Case Study

Reducing sensitive data by 75% at Barry University

Customer Challenge

Barry University, a private Florida-based Catholic institution founded in 1940, was unable to determine the amount, type, and location of personal data at its two main campuses and 12 satellite campuses. To protect the university’s reputation and comply with many data security regulations, Barry University needed a process to effectively manage and protect the personal data of students, employees, and faculty.

Spirion Solution

After a data breach scare, the university began using Spirion to accurately and consistently discover, classify, and protect personal information according to compliance regulations and university policy.

Spirion Results

Barry University identified over 8 million potential records containing personal data. By implementing Spirion’s remediation actions to protect, shred, redact, and quarantine, the university reduced that volume by 75%. Automating data protection saves the Office of Information Security significant time and helps the university comply with the growing number of regulations.

Industry Challenge: Protect student privacy and comply with regulations

Trust is central to a university’s relationship with students, families, employees, and donors. When a breach occurs and the media reports the loss of millions of records, that university’s reputation suffers significant damage. According to the Identity Theft Resource Center, more than 2.2 million records were exposed in over 100 education-related breaches in 2019. These breaches cause the public to view those institutions differently—and many people may decide not to make donations to, attend, or work there due to their lack of trust.

Because “educational institutions” rank in the top five industries in terms of the volume of data breaches, universities must follow numerous rigorous regulations for handling personal data. The Family Educational Rights and Privacy Act (FERPA) strictly defines personal information and establishes the process for managing and protecting this data.

Additionally, higher education institutions are accountable for compliance with the Gramm-Leach-Bliley Act (GLBA) when collecting, storing, using, and safeguarding sensitive financial records that contain the personal information of students and their guardians, including social security numbers, tuition payments, financial aid, and bank accounts.

No longer surprised by sensitive data

“After using the tool for eight years, we are no longer surprised by personal data. We know about the personal data—where and what. In addition to the visibility and protection, Spirion creates a high level of transparency between my team and Barry University’s Board of Trustees.”

-Hernan Londono, Chief Security Officer at Barry University

The Need: Create a data privacy program to identify and reduce PII

Eight years ago, Barry University suspected a breach of data stored on a specific machine.

Because they did not have a formal process or tools for either data protection or responding to incidents, the university was challenged to determine whether a breach had occurred. Fortunately, a breach had not occurred, but Barry University leadership recognized the risk associated with a potential breach and decided to prioritize data protection and security.

Additionally, the university must comply with both FERPA and GLBA. The Florida locations of Barry University are also accountable to the Florida Information Protection Act (FIPA). While FERPA requires protection of basic personal information, Barry University goes beyond the requirement by providing the same level of protection for all data in the students’ records.

To protect the institution from incurring costly fines and reputation damage due to a breach, Barry University leadership approved additional funding for privacy and security and launched the Information Security Office. When Hernan Londono moved into the newly created CSO role to address data privacy and security issues, he realized that he needed to shift the focus of security. Instead of concentrating on defending the perimeter and working inward with the data as the last focus, Londono realized he needed to take the opposite approach.

First step was to find all sensitive data

“We shifted our focus and began putting close controls on the data. The first step to protecting sensitive data was to find the location of our sensitive data. I was surprised by the amount of data I found—so much more than I expected—and quickly realized we needed a tool to help find and classify the data.”

-Hernan Londono, Chief Security Officer at Barry University

The Solution: Spirion provides comprehensive data protection

In addition to changing the mindset and processes around data, Londono began searching for a tool that would provide a flexible and accurate approach to finding, classifying, and protecting personal data. After evaluating several products, Londono concluded that Spirion, rather than focusing on firewalls, provided the dynamic set of features his university needed. Because its protections sat close to the data and the user, Barry University selected Spirion to protect its data.

The Results: Reducing sensitive data by 75% in 3 months

Spirion’s initial discovery scans found 8.4 million personal data records, which opened the university’s eyes to the massive amount of unprotected personal data. In addition to a large amount of data, Londono found personal data in unexpected locations.

When students are applying for admission, Barry University creates student financial aid need reports in Microsoft Excel. The reports contain massive amounts of personal data, including social security numbers. Spirion discovered these reports, along with the OST files, on employees’ desktops and in their email accounts.

No one thinks about privacy and security until something bad happens

“The university views privacy and security as an operations center. Nobody thinks about it until something bad happens, and then everyone takes notice. If you keep the institutions’ data protected and the reputation clean in terms of privacy and security, the university has a competitive advantage by exclusion.”

-Hernan Londono, Chief Security Officer at Barry University

The discovery scan also demonstrated the extensive amount of data duplication, such as having the same report in three different employees’ accounts. Because each report contained the SSN and DOB attached to each record, the duplication dramatically increased the risk of a breach. Barry University processes many types of payments, such as tuition, fees, summer camps, non-degree seeking courses, and certificates. Previously, employees scanned all documents with credit card authorizations. During the discovery scan, Londono found that these document files were saved on employees’ hard drives and often duplicated in multiple email accounts.

“Spirion showed us some eye-opening PCI and FERPA gaps with personal information, both because of the large amount of data and the level of sensitivity, especially social security numbers and credit card data,” says Londono.

After using Spirion to classify and remediate the personal data, Londono was able to report to university leadership that his department had reduced the university’s sensitive data footprint to 2 million records. Londono uses the tool to gain visibility into the amount of personal data as well as to plan for compliance purposes. His team also creates and refines the process for managing data and educating employees on proper handling of personal data.

Londono says that Spirion saves him and his team a significant amount of time. Before using Spirion, he says it was virtually impossible to find their data. “Today, it’s a dramatically different story. I only have one dedicated employee besides myself in the Information Security Office. With the automation that Spirion provides, we don’t have to manage the data and troubleshoot manually. I can’t even begin to quantify the time savings because it is so great.”

Barry University will focus on classification as the next step in its data protection journey. By giving control to the user to classify data at the point of origin, the university can begin protecting data on a more granular level.
