About the Private University
This private university in the Southeast U.S. was unable to determine the amount, type, and location of personal data at its two main campuses and 12 satellite campuses. To protect its reputation and comply with many data security regulations, it needed a process to effectively manage and protect the personal data of students, employees, and faculty.
“After using the tool for eight years, we are no longer surprised by personal data. We know where and what. In addition to the visibility and protection, Spirion creates a high level of transparency between my team and the University’s Board of Trustees.”
— University’s Chief Security Officer
Because educational intuitions rank in the top five industries in terms of volume of data breaches, they must follow numerous, rigorous regulations for handling personal data. The Family Educational Rights and Privacy Act (FERPA) strictly defines personal information and establishes the process for managing and protecting this data.
Additionally, higher education institutions are accountable for compliance with the Gramm-Leach-Bliley Act (GLBA) when collecting, storing, using, and safeguarding sensitive financial records that contain the personal information of students and their guardians, including social security numbers, tuition payments, financial aid, and bank accounts.
Eight years ago, a private university in the Southeast U.S. suspected a breach of data stored on a specific machine. Because they did not have an established formal process or tools in place for data protection or incident response, the university was challenged to determine whether a breach had occurred. Fortunately, it did not, but university leadership keenly recognized the risk associated with a potential breach and decided to prioritize data protection and security. Out of an abundance of caution, the university went beyond federal and state regulations to provide the same level of protection for ALL student data.
When the Chief Security Officer (CSO) role was created at the university to address data privacy and security issues, the new officer quickly realized he needed to shift the focus of security. Instead of concentrating on defending the perimeter and working inward with the data as the last focus, he took the opposite approach.
Along with changing the internal mindset and processes around data, the CSO began an exhaustive search for a tool that provides a flexible and accurate approach to accurately discover, classify, and protect personal information according to compliance regulations and university policy. After evaluating multiple solutions, Spirion stood out because of the dynamic set of features the university needed— instead of focusing on firewalls— and the protections were close to the data and user.
Spirion’s initial discovery scans found 8.4 million personal data records, which opened the university’s eyes to the massive amount of unprotected personal data. By implementing Spirion’s remediation actions to protect, shred, redact, and quarantine, the university reduced that volume by 75 percent. Automating data protection saves the Office of Information Security significant time and helps the university comply with the myriad of regulations.
In addition to a large volume of data, the CSO found personal data in unexpected locations. When students apply for admission, financial aid reports are created. They contain massive amounts of personal data, including social security numbers. Spirion discovered these reports, along with the OST files, on employees’ desktops and in email accounts. It also revealed an extensive amount of data duplication, such as having the same report in three different employees’ accounts. Because each report contained the SSN and DOB attached to each record, the duplication dramatically increased the risk of a breach.
The university also processes many types of payments, such as tuition, fees, summer camps, nondegree seeking courses, and certificates. Previously, employees scanned all documents with credit card authorizations. During the discovery scan, the CSO found that these document files were saved on employees’ hard drives and often duplicated in multiple email accounts. “Spirion showed us some eye-opening PCI and FERPA gaps with personal information, because of the large amount of data and the level of sensitivity, especially social security numbers and credit card data,” he says.
After using Spirion for three months to classify and remediate personal data, the CSO was able to report to leadership that his department reduced the university’s sensitive data footprint down to a staggering two million records from 8.4 million. He now uses the tool to gain visibility into the amount of personal data and plan for compliance purposes. His team also creates and refines the process for managing data and educating employees on proper handling of personal data— saving his team a significant amount of time.
Before using Spirion, the CSO says it was virtually impossible to find their data. “Today, it’s a dramatically different story. I only have one dedicated employee besides myself in the Information Security Office. With the automation that Spirion provides, we don’t have to manage the data and troubleshoot manually. I can’t even begin to quantify the time savings because it is so great.”
The university will focus on classification as the next step in its data protection journey. By giving control to the user to classify data at the point of origin, the university can bring even greater protection to its sensitive data on a more granular level.