University of Florida :: Department of Computer and Information Science and Engineering (CISE)

Privacy

Privacy

This is an informational page for Department employees (including student assistants) about protecting private student data. Related privacy statements, include the following:

Background

The College of Engineering and the University Privacy Office have asked the Department to take preventative actions to protect the privacy of our students. Data breaches are serious and technical measures alone cannot prevent all breaches. All Department members have a responsibility to be educated about and active in protecting our private student data.

Terminology

The Privacy Office uses the term private education records, or UF-PER, to describe the sensitive data that needs to be protected. IT Security Management identifies some examples of UF-PER including names, UFIDs, grades, and any emails to or about a student.

Negative Impact of Data Breaches

Identity data breaches have occurred at the University and have cost an average of about $12.50 per exposed record, according to College Security. One breach cost more than $30,000.

Severe incidents could result in the University no longer being eligible to receive Federal grants. Furthermore, responsible individuals could be criminally prosecuted. Fortunately, the University has not had an incident of that severity, but employees have been terminated.

Detection of Exposed Data

CISE System Administrators run automated scans for exposed data, especially on centrally-managed web servers. Self-managed server owners are strongly encouraged to do the same—email the System Administrators for assistance.

Guidelines for Prevention

UF-PER needs to be both stored and transmitted securely.

Secure Storage

Here are some recommended guidelines for storing UF-PER:

  • When saving sensitive data to files, encrypt the files and set permissions to owner-readable.
  • If you are unable to encrypt a sensitive file, set its permissions to owner-readable.
  • Utilize our Department databases, which have access control functionality.
  • Never store sensitive files in your public_html directory.

Secure Transmission

Even if UF-PER is being stored in a secure manner, it may still be considered exposed if transmitted insecurely. You need to know exactly who has access to the data and they need to be authorized to have such access.

One example is a public-facing research website. The UF-PER may be securely encrypted and stored in a database which requires CISE credentials to access and is further restricted based on the GID of the research group. The website used to display the data, however, might not be password protected and if the web server is not using HTTPS, it is still possible to intercept the plain text sent on the network.

Here are some recommended guidelines for protecting UF-PER on a web server:

  • Never store sensitive files in locations served by your web server.
  • Use an HTTPS server, at least for the portion of your site which will transmit UF-PER.
  • Authenticate users. CISE’s Kerberos or UF’s Shibboleth authentication is preferred, but use htpasswd at a minimum.

Tools

You can download and use our Bash script on your own machines.

Feedback