Make sure all personal data is secure, new directive tells campus

Four campus leaders have signed a new directive asking everyone who works or teaches at UC Davis to improve, or at least double-check, their efforts to prevent identity theft. The message includes a warning: Individuals are held responsible for security breaches involving personal information when the breach could have been prevented.

The directive, addressed to all members of the Academic Senate, Academic Federation and staff, sets out five measures:

--Understand your responsibilities.

--Identify all electronic identity records.

--Run a personal identity locator software tool. (Two--Cornell Spider and PowerGrep--are available to technical support staff on the campus software site.)

--Remove or secure the data.

--Encrypt electronic devices.

Laws and university policies require the protection of personal identity information, says the directive signed by Virginia Hinshaw, provost and executive vice chancellor; Linda Bisson, chair of the Academic Senate; Stan Nosek, vice chancellor of the Office of Administration; and Pete Siegel, vice provost of Information and Educational Technology. It was issued on Tuesday.

Such information typically includes Social Security numbers, California driver ID numbers, or financial account data. It might be stored electronically or on paper. It might be contained in forgotten computer storage files created by someone who has since retired, or in reference letters, student rosters, or databases of job applicants--any number of places.

Regardless, members of the campus community are obliged to protect personal identity information from theft.

Following the five measures will reduce the number of computer security breaches involving personal identity information, the directive says, "and you will help protect yourself and o ther members of the UC Davis community from the costly, time-consuming and embarrassing consequences of identity theft."

"We also want to ensure you are aware that ... individuals are held responsible for preventable security breaches involving personal information, up to and including dismissal."

The responsible unit would also have to pay for any notifications and repairs caused by the lapse.

For more on the subject, see the Security Web site. More information on protecting personally identifiable information is available here.