Guidelines For Preventing Accidental Data Exposure

Many individuals at Appalachian State University have job duties that require regular access to and use of confidential data.  Unfortunately, in the course of using this information, it only takes one minor accident like an unintended email attachment, lost device, or misplaced printout to cause a major issue for the Appalachian community.

To help lower the risks of accidental data loss, the ITS Office of Information Security has provided the following guidelines and recommendations, as well as a complete list of Data Elements and their classification levels:

Understanding What Constitutes Confidential Data

Generally speaking, the term Confidential Data relates to any University Information whose unintended disclosure, modification, or loss could result in significant financial, legal, or reputational impacts to the University.

As a rule-of-thumb, the following types of data are regularly confidential in nature:

  • Social Security Numbers (SSNs)
  • Employer Tax Identification Numbers
  • Driver's License Numbers
  • Passport Numbers
  • State Identification Card Numbers
  • Checking or Savings Account Numbers
  • Credit or Debit Card Numbers
  • Personal Identification (PIN) Code
  • Electronic Identification Numbers
  • Passwords
  • Biometric Data
  • Digital Signatures
  • Privately-Owned Trade Secrets
  • Critical University Application Files (e.g. Financial System Applications Files)
  • Private Contributor Records
  • Pre-Patent Research Data
  • Human Subject Research Data
  • Medical Records (PHI)
  • Disability Records
  • Data Protected by Non-Disclosure Agreements
  • Criminal Investigation Records

If you believe you have files that contain the types of information listed above, the ITS-OIS recommends that you consider the four computing habits listed below.

Four Computing Habits That K.E.E.P. ASU Data Secure

The accidental exposure of confidential data occurs while the information is being used. Therefore, by actively observing a few habits, each of us can do our part to help protect the University from unintended data leaks.

KNOW Your Files

When you are dealing with a file it is important to know if it contains confidential data (see above).  Some tips to help with this include:

  • Allow yourself time to open, view, and confirm the content of files before you copy or transmit them. Accidents occur most often when we are rushed.

EVALUATE Your Retention Needs

When you've finished using/reviewing a file that contains confidential data, it is important to consider if the file needs to be retained.  Some tips to help with this:

  • Is there a business need served by retaining the file?
  • Are there contractual or legal requirements for retaining the information?
  • Can the data easily be obtained from an authoritative source (i.e. database records) if it is needed again?

ERASE Confidential Data That Is No Longer Needed

If you have files that contain confidential data and do not have to be retained, then it is best to delete them.  When it comes to confidential data on ASU devices, always remember that less is more!

  • When removing files, remember to delete the files AND empty your trash.

PROTECT Confidential Data That Must Be Preserved

If sensitive data is to be retained, then it should be protected.  Some simple steps that you can take to help improve the security of confidential data include:

  • Move Confidential Data to Your Personal Drive (P: Drive on Windows, Ustore on Mac). Moving confidential data to your P drive has many benefits, including ensuring that data is not stored on mobile devices which can easily be lost/stolen, speeding up restore operations, and maintaining secure remote access to this data if needed.
  • Do Not Email Confidential Data. Standard email messages are not sufficiently secure for exchanging confidential data with internal or external recipients. In addition, it is far too easy to make mistakes attaching files.
  • Do Not Store Confidential Data On Removable Media.  Standard thumb-drives, hard-drives, and other portable storage are not secure and are very easy to lose.
  • Lock Your Screen & Clear Your Desk - If you step away from a computer that contains confidential information, then you should lock your computer screen.  If you are leaving your computer for more than a few minutes, then (if feasible) you should also lock your office.  Also, make sure that any printouts that may contain confidential information are not left in open sight of individuals who are not authorized to view this material.

Developing and observing these four habits goes a long way toward preventing accidental data exposure.

Data Protection Toolkit

Tools that help users to identify and encrypt confidential data provide the best level of data protection.  Information Technology Services is exploring solutions and funding to develop a data protection toolkit to help campus units more easily identify, review, securely remove, or encrypt confidential data.  More information will be provided soon!

Have a question?  Please feel free to contact us at 828-262-6266 or