From the moment a person submits an employment or admissions application until the day they leave the University, Pitt collects a wide array of data about the people in our community. This information is necessary to track academic progress, run payroll and benefits, apply financial aid, enable smart IDs, grant system access, and nearly every other facet of daily operations.

With this level of data access comes the responsibility for securing that information. Pitt Information Technology (Pitt IT) and the Office of Compliance, Investigations, and Ethics (CIE Office) work together to protect the confidentiality rights of all members of the University of Pittsburgh.

Controlling What, When and How Data Is Collected

The CIE Office provides oversight and guidance related to regulatory compliance and ethical standards at the University, and investigate any concern reported by the campus community. Pitt Privacy Officer Laurel Gift is tasked with ensuring that the University’s collection, use, and disclosure of personal information complies with federal regulations, including FERPA, HIPAA, and more. She works closely with other units responsible for data privacy, governance, and security, including Pitt IT’s Information Security team, the Office of University Counsel, and the Information Technology Advisory Committee (ITAC) and its Information Security and Data Governance subcommittees. 

Gift’s goal is to guarantee people’s privacy and ensure proper handling of their personal information. “My priority is to provide transparency, so there is no mystery. People should know what we collect, how we use it, and when we can share it. It’s all about notice and consent.”

Gift responds