What are the best practices to protect confidential information?

Sensitive Data Best Practices

What is Sensitive Data?

Students, faculty, and staff interact with data on a daily basis. It is important to understand that not all data can be treated equally in terms of how we store, share, and dispose of it. LSU categorizes data in three ways:

  • Confidential Data is the most sensitive classification and LSU students, faculty and staff are required by law to protect it. Examples of confidential data include:
    • Social Security Numbers
    • Credit Card Numbers
    • Health Records
    • Financial Records
    • Student Records
  • Private Data is not considered confidential, but reasonable effort should be made so that it does not become readily available to the public. Examples of private data include:
    • Research Data
    • Personal Contact Data
    • Proprietary information
    • LSU ID (i.e. 89 number)
  • Public Data is suitable for public consumption and protection of the data is at the discretion of the owner. Examples of public data include:
    • Public budget data
    • Employee contact data
    • Departmental Websites

How can I protect Sensitive Data?

Encryption is the most effective way to protect your data from unauthorized access. Encryption transforms data into a form that can only be read by someone who holds the corresponding decryption key.

There are various tools available to encrypt data stored on your machine. Readily available options include BitLocker on Microsoft Windows and FileVault on Mac OS X. More information can be found in the following article: https://grok.lsu.edu/Article.aspx?articleid=6983.

If you are transmitting sensitive data, you must use an encrypted communication channel. For web-based transmission, always ensure that the website is protected by SSL/TLS (i.e. served over HTTPS). For FTP transmissions, make sure you are using a secured variety of the protocol (i.e. SFTP or FTPS). Another convenient option at LSU is FilestoGeaux, a web-based service that lets LSU users upload files they want to share to a secure LSU web server.

How should I dispose of sensitive data?

Eventually it may become necessary to dispose of data or of devices containing LSU data. When doing so, remember the following:

  • Disposing of media (disks, tapes, hard drives) that contain confidential information must be done in a manner that protects the confidentiality of the information. ITSP recommends DBAN.
  • Shred paper-based media containing confidential data when it is no longer needed. Do not discard confidential information in the trash.
  • Do not take confidential information off campus unless it is encrypted.
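The disposal guidance above concerns whole media, which is what DBAN wipes. The added example below (written for this page; it is not ITSP's code and not part of DBAN) shows the same idea applied to a single file: overwrite its contents and force the writes to the device before unlinking it, so the freed blocks do not still hold the confidential data. The sample file of fake SSN-style records is constructed inside the `demo` function. The caveat a practitioner needs is in the comments: per-file overwriting only helps where the filesystem writes blocks in place; SSD wear-levelling, copy-on-write filesystems, snapshots and backups can retain the old blocks, and a whole-device wipe or cryptographic erase of an encrypted volume is the stronger option there.

```python
import os
import secrets
import tempfile

# Added example (not ITSP's code and not part of DBAN): sanitise one file's
# contents before deleting it, so the freed blocks do not still hold the data.
# Caveat: this only helps where the filesystem overwrites blocks in place
# (e.g. ext4, NTFS). SSD wear-levelling, copy-on-write filesystems (APFS,
# btrfs, ZFS), snapshots and backups can keep the old blocks; for those cases
# prefer a whole-device wipe (DBAN for magnetic drives) or a cryptographic
# erase of an encrypted volume.

CHUNK = 64 * 1024  # write in 64 KiB pieces so large files are not read into memory


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file `passes` times: random data on each pass
    except the last, which writes zeros. Returns the file size in bytes."""
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for current in range(passes):
            last = current == passes - 1
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(bytes(n) if last else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass to the device before starting the next
    return size


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite the file, truncate it to zero length and unlink it.
    Returns the number of bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
    os.remove(path)
    return size


def demo(sample: bytes = b"123-45-6789,John Doe\n" * 500) -> dict:
    """Run the procedure on a constructed file of fake SSN-style records in a
    temporary directory and report what happened at each step."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "records.csv")
        with open(path, "wb") as f:
            f.write(sample)
        overwritten = overwrite_file(path, passes=2)
        with open(path, "rb") as f:
            zeroed = f.read() == bytes(len(sample))  # last pass leaves only zeros
        shredded = shred_file(path, passes=1)
        return {
            "bytes": overwritten,
            "zeroed_after_overwrite": zeroed,
            "bytes_shredded": shredded,
            "exists_after_shred": os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

Running the module shreds the constructed sample and reports the sizes; to apply it to a real file, call `shred_file(path)` directly. The zero-fill on the final pass makes it easy to verify that the overwrite actually reached the file, which is the check worth doing before trusting any sanitisation tool on a given filesystem.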

Additional Guidelines

Here are some additional things to consider when dealing with LSU data:

  • Do not transmit confidential data via wireless technology, email, or the Internet unless the connection is secure, or the information is encrypted.
  • Password protect all confidential data, and accounts with access to confidential data.
  • Do not share passwords, and do not write passwords down.
  • Do not store unencrypted confidential information on a PDA, a laptop or desktop computer's hard drive, a USB drive, a CD, a flash memory card, a floppy disk, or any other storage media.
  • Eliminate the use of forms that ask for confidential information whenever possible.
  • Do not store confidential information obtained from LSU systems on media or other systems unless required by the University or by law.
  • Always lock computers, offices, desks, and files that contain confidential information when unattended.
  • Do not publicly display confidential data, or leave confidential data unattended.
  • Do not share confidential documents or information with anyone unless required by government regulations, specific LSU job responsibilities, or business requirements. Be prepared to say "no" when asked to provide that type of information.
  • Do not communicate confidential information to others unless you know they are approved to handle confidential information.
  • Notify Information Technology Services (ITS) and the data steward if you suspect confidential information may have been compromised.

If you have any doubts or questions about confidential information, please reach out to ITSP at .  

Protection of confidential corporate information is essential to a company’s capacity to develop products, provide services, and gain economic advantages. Those who wrongfully acquire, misuse, or disclose confidential company information can cause significant damage by impairing or destroying the value of the information.

Overview of Trade Secrets and Confidential Information

Trade secrets and confidential information both are types of information that are kept secret and are valuable in part because they are not known by others. The key distinction between trade secrets and other sorts of confidential information is that trade secrets enjoy greater legal protections. Information only becomes a trade secret if it meets specific criteria established by either statutory law or common law.

The Uniform Trade Secrets Act ("UTSA") defines a trade secret as information, such as a formula, pattern, compilation, program, device, method, technique, or process, that is both:

  • Valuable because of secrecy: it is or potentially could be economically valuable, at least in part because it is not known by, or readily discernible to, others who could otherwise benefit economically from using or disclosing it.
  • Protected by efforts to maintain secrecy: it is protected by reasonable efforts to maintain its secrecy from others.

By way of example, trade secret protection has been recognized in various states for:

  • Marketing plans.
  • Commercial drawings.
  • Recipes (such as chocolate chip cookies and pizza dough).
  • Sales data.
  • Manufacturing processes.
  • Chemical formulae (such as insecticides and inks).
  • Detailed information about customers.

Best Practices for Protecting Confidential Information and Trade Secrets

Employers should take the following steps to protect confidential and trade secret information:

1. Limit disclosure to those who need to know. Keep the disclosure of confidential information and trade secrets limited to a discrete group of individuals who need the information to perform their jobs or for other legitimate business functions. Remind employees at meetings or events where confidential information will be disclosed that the information is confidential and that they have a duty to maintain confidentiality.

2. Use appropriate contractual protections. For example:

  • use confidentiality agreements and, for confidentiality agreements outside the employment relationship;
  • use confidentiality policies with employees that remind employees of their duties to preserve confidentiality;
  • ensure that confidentiality agreements and policies comply with the Defend Trade Secrets Act notice requirements; and
  • use non-compete agreements where permitted by state law.

3. Establish appropriate security measures. For example:

  • be consistent in marking documents or materials as confidential or trade secret, as needed, but do not mark materials that are not truly trade secrets or confidential, and do not fail to designate material the company wishes to protect;
  • keep sensitive information physically guarded, for example by maintaining single entry into the building, using security personnel, creating sign-in and sign-out procedures, installing security cameras, posting signs limiting general access to areas where sensitive information is stored, and using electronic access controls;
  • place strict limits and rules prohibiting employees from removing information from the employer’s premises;
  • develop procedures for employee use of company laptops offsite;
  • password-protect trade secret and confidential material that is stored electronically, and ensure that only authorized individuals with a need to know the information have access to these passwords;
  • set up sufficient firewalls, encryption, anti-hacker initiatives, anti-virus software, and other technical protections;
  • disable USB ports or other portable devices or drives on company computers;
  • maintain non-electronically stored items in locked cabinets or other secure areas;
  • place strict limits and rules on sharing confidential documents with clients, vendors, or other third parties; and
  • create rules for visitors, such as requiring that they sign acknowledgments prohibiting disclosure of information viewed or accessed during a visit, preventing them from bringing recording devices (such as cameras, cell phones, PDAs, and USB drives) into restricted areas, and requiring that they be accompanied by employees while in locations where sensitive information might become known.

4. Train employees. Train employees on the importance of confidentiality and define the universe of information that must be protected. As part of that training:

  • ask employees to sign documents acknowledging receipt and understanding of confidentiality policies and training; and
  • remind employees of their obligations with respect to taking confidential or trade secret information off of the premises and using company laptops remotely.

5. Implement appropriate departing employee procedures. Adopt a departing employee procedure aimed at minimizing risk of misappropriation. For example:

  • provide departing employees with copies of any confidentiality agreement they signed during their employment and the company’s policy on confidential information and trade secrets;
  • remind departing employees of their continuing obligations to keep information confidential and ask departing employees to sign an acknowledgement of their continuing obligations;
  • arrange exit interviews to determine where the employee will be working subsequently and if the employee may be engaging in competitive activity in the future;
  • shut off the employee’s access to computer files and other information technology systems immediately on termination;
  • review the departing employee’s computer activity, hard drives, email, voicemail, and other communication records for the period before the employee’s termination if there is a high risk of misappropriation;
  • ensure that the departing employee surrenders all company documents, files, and other material (including electronic documents) and signs an acknowledgement of having done so;
  • ensure that the departing employee returns all company access cards, PDAs, and other electronic devices; and
  • change electronic passwords as needed.

6. Ensure that confidential information does not appear in promotional or other public material. Exclude any confidential information and trade secrets from publications, marketing materials, websites, social media, advertisements, and interviews.

7. Adopt a plan for a prompt response to inadvertent disclosure of trade secrets. For example:

  • work with information technology professionals to develop a protocol to limit the spread of disclosed information;
  • update the protocol as the company’s technology changes;
  • ensure that new hires are trained on this protocol;
  • remind employees and third parties of the need to maintain confidentiality; and
  • adopt a protocol for contacting the individuals to whom inadvertent disclosure was made to alert them of the error, ask them to return or destroy the information, and ask them to sign acknowledgements that they have done so, if appropriate.

The steps and procedures outlined in this article are great starting points for employers to consider in the protection of their company's confidential information.

If you or your company have questions with respect to trade secret protection or otherwise protecting your company's confidential information, feel free to contact me.

What are 5 ways to maintain confidentiality?

5 important ways to maintain patient confidentiality:

  • Create thorough policies and confidentiality agreements.
  • Provide regular training.
  • Make sure all information is stored on secure systems.
  • No mobile phones.
  • Think about printing.

How can we protect confidentiality of our important information?

Guidelines for data confidentiality:

  • Encrypt sensitive files.
  • Manage data access.
  • Physically secure devices and paper documents.
  • Securely dispose of data, devices, and paper records.
  • Manage data acquisition.
  • Manage data utilization.
  • Manage devices.