A higher education institution was unable to determine the amount, type, and location of personal data at its two main campuses and 12 satellite campuses. To protect the University’s reputation and comply with many data security regulations, they needed a process to effectively manage and protect the personal data of students, employees, and faculty.
After a data breach scare, the University began using Spirion to accurately and consistently discover, classify, and protect personal information according to compliance regulations and University policy.
The University identified over 8 million potential records containing personal data. By implementing Spirion’s remediation actions to protect, shred, redact, and quarantine, the University reduced that volume by 75%. Automating data protection saves the Office of Information Security significant time and helps the University comply with the growing number of regulations.
Industry Challenge: Protect student privacy and comply with regulations
Trust is central to a university’s relationship with students, families, employees, and donors. When a breach occurs, and the media reports the loss of millions of records, that university’s reputation experiences significant damage.
According to Identity Theft Resource Center, more than 2.2 million records were exposed in over 100 educationr elated breaches in 2019. These breaches cause the public to view those institutions differently—and many people may decide not to make donations to, attend, or work there due to their lack of trust.
Because “educational intuitions” rank in the top five industries in terms of the volume of data breaches , universities must follow numerous rigorous regulations for handling personal data. The Family Educational Rights and Privacy Act (FERPA) strictly defines personal information and establishes the process for managing and protecting this data.
Additionally, higher education institutions are accountable for compliance with the Gramm-Leach-Bliley Act (GLBA) when collecting, storing, using, and safeguarding sensitive financial records that contain the personal information of students and their guardians, including social security numbers, tuition payments, financial aid, and bank accounts.
No longer surprised by sensitive data
“After using the tool for eight years, we are no longer surprised by personal data. We know about the personal data—where and what. In addition to the visibility and protection, Spirion creates a high level of transparency between my team and the University’s Board of Trustees.”
-University Chief Security Officer
The Need: Create a data privacy program to identify and reduce PII
Eight years ago, the University suspected a breach of data stored on a specific machine.
Because they did not have a formal process or tools for either data protection or responding to incidents, the University was challenged to determine whether a breach had occurred. Fortunately, a breach had not occurred, but university leadership recognized the risk associated with a potential breach and decided to prioritize data protection and security.
Additionally, the University must comply with both FERPA and GLBA. The Florida locations of the University are also accountable to the Florida Information Protection Act (FIPA). While FERPA requires protection of basic personal information, the University goes beyond the requirement by providing the same level of protection for all data in the students’ records.
To protect the institution from incurring costly fines and reputation damage due to a breach, the leadership team approved additional funding for privacy and security and launched the Information Security Office.
When the newly created CSO role was filled to address data privacy and security issues, the University realized that it needed to shift the focus of security. Instead of concentrating on defending the perimeter and working inward with the data as the last focus, they realized they needed to take the opposite approach.
First step was to find all sensitive data
“We shifted our focus and began putting close controls on the data. The first step to protecting sensitive data was to find the location of our sensitive data. I was surprised by the amount of data I found—so much more than I expected—and quickly realized we needed a tool to help find and classify the data.”
-University Chief Security Officer
The Solution: Spirion provides comprehensive data protection.
In addition to changing the mindset and processes around data, the University began searching for a tool that would provide a flexible and accurate approach to finding, classifying, and protecting personal data. After evaluating several products, they realized that Spirion provided the dynamic set of features his university needed, instead of focusing on firewalls. Because the protections were close to the
data and user, they selected Spirion to protect its data.
The Results: Reducing sensitive data by 75% in 3 months
Spirion’s initial discovery scans found 8.4 million personal data records, which opened the University’s eyes to the massive amount of unprotected personal data. In addition to a large amount of data, they found personal data in unexpected locations.
When students are applying for admission, the University creates student financial aid need reports in Microsoft Excel. The reports contain massive amounts of personal data, including social security numbers. Spirion discovered these reports, along with the OST files, on employees’ desktops and in their email accounts. It also demonstrated the extensive amount of data duplication, such as having the same report in three different employees’ accounts. Because each report contained the SSN and DOB attached to each record, the duplication dramatically increased the risk of a breach.
No one thinks about privacy and security until something bad happens
“TThe University views privacy and security as an operations center. Nobody thinks about it until something bad happens, and then everyone takes notice. If you keep the institutions’ data protected and the reputation clean in terms of privacy and security, the University has a competitive advantage by exclusion.”
-University Chief Security Officer
The University processes many types of payments, such as tuition, fees, summer camps, nondegree seeking courses, and certificates. Previously, employees scanned all documents with credit card authorizations. During the discovery scan, they found that these document files were saved on employees’ hard drives and often duplicated in multiple email accounts.
“Spirion showed us some eye-opening PCI and FERPA gaps with personal information, both because of the large amount of data and the level of sensitivity, especially social security numbers and credit card data,” says the University’s CSO.
After using Spirion to classify and remediate the personal data, the CSO was able to report to university leadership that his department had reduced the University’s sensitive data footprint to 2 million records. They use the tool to gain visibility into the amount of personal data as well as to plan for compliance purposes. Their team also creates and refines the process for managing data
and educating employees on proper handling of personal data.
The security lead says that Spirion saves him and his team a significant amount of time. Before using Spirion, he says it was virtually impossible to find their data. “Today, it’s a dramatically different story. I only have one dedicated employee besides myself in the Information Security Office. With the automation that Spirion provides, we don’t have to manage the data and troubleshoot manually. I can’t even begin to quantify the time savings because it is so great.”
The University will focus on classification as the next step in its data protection journey. By giving control to the user to classify data at the point of origin, the University can begin protecting data on a more granular level.