Emerging technology allows for the storage and transportation of large amounts of information on all manner of devices. Examples of portable computing devices are BlackBerrys, laptops, tablet computers and personal digital assistants (PDAs). Examples of portable storage devices are CDs, DVDs and USB drives/flash drives/USB keys. All of these objects can be easily lost or stolen and, without protection, the information on them can be accessed by others. The information on these devices needs to be protected in order to avoid the loss of valuable university or personal information, and to minimize the risk of identity theft.
Consider this: 89% of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 47% report that it resulted in a data breach.[1]
Be aware of the implications of a stolen or lost device before loading personal information or sensitive university records. The following common types of information create the greatest risk:
- Financial information
- Personal banking information
- Customer credit card information
- Student information, grades, Social Insurance Numbers
- Employee information
- Personal health information
- Unpublished meeting minutes
- Unpublished research drafts
- Personal contact information including telephone numbers and email addresses
- Encryption keys and passwords
Review the Privacy Breach guidelines so that you are aware of what to do in case of the loss or theft of personal information.
Limit the amount of personal or sensitive information on portable devices
- USB drives are very easily lost; do not use them for transporting very sensitive information. Deleting a file from one of these devices does not necessarily mean the information is gone. Use an application like Drop Box to safely transfer files.
Tip
Transport only what information is needed to do your job and delete it as soon as you are finished with it.
Protect information on portable devices
- Consult your local IT unit to set up appropriate encryption for your BlackBerry or portable device. USB drives, PDAs and laptops can all be encrypted.
- Keep a copy of your encryption password in a separate, secure location.
- Choose strong passwords for all portable devices. Create a password that is at least 8 characters long, using a combination of letters, numbers and other symbols.
Tip
See University Information Technology (UIT) tips on choosing a secure password.
- Do not leave passwords in accessible locations (such as Post-it notes on your desk) or in easily accessible locations on your portable devices.
- Consider using a VPN (virtual private network) when using a wireless connection.
- Transfer files electronically with Drop Box instead of transporting them on drives or emailing them. Files are kept in Drop Box for 7 days and are then deleted.
- Keep portable devices with you as much as possible; don’t leave them unattended in your car.
- If you must leave a device in your car, keep it out of sight, either covered or in the trunk, and be sure to lock the vehicle.
- Use locks or alarms if you need to leave a portable device unattended. Use a security cable to attach your laptop to a fixed object such as a desk.
- Keep anti-virus software and firewalls up to date.
- Lock laptops, BlackBerrys and electronic devices in hotel safes if you must leave them unattended in a hotel room.
Report any loss or theft of portable devices as soon as you are aware of the loss or theft
- Report to University Information Technology (UIT), the Information and Privacy Office and Security Services as appropriate.
[1] The Human Factor in Laptop Encryption: Canada Study, Ponemon Institute, December 2008.
This document has been developed to assist in establishing good practices and procedures. Additional questions or requests for advice on records and information management or information and privacy issues should be referred to the Information and Privacy Coordinator: info.privacy@yorku.ca.