Educause Security Discussion mailing list archives

Re: Laptop encryption- Follow-up


From: David Clift <David.Clift () UTAH EDU>
Date: Tue, 16 Nov 2010 11:22:57 -0700

We are requiring all Health Sciences / University of Utah Health Care staff, faculty, and students to have their 
laptops and USB flash drives encrypted.  The above individuals must certify through an online survey that their devices 
have been encrypted.  They can also opt out of encrypting their devices if they certify that they do not and will not 
store PHI on their devices.  However, everyone has been notified that they will not be indemnified by the University in 
the case of a lawsuit if they are found to have unencrypted PHI:

"Once the certification process is complete, maintaining protected health information regarding a patient or research 
participant on an unencrypted laptop computer, or on an unencrypted USB thumb drive, will be outside of the course and 
scope of University employment, and the University of Utah will not indemnify those employees in the case of a lawsuit. 
Additionally, all costs associated with a data breach will be borne by the individual. This includes the cost of 
notifying and taking calls from impacted patients."

We also have plans to use DLP software, but it is not yet in place.

David Clift
University of Utah
Information Security and Privacy Office
650 Komas Drive, Suite 102
Salt Lake City, UT 84108

Office: 801.587.6198
Fax: 801.587.9443
David.Clift () utah edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia
Sent: Tuesday, November 16, 2010 10:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption- Follow-up

For those that responded to the encryption thread noting that you are using Whole Disk Encryption for portable devices, 
would you mind sharing which group this applies to? Is it just your staff members? Or faculty as well?

We are in the process of rolling out Bitlocker whole disk encryption to all staff with laptops, but are planning to 
allow faculty to opt out of Bitlocker if they sign a waiver stating that they do not store sensitive data on their 
laptop per our Data Classification Policy. Is anyone doing something similar?

From a breach standpoint, if the individual signs a waiver and states that they do not have any sensitive information 
on their computer, do you employ other controls like Identity Finder or DLP software to ensure that is the case? Or is 
their signed waiver enough?

Any feedback, or examples of how you address lost/stolen devices from a breach standpoint, is appreciated. Thank you. 

Patty


Patty Patria
Bentley University
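Patty's question about whether a signed waiver is enough, or whether other controls are used to confirm the state of the machine, can be answered in part by checking the device itself rather than the survey response. The following PowerShell is an added example written for this archive page; it is not code from either poster or from their institutions. It assumes a Windows laptop with the BitLocker PowerShell module available (Windows 8 / Server 2012 and later) and an elevated session; the function name Test-LaptopEncryption and its parameter are the example's own.

```powershell
# Added example (not from the thread): report the BitLocker state of the OS
# drive and any attached data volumes, so a compliance decision rests on the
# device's actual state instead of a self-certification survey.
function Test-LaptopEncryption {
    [CmdletBinding()]
    param(
        # Mount points that must be protected; defaults to the OS drive only.
        [string[]]$RequiredMountPoints = @($env:SystemDrive)
    )

    foreach ($mp in $RequiredMountPoints) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $vol) {
            # Volume not visible to BitLocker (or cmdlet failed): treat as non-compliant.
            [pscustomobject]@{
                MountPoint           = $mp
                VolumeStatus         = 'NotFound'
                ProtectionStatus     = 'Unknown'
                EncryptionPercentage = 0
                KeyProtectors        = ''
                Compliant            = $false
            }
            continue
        }
        # Compliant only when the volume is fully encrypted AND protection is on.
        # A fully encrypted volume whose protectors are suspended still exposes
        # its data to anyone who boots it, so EncryptionPercentage alone is not enough.
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeStatus         = $vol.VolumeStatus
            ProtectionStatus     = $vol.ProtectionStatus
            EncryptionPercentage = $vol.EncryptionPercentage
            KeyProtectors        = ($vol.KeyProtector.KeyProtectorType -join ',')
            Compliant            = $compliant
        }
    }
}

# Data volumes (fixed or removable, which covers an attached USB flash drive)
# are included because the policy quoted in the thread covers those as well.
$dataVolumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' } |
    Select-Object -ExpandProperty MountPoint

$result = Test-LaptopEncryption -RequiredMountPoints (@($env:SystemDrive) + $dataVolumes)
$result | Format-Table -AutoSize

# Non-zero exit code when any required volume is not protected, so an endpoint
# management or inventory tool can record the device as non-compliant.
if ($result | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run under an endpoint management agent, the per-volume objects (or just the exit code) give a verifiable record of which devices are actually protected, which can be reconciled against the certification survey or waiver list to find the machines where the two disagree.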
 

