Tech Responds to Student Data Disclosure

As part of Georgia Tech’s commitment to keeping campus informed, the following is an overview of the developments and progress in the aftermath of the Institute’s 2019 data disclosure.



Apr. 28, 2020, update: Georgia Tech’s data security task force continues to make progress in improving the Institute’s data governance, policies, and practices. Under the leadership of Professor Raheem Beyah, the team has established the following controls, organized under the three-pronged strategy of Know, Protect, and Govern:

Mandatory Training Campaign; Upcoming Policy and DLP Rules

Georgia Tech’s Data Management Security Fundamentals training campaign ended Monday, April 20. However, employees are still encouraged to complete the mandatory training by the end of this week in preparation for new and refined policy and data loss prevention (DLP) rules that were introduced Monday, April 27. Moving forward, this compliance training will be required on an annual basis for all employees.

New DLP rules will restrict sharing protected data such as employee records, student information, financial data, and regulated research data via email and require employees to use Institute-supported file storage solutions such as OneDrive or Dropbox for sharing this type of information. Learn more about how to leverage these tools at b.gatech.edu/protecteddatapractices.

The new standards also establish safeguards that restrict removing data tags or manipulating files that contain data tags. These policy revisions standardize business practices across the Institute and lower the risk of accidental data exposure.

Endpoint Management and Protection Compliance

To ensure the security of protected data, full adoption of endpoint management and protection solutions will be required for all Institute-owned devices by Nov. 1, 2020. To accommodate employees’ transition to online instruction and remote work, the compliance deadline for securing laptops and any desktops that have been taken home from campus has been extended from May 15 to June 30.

Employees are encouraged to work with their local IT professionals to ensure that the appropriate endpoint solution is installed on their devices by the June 30 deadline. Additional information about endpoint management and protection can be found at b.gatech.edu/endpointcompliance.

The Office of Information Technology (OIT) will communicate additional details around these changes. Online training, tips, and information on how to use file storage and sharing solutions are available at b.gatech.edu/protecteddatapractices.

_______________

Mar. 12, 2020, update: Professor Raheem Beyah's cross-functional team has worked to establish more effective controls for managing Institute data for the long term. We are rolling these controls out now to also prevent the risk of data leakages in the event that teleworking and online instruction are required. As part of efforts to protect data, a series of actions will occur in the coming days:

MANDATORY TRAINING STARTING MONDAY, MARCH 16

All employees are asked to complete data governance, data security, and Family Educational Rights and Privacy Act (FERPA) compliance training, which will be available from Monday, March 16, to Monday, April 13. The Office of Information Technology (OIT) will communicate training details.

Moving forward, this compliance training will be required on an annual basis for all employees.

STORING AND SHARING PROTECTED DATA

Following mandatory training, new safe data handling practices will go into effect. Sharing protected data such as employee records, student information, financial data, and regulated research data via email will be restricted. All employees will be required to use Institute-supported file storage solutions such as OneDrive or Dropbox for sharing this type of information. The new standards also establish safeguards that restrict removing data tags or manipulating files that contain data tags. These policy revisions standardize business practices across the Institute and lower the risk of accidental data exposure.

To ensure the security of student data, full adoption of endpoint management and protection solutions will be required for all Institute-owned devices by the end of the year. Windows and Mac laptops will be first and must be in compliance by May 15.

DATA MINIMIZATION AND CLEANUP

Data minimization refers to measures that limit the personal data collected and processed to include only information that is relevant or necessary to accomplish work. Current best practices include:

If student data is needed to perform work, limit the data request to information that is necessary to complete the task. When attempting to email a group of students, for example, do not request or take ownership of a file that has demographic information.

Regularly review files stored on the computer as well as on file storage services such as network file shares and cloud-based file sync and storage. Reviews should look for old files that are no longer necessary and can be deleted as well as files that must be retained but contain sensitive personal information that should be encrypted or deleted. Reviews should occur every six to 12 months.

As part of the Enterprise Data Governance effort, further details regarding data retention and cleanup will be forthcoming. Additional resources and FAQs regarding data security activities are available at b.gatech.edu/datasecurity.

_______________

Mar. 11, 2020, update: Didier Contis, director of Technology Services for the College of Engineering (CoE), has been named interim associate vice president for Data Strategy and Analytics, effective March 1. He will be reporting to Raheem Beyah in his temporary role that reports to the president. Contis’ position provides vision and strategic leadership for all data management activities and is responsible for global data management, utilization, security, governance, and privacy across the Institute.

_______________

Dec. 20, 2019, update:

The following message was sent to all Georgia Tech staff from the Office of Information Technology:

As part of Georgia Tech’s continued enterprise data loss prevention (DLP) efforts, the Office of Information Technology is deploying a new DLP rule, effective today, that will further reduce the risk of accidental data exposure.

This new rule is focused on detecting attachments that may contain student data and are sent to mailing lists. This rule is using newly introduced document labeling mechanisms for sensitive FERPA information.

Users who attempt to email files with any of this data type will receive a bounce back which will prevent them from sharing. If this is a valid business case, users can still allow the message to be sent by resending with "[Allow Send]" in the subject line.

The ultimate goal of the DLP program is to manage vulnerabilities, reduce risk, and prevent the transmission and unauthorized access of any data protected under regulations such as FERPA, HIPAA, and PCI DSS. A list of Frequently Asked Questions (FAQs) is provided below. Additional FAQs and support information are also available at: https://faq.oit.gatech.edu/dlp.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Dec. 11, 2019, update: Georgia Tech continues to make progress in improving the Institute’s data governance policies and practices.

Under the leadership of Professor Raheem Beyah, the effort has been organized around a three-pronged strategy: Know, Protect, and Govern. Planned activities under this strategy will occur over the next few months.

