Take steps to safeguard sensitive data

Is your organization responsible for complying with one or more of the many privacy-related pieces of legislation that the U.S. government has enacted over the past decade? It's a good bet that it is.

Whether it's the Health Insurance Portability and Accountability Act (HIPAA), which addresses healthcare information, the Gramm-Leach-Bliley Act (GLBA), which addresses financial information, or even the Family Educational Rights and Privacy Act (FERPA), which addresses education information, chances are good that one of these affects your organization in some way.

Compliance is nothing to fool around with, and it's imperative that your organization understand its responsibilities for safeguarding protected data. Protected data is any information that someone could use to identify an individual. Information protected by legislation can include:

  • Salary and fringe benefits (except for federal employees)
  • Terms of employment (including performance and disciplinary records)
  • Academic and educational history
  • Criminal investigation and arrest history
  • Employment history (including general or security clearance information)
  • Biographical history
  • Social Security information
  • Identification codes
  • Personnel profile (including home address and phone number)
  • Medical history

Your organization's network obviously contains and/or processes protected sensitive information. Unauthorized disclosure of such sensitive information could adversely impact your organization with both civil and criminal liabilities. To protect yourself and your company, it's vital that you implement some extra precautions.

Administrator responsibilities

If you're responsible for the security of your company's network, then you're also responsible for overseeing the day-to-day collection, storage, and use of personal data subject to such legislation. You must apply adequate data security safeguards to protect data from the following:

  • Inappropriate disclosure
  • Improper use
  • Access by unauthorized or unapproved users
  • Data tampering

Individuals who fail to follow specific requirements can face fines up to $5,000 per violation, as well as misdemeanor charges. That's one more reason your organization needs to take appropriate security measures to protect sensitive information. But don't forget that security measures, no matter how solid, are only as good as the educated employee who wants to do the right thing.

Employee responsibilities

Your organization's users are potentially the weakest link in your security efforts. You've heard it before, but it's worth repeating: Educate your users.

To better protect sensitive data, train all users to do the following:

  • Label all media (e.g., disks and documents) containing sensitive information.
  • Securely store sensitive information.
  • Immediately notify supervisors of any security breach.
  • Don't send unencrypted sensitive information via e-mail.
  • Log off or use a screen saver with a password when leaving workstations unattended.
  • Erase all data from hard disks before sending PCs off-site for maintenance.
  • Store data on network drives instead of workstations.
  • Be on the lookout for hardware keystroke loggers.

Final thoughts

Privacy-related legislation grew out of a concern over the potential misuse of the vast amounts and types of personal information collected and maintained on corporate networks, which store, manipulate, and transmit the data for a variety of reasons. Don't become a statistic in the news by mishandling protected information -- protect that information with adequate safeguards, and train your users to do the same.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.



I think meeting the HIPAA standards also helps in complying with many other regulations. A crosswalk matrix poster between different regulations is a very useful tool for the compliance team and risk management office. This poster is a crosswalk between: ISO 17799, COBIT 4.0, Sarbanes-Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC CIP standards and PIPEDA (Canada).


I think that with banking computers no transactional data is ever stored in the bank computer itself. All of this data is held in a Federal system. If the bank's computer system were to stop working no data would be lost. That's networking!


BALTHOR - Transactional data does indeed reside on "banking computers." The scope and volume of local data will vary bank by bank, based primarily on whether they handle their own core processing in-house or use one of the many third-party providers. Many of the same companies that will handle a bank's processing sell versions of their software for banks to handle their own processing in-house. There is NO master, or even multiple sub-computer systems, owned and operated by the Federal Government for processing and/or data reporting of all day-to-day banking transactions. In fact, "on us" items (e.g., you write a check to someone who uses the same bank) will not even leave the bank's network. The Federal Reserve Bank, which is the agency/system I assume you were referring to above, amongst other functions, acts as a conduit that paper checks, Check 21, and electronic transactions (ACH) flow through. The FRB does not retain/store that data such that a bank can rely on them for Disaster Recovery.


Before users can be trained to be compliant, the user role in compliance should be laid out in policy. If the proper security and privacy policies are not in place, there will be no ability to enforce the user training that takes place.
