Regulated Data

Background

Social Security Numbers, drivers' license information, usernames/passwords, banking access information, health and biometric data are increasingly at risk for identity theft and universities have become attractive targets. Nebraska state law - L.B. 876 - details how data breaches must be disclosed.

In addition, the Family Educational Rights and Privacy Act (FERPA) protects non-directory student data. As part of the process to limit and identify information that must be protected, users with a specifically required business need to access and store such data must apply for authorization via the UNO Regulated Data Security Policy.

Universitywide Policies

Two main Nebraska University Executive Memorandums cover provisions for the security of restricted data. Memorandum 16 deals with the expectation of privacy an individual has when using University of Nebraska networks and computer resources. Memorandum 26 is the University of Nebraska Information Security Plan.

Definitions

Regulated Data: For purposes of this standard, "regulated data" is defined as data that requires the university to implement specific privacy and security safeguards as mandated by federal, state, and/or local law, or university policy or agreement. Regulations or categories of data most applicable to UNO include:

• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Social Security Numbers (SSNs)
• Gramm Leach Bliley Act (GLBA)
• Payment Card Industry Data Security Standards (PCI-DSS)
• Sensitive Identifiable Human Subject Research
• Export Controlled Research - International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)

Sensitive Data: University data routinely used in conducting business not covered by State or Federal Privacy law. It is protected to preserve the privacy, safety, or reputation of individuals and/or the university.

Public Directory Information: University data which are neither “regulated” nor “sensitive.” Generally, it is information that can be made available to the public without risk of harm to the university or any entities with an affiliation to the university.

Examples include:

• Student Name
• Local Address
• Permanent Address
• Telephone Listings
• Year at the University
• Dates of Attendance
• Academic College and Major Field of Study
• Enrollment Status (e.g. undergraduate or graduate; full-time or part-time)
• Participation in Officially Recognized Activities and Sports
• Degrees, Honors and Awards received

UNO Security Policy

The UNO Regulated Data Security Policy was developed in response to Nebraska L.B. 876 to combat increasing instances of identity theft. The policy includes in-depth definitions, responsibilities, data storage, risk reduction procedures, technical storage requirements and authorization form.

Regulated Data Utilities

The Regulated Data File Server is a service Information Services provides for the storage of Regulated Data, this server meets the technical requirements necessary for the storage of Regulated Data. To request space on the Regulated Data File Server please fill out the Regulated Data Server Request. For more information about the Regulated Data File Server please work with the desktop support staff for your area or contact Information Services Technical Support.

Identity Finder is computer software that discovers, monitors, removes and protects data wherever it is stored or used. The software is in use at UNO to perform two functions. The first is a continual scan of all data on end user machines for restricted data commonly referred to as 'data at rest;' those files and folders that reside on University-owned servers, desktop and laptop computers. Please work with the desktop support staff for your area or contact Information Services Technical Support for more information.

VPN (Virtual Private Network)

To connect to the Regulated Data File Server while off campus, UNO faculty and staff will need to be logged into UNO's VPN.