Know:

A cross-functional team continues an in-depth audit of Georgia Tech systems housing sensitive data, prioritizing student data. Further consultations will focus on documenting data-related business processes and associated workflows.

Protect:

Data Loss Prevention (DLP) protections have been enabled, providing some protections for sensitive information within the Office365 email environment. The cross-functional DLP team will keep monitoring and improving this initial implementation and will begin to focus on the deployment of an Enterprise Data Loss Prevention program encompassing the Institute’s entire data and IT environment.

Govern:

The Institute will continue to implement a comprehensive Enterprise Data Governance program ensuring compliance with Institute and USG policies as well as implementing improvements to the data environment. To accelerate this process, the Institute has selected and will soon engage with outside expertise. Student data will be the initial focus of this engagement.

The Enterprise Data Governance program rollout will include resources dedicated to partnering with the campus community to transition to new data management practices.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 22, 2019, update: Professor Raheem Beyah briefed President Ángel Cabrera and his cabinet on Tuesday, Nov. 19, regarding the progress of Georgia Tech’s response to the recent inadvertent data disclosure. During his presentation, Beyah outlined a three-pronged strategy: Know, Protect, and Govern.

In support of this strategy, the following has been put in place:

Know Georgia Tech data:

Following an initial review of the complex Georgia Tech data ecosystem, further consultations with campus data constituents continue. The focus is on how sensitive student data are being used and documenting associated business processes.

A cross-functional team, composed of members of the Office of Information Technology (OIT) and Enterprise Data Management (EDM), with assistance from the Registrar’s office, will conduct an in-depth audit of Georgia Tech’s student data reporting systems. The audit has begun and will continue for several weeks.

Protect Georgia Tech data:

A team from Cyber Security, OIT, and EDM is conducting a security risk assessment of the Office of Diversity, Equity, and Inclusion.

The cross-functional Data Loss Prevention (DLP) team has consulted with vendors and local experts. The team completed an initial assessment of DLP technologies within Office365. Based on the results, an initial set of DLP rules will be enabled on Monday, Nov. 25. DLP rules will identify specific types of sensitive data. This is a first step toward building an enterprise data loss prevention program. An upcoming communication from OIT will provide details on the additional changes to email services. The team is also creating documentation and support processes.

Govern Georgia Tech data:

Georgia Tech continues to receive proposals from outside experts for assistance in accelerating data governance. Proposals are now under review. It is anticipated that a vendor selection process will be completed in the coming weeks, with targeted engagement kickoff in early December 2019.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 15, 2019, update: An inadvertent disclosure originated within the Office of Diversity, Equity, and Inclusion (DEI). In response, immediate actions have included:

Enacting new short-term restrictions on mass communications in DEI.

Initiating a security risk assessment for DEI beginning Nov. 18.

Training DEI staff on data security and FERPA.

Looking more broadly at campus policies and practices concerning the use and sharing of sensitive data, the small group led by Professor Raheem Beyah has:

Distributed new guidance on data stewardship and separation of duties to campus leadership;

Received a proposal from the Enterprise Data Management team for short-term data governance actions;

Started consultation with campus data constituents at large, including data stewards, end users, and application owners, to identify areas for risk reduction; and

Continued to receive proposals from outside experts for assistance in accelerating data governance.

In addition, a cross-functional project team that includes leadership in the Office of Information Technology; Jimmy Lummis, chief information security officer; Didier Contis, director of Technology Services in the College of Engineering; and SGA Vice President of Information Technology Sidartha Rakuram has been formed to assess short-, medium-, and long-term risk reduction and improve protections for data loss prevention (DLP). Its first action items, such as initiating DLP technologies within Office365, will be completed Friday, Nov. 15. The project team is consulting with local experts and colleagues at other University System of Georgia institutions on DLP guidance and rapid implementation. A long-term DLP strategy with more effective controls will require a new institutional approach to identifying and monitoring sensitive data and classifications at their source.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 12, 2019, update: The small group led by Professor Raheem Beyah to review campus policies and practices concerning the use and sharing of sensitive data has released a preliminary recommendation as a first step toward reducing the risk of accidental exposure. The guideline recommends that the individual with permission to generate datasets containing sensitive data should be separate from the individual who communicates with large constituencies.

All users with access to sensitive databases are expected to comply with Institute policy, including the Data Access Policy: http://policylibrary.gatech.edu/information-technology/data-access.

Questions and comments can be directed to datagovernance@gatech.edu.

_______________

Nov. 8, 2019, update: President Ángel Cabrera sent a message to campus earlier today announcing Electrical and Computer Engineering Professor Raheem Beyah will lead a review to address "existing vulnerabilities in data access across the Institute and implement whatever changes are necessary to deal with the most critical of them."

Professor Beyah, who is also vice president of Interdisciplinary Research for Georgia Tech, will coordinate the work of the Office of Information Technology (OIT) and other administrative and academic units and will engage internal and external consultants as needed. Didier Contis, director of Technology Services for the College of Engineering, will assist Beyah in leading the review.

_______________

Nov. 7, 2019: Georgia Tech is taking steps to correct its internal policies and protocols following an inadvertent disclosure of protected student information.

Yesterday, a Georgia Tech staff member sent an email to approximately 1,100 students that erroneously included a file attachment with student names, ethnicity, Georgia Tech ID numbers, Georgia Tech e-mail addresses, and GPAs. The file did not include social security numbers or birthdates.

Since being notified of the incident, the Office of Information Technology has worked to recall as many of the emails as possible. Students affected by this mistake were notified last evening.

An emergency response team has been convened. The team will work to implement immediate corrective action and enact comprehensive changes to Georgia Tech’s data governance enterprise.

Institute leadership will provide further details in the coming days to keep the campus informed on how it plans to prevent future disclosures.