Home > Computing policies > L&S Recommendations for Protection of Computerized Personal Information

L&S Recommendations for Protection of Computerized Personal Information

• What we do
• Who we are
• Rates and contracts
• Advice and how-to
• Computing policies
  • Supported software
  • Security
• Contact us
• News

Senate Bill 1386 and Assembly Bill 700, effective July 1, 2003, added a new provision to the California Information Practices Act. This new provision requires any state agency (including the University of California) with computerized data containing "personal information" to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.

The Civil Code defines "personal information" to be an individual's first and last name in combination with any of the following elements:

• Social Security Number
• Driver's license number
• Financial account or credit card number, in combination with any password that would permit access to the individual's account
• Medical records

UCOP has issued an amendment to the Electronic Information Security policy which requires us to take inventory of our at-risk systems, and prepare a plan for dealing with potential breaches of security. The Berkeley implementation plan is available at <http://technology.berkeley.edu/policy/protected.data.html>.

It is likely that there are data sets on some L&S computers which contain personal information under the SB1386 definition. We believe that these data sets represent a significant potential liability; we must act now to reduce our vulnerability. If the security of one of your vulnerable machines is compromised, your department may be required to contact everyone whose information is stored in any data set on that machine.

I recommend the following:

• If you have data sets (such as databases, Excel spreadsheets, or flat files) which contain people's names, connected with Social Security numbers, driver's license numbers, or bank/credit card information, you should remove the personal information from those databases. Most departments do not have a business need to store this information.
• If you feel your department must store personal information, you should take measures to reduce your liability. You could:
  • Install a firewall and place the vulnerable machine(s) behind it.
  • Install personal firewall software on the machine itself.
  • Devise a management scheme for the machine to ensure it will stay up to date with security patches.
  • Ensure that the data set includes contact information for each person within it.
  • Avoid using the machine for tasks which might place it at greater risk, i.e., don't use it as a general-purpose workstation. In particular, don't use the machine to read email.
  • Redact the data set to remove the first and last name of the individual.

If your review determines that you have data sets which contain personal information, you must contact Tom Holub, Director of Computing, tom@LS.berkeley.edu, with the following information:

• Nature of the data set (e.g. "A database of declared undergraduates in our major").
• IP address of machine housing the data set.
• Reasons you need personal information in the data set.
• Measures taken to ensure the security of the data set.
• Whether the data set contains contact information for the people within it.

The campus is requiring us to produce an inventory of vulnerable systems; this information will allow us to prepare for and respond to incidents in the future. You can register your data set yourself with the online Restricted Data Management tool.

When considering the data sets you have on your computers, you will need to think creatively and expansively. SB1386 applies not only to formal databases, but to any data stored on your computer. Here are some examples of data sets which could be liable under this law:

• The graduate admissions data dump the Grad Division provides, or any database which imports that data.
• A report from BAIRS or HRMS that includes employees' Social Security numbers. (In this case, my advice would be to not download reports from BAIRS or HRMS which contain SSNs).
• An HR database in FileMaker that includes SSNs.
• Survey data for sociological research which includes SSN or driver's license numbers.
• Any data set which contains bank account information to allow direct deposit.
• Any data set which includes credit card numbers.

Please contact Tom Holub, L&S Director of Computing, if you have any questions.

---

Tom Holub (tom@LS.berkeley.edu)
Director of Computing
College of Letters & Science