our case, due to the recent attack on Kaseya, ransomware attacks are creating a need for increased vigilance and documentation of IT security practices in all governance documents, ranging from policies to standards to guidelines.