
SPOTLIGHT: Laptop Security and Encryption
Project Sponsor: Dr. Sam Levy
Project Managers: Chris Gregg
Background
We need to improve the security of our UST laptops and the data they hold against loss or theft. In the past twelve months we have lost or had stolen eight university-owned laptops. In each case we have been able to determine that the lost computers did not contain any unsecured confidential data. We have been lucky, so far.
At the same time, regulations and legal risks for data loss have gone up dramatically. Minnesota became the first state to turn Visa’s Payment Card Industry security standard into a law that allows people to sue a company for losing their payment card information. Minnesota also has a law on the books that requires institutions to disclose when they have lost data that include a person’s name and Social Security Number. And as a university, UST is subject to the requirements of protecting non-directory information as defined by FERPA.
To protect against these risks it is critical that UST implement steps to reduce our risk of data loss or theft from laptops. This can include both technical and non-technical solutions, but ultimately the last line of defense will have to be some type of technical encryption tool that makes a lost hard drive unreadable to a person not authorized to view the data.
At the present rate it is only a matter of time before a UST laptop containing sensitive data is lost or stolen. Such a loss would be costly and embarrassing for the university. In the case of FERPA data, such a loss puts our federal financial aid at risk. In the case of credit card information, we could face fines of up to $500,000 from one of the payment card companies. Now with new Minnesota legislation, we could also be exposed to lawsuits from people affected (or even perceived to be affected) by the data loss.
What are the planned steps of the project?
The solution to this problem will be a three-part one:
1. Update existing policies and procedures to prohibit high-risk storage of sensitive data.
2. Educate the community of laptop users about safe computing, the new policies on storing confidential/sensitive data, and using the form of encryption implemented in #3.
3. Evaluate, purchase, pilot, and implement technology to secure UST laptops against data loss should they be lost or stolen. This almost certainly will include a hard drive encryption solution, but may include other items to secure USB drives and recover or wipe lost laptops.
What is the project timeline?
| Date | Milestone/Event |
| --- | --- |
| March 15, 2008 | Evaluate encryption solutions |
| May 31, 2008 | Pilot encryption product |
| May 31, 2008 | Update policies and procedures |
| June 30, 2008 | Support staff trained on encryption/protection solution |
| September 1, 2008 | Production implementation for encryption/protection solution |
If you would like more information about the Laptop Security and Encryption project at UST, contact Chris Gregg at (651) 962-6265 or by email at csgregg@stthomas.edu