New university policy requires encryption of some computers
A new policy to protect sensitive information on University of Louisville computers and information storage devices took effect March 1.
The policy requires such information as identifiable medical and health records; grades and other enrollment information; credit card, bank account and other personal financial information; social security numbers; proprietary research data; dates of birth (when combined with name, address and/or phone numbers); and user IDs when combined with a password to be encrypted.
It is intended to keep an unauthorized person from accessing the information if a computer, flash drive or portable hard drive is lost or stolen, said Bruce Edwards, chief information security officer.
Information security requirements to comply with such policies and business practices as HIPAA, credit card use and research grants have escalated over the last few years, he said.
The most prudent approach is to encrypt a computer or device if it contains sensitive information, Edwards continued.
Faculty and staff can decide if encryption is necessary by asking themselves one question, he said.
"If my computer was lost or stolen, would it cause a data breach or security problem for me or the university?"
The new policy is online.
Faculty and staff who have questions about the encryption process or wonder whether the policy applies to them can e-mailt the Information Security Office (ISO). The ISO also will post encryption frequently asked questions to its website.