ITS has been working with faculty and staff since early 2009 regarding the classification and handling of Longwood data.

Below is information that you should be aware of regarding the handling of Longwood's restricted data.

Table of Contents

What is Data Classification?

What is Restricted Data?

What is Data Handling?

What can I do now?

Why bother?

What is Data Classification?

Three categories (Public, Internal and Restricted) were developed to aid in the identification of the sensitivity¹ of the university's data; hence Data Classification.

Rings of Data Classification

  • Public Data is the least sensitive information and is acceptable for public consumption.
  • Internal Data is moderately sensitive information. All University data is considered Internal unless classified otherwise.
  • Restricted Data is highly sensitive information for which an unauthorized disclosure may result in identity theft or University liability for costs or damages under laws, government regulations or contract.


What is Restricted Data?

There are two reasons why data would be classified as restricted:

1. The data is Personally Identifiable Information, as defined by the Code of Virginia § 18.2-186.6.

Personally Identifiable Information (PII)

One of these elements:

  1. First name and Last name
  2. First Initial and Last name

Combined with one of these elements:

  1. Social Security Number
  2. Driver's License Number
  3. State Identification Card Number
  4. Financial Account or Credit or Debit Card Number (in combination with codes or passwords that would permit account access)

2. An unauthorized disclosure of the data could result in costs or damages to the University. These can include fines and legal costs, as well as costs or damages to safety and health, productivity, finances, and reputation.

Unauthorized disclosure of the data associated with the following regulations, laws, and standards would cost the university:

  • HIPAA
  • GLBA
  • PCI
  • Code of Virginia
  • etc. 


What is Data Handling?

Standards were developed to set minimum requirements for the protection of data that is stored, transmitted or disposed of; hence the Data Handling Standards.

These standards include recurring requirements, such as approval, encryption, and redaction.

[Images: "What is Encryption?" and "What is Redaction?", each showing a screen transforming text]
  • Encryption: the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key
  • Redaction: the alteration or truncation of data such that no more than the following are accessible as part of the personal information:
    • Five digits of a social security number; or
    • The last four digits of a driver's license number, state identification card number, or account number.


What can I do now?

  • If you do not handle restricted data, or you have no need to store restricted data on a device other than a Longwood server, you do not need to take any action.
  • If you do not know if you have restricted data, here are two tools you can run:
  • If you currently have restricted data on your computer or any device other than a Longwood server, you should move that data to a server or follow the steps below immediately:
    1. Complete the Authorization to Store Restricted Data (.docx).
      Note: the requestor's supervisor must acknowledge the request.
    2. Upon receipt of the completed form, a work order will be placed, on your behalf, to install University-approved Encryption technology and Eraser software on the computer in your office.
    3. Upon installation of University-approved Encryption technology and Eraser software:
      1. A folder, called crypt, will be created in which restricted data can be securely stored (encrypted).
      2. An Erase option will allow for the secure removal of data. Data "erased" with this software is totally and permanently removed from your computer.
  • If you still have questions, email the Information Security Office at infosec@longwood.edu.


Why bother?

Good question, because you don't have to if...

  • You can move the data to a network space (i.e. a department share drive or your personal network space (B drive)).
  • You can take another hassle-free route:
    1. Erase the File: Use the Eraser software, installed upon your work order request, to completely and totally remove the file from your non-network space.
    2. Redact the data from the file: Use the delete key to remove what you don't need.
      • For instance, if you only need the last 4 of a social, then delete the rest of it.

But, if you've decided to keep the data in its restricted form...

Here are some potential consequences of unauthorized disclosure of that data:

  • OUCH :: BUDGET
    A potential fine, levied by the Commonwealth, of up to $150,000 per breach.
  • OUCH :: REPUTATION
    A potential blow on state and local media (i.e. radio, television, etc.), as the University's trustworthiness comes into question.
  • OUCH :: CUSTOMER SATISFACTION
    A potential increase in phone calls, emails and general customer relations, as the University Community wonders, "Was my data breached?"

¹ Sensitivity is the degree of adverse effect a compromise of confidentiality, integrity or availability would have on Commonwealth of Virginia interests, the conduct of university programs or the privacy to which individuals are entitled.