By PC Shea, University Privacy Officer
The weakest link in maintaining the privacy and security of confidential information is usually the human one. We implement an array of protocols and tools to help us keep confidential information secure, and we train on their importance to the overall privacy and security compliance effort—and yet we still make mistakes. That’s what people do. And it only takes a second.
Incidents involving inappropriate uses or disclosures of confidential information have consequences not only to the University (through such things as fines, penalties, and reputational damage), but more importantly to the people whose personal information was used or disclosed wrongly – albeit unintentionally. These people are impacted by having their sensitive financial, health, or educational information revealed to their colleagues and friends as well as to strangers, some of whom gather such information for fraudulent and self-serving purposes. The repercussions of such inadvertent and unintentional disclosures can last a lifetime. Simply put, people (our colleagues, friends, patients, students) can be harmed when these incidents occur.
In 2023, the University experienced incidents where confidential information was used or disclosed inappropriately, two of which had to be reported to regulators and to the people whose information was disclosed. The University’s Data Security Incident Response Plan provided the blueprint for investigating and responding to the incidents. The plan assigns responsibilities to various University personnel and departments for the investigation and specifies the actions to take in response. In all reported cases, human error was the root cause: breakdowns in protocols, innocent mistakes, missed red flags. While the reasons giving rise to the incidents provide great teachable moments, at the end of the day, we simply need to slow down and think about things that seem a little off. That means asking questions and double-checking ourselves, especially when the information we are using or disclosing is personally identifiable information (PII).
We must be knowledgeable about the University’s policies and procedures that specify data classifications, the appropriate and permitted uses or disclosures for each data classification, and the repercussions of failing to follow the policies—both to the University and to us. If you have not recently reviewed the University’s policies on data classification and the corresponding privacy and security requirements, starting off 2024 with a refresher is a good idea. You can review the policies at https://sites.udel.edu/generalcounsel/responsible-office/information-technologies/.
We must also take advantage of training that the University makes available so we can better understand the changing threats to confidential information and the safeguards available (or, in some cases, required) to mitigate them. We must always be aware. If you have been assigned security training, you should complete it. Even if you have not been assigned training, you can access security training through the following steps:
- Navigate to https://www.udel.edu/connectingu
- Enter your UD SSO credentials.
- Select Certificate Programs.
- Click 2023 Secure UD Training.
When we share links to information over email or post them to public forums, we must verify, verify, and verify again that the links are correct and that the content is appropriate to be included in the first place. If you have any hesitation, err on the side of caution and don’t include the links until you are sure it’s okay. Chances are you can’t “unsend” it before someone sees it.
When mistakes happen, the University’s Information Security Event Reporting Policy requires that they be reported so we can determine what happened, why it happened, and what corrective actions may be required. The policy is available at https://sites.udel.edu/generalcounsel/policies/information-security-event-reporting/.
Failing to report exposes both the University and you to potential sanctions. However, if we just take a second to consider and question what we are doing with confidential information before we hit the “send” button, perhaps we can avoid these mistakes altogether.