Few days seem to go by in today’s connected world without another report of a massive data breach jeopardizing the privacy of thousands of people. Target, Neiman Marcus, eBay and AT&T have all been hit by breaches during the past year. Across the state from Drexel, the University of Pittsburgh Medical Center experienced a breach that put the personal information of as many as 27,000 employees at risk.
On Drexel computers, thousands upon thousands of records could be attractive to cyberattackers: personal data for students, patients, faculty and professional staff, plus proprietary knowledge and research data that faculty wouldn’t want to fall into the wrong hands. A data breach could cost Drexel a huge sum of money, because of penalties from federal and state laws and the costly and time-consuming cleanup process that would follow.
These threats help explain why a new data security initiative is underway at Drexel, aiming to put the clamps on the piles of personal and private data stored on Drexel hard drives and protect the University and everyone associated with it from the consequences of a breach.
Data breaches such as the ones that have made headlines lately can often involve hundreds of thousands, maybe even millions, of personal records, said Ken Blackney, associate vice president for core technology infrastructure in the Office of Information Resources and Technology (IRT).
“My joke is always that computers help us make mistakes faster than we can on our own,” Blackney said. But Drexel is taking steps to ensure that doesn’t happen in the area of data security.
In total, the security initiative will have four steps. The first is already complete: the installation of anti-virus and security software on Drexel computers. The second is happening throughout 2014: Information technology professionals from IRT and colleges and schools at Drexel will be installing an encryption tool on those computers. The final two steps, concerning portable devices and email, have begun this month.
The software, called Sophos SafeGuard Enterprise, will automatically encrypt the computer’s data so that it cannot be accessed by potential cyber-thieves, even in the event that the computer itself is stolen.
It means that faculty and professional staff won’t need to worry about encrypting files themselves, and they — along with any students or patients whose data they may handle — will be protected from data theft.
“Making this automatic means that we protect all those people,” Blackney said. “And we protect the University from having to deal with the cost involved in responding to a breach.”
The automatic software also protects the University in the case of a lost or stolen computer, in a way that it wouldn’t be if a faculty or staff member had encrypted his or her own data. Drexel can prove to government bodies, beyond a doubt, that its personal data is not at risk. With HIPAA, FERPA and other laws governing personal data security, that is crucial, Blackney said.
“It’s bad enough to lose a $2,000 computer,” Blackney said. “It’s much, much worse to lose 2,000 records.”
To encrypt Drexel’s computers this summer, IT staff will be making the rounds to different University offices and running a hard drive integrity check — which can be done overnight — and then installing the software, which will take about 15 to 30 minutes. Offices and departments will also have the option of subscribing to a cloud-based backup service, ensuring they can get any important files back if hard drives are stolen or break down, for the price of around $7 a month per person.
This month, as part of the data security effort, any smartphones and tablets connected to Drexel mail servers have been secured and encrypted. Also, an email data loss protection system, in use since October 2013, will be upgraded to provide additional protection. That system will scan any emails being sent from Drexel to the outside world to ensure that pieces of information such as Social Security numbers and credit card numbers are detected. In the event that such data is found, the system will ask users if they were intending to release that information, so it isn’t leaked inadvertently.
The new email encryption system won’t present any privacy concerns, said Ed Longazel, vice president and chief compliance and privacy officer for Drexel. In fact, it will only protect privacy.
“Nobody’s reading anything,” said Longazel. “The machine is looking at an attachment and saying there are 2,000 Social Security numbers here.”
The security initiative will affect all corners of Drexel, including the Academy of Natural Sciences of Drexel University, Drexel Online and the Sacramento campus.
The data security initiative will go a long way toward protecting records at Drexel, Longazel said, but faculty and professional staff should still exercise care when handling personal data. For instance, anytime a staff member sends an email attachment that contains personal data — or even something copied from a document that also contained personal data — he or she should inspect it closely to make sure it contains only what it needs to. Sometimes spreadsheet columns can be hidden from view but still included in a document sent as an attachment, Longazel noted.
“We shouldn’t be sending around files to each other that have more information than is needed to complete a project,” said Longazel, whose position was created along with Drexel’s new Compliance and Privacy Office in April.
Drexel owes it to the people whose records it stores to keep their data safe, he said, but many other consequences can also come from a data breach. The federal law HIPAA, for example, requires Drexel to notify local media outlets if there is a breach of medical records for 500 or more people from one state. Escalating fines are also possible, up to more than $1 million.
And any breach would likely require thousands of dollars’ worth of employee time to clean up the mess, including paying for identity theft protection for the people involved. According to a study by the Ponemon Institute, the average cost of a data breach in the United States is $201 per individual record — making it easily worth it for Drexel, and its faculty and staff, to take a bit of extra care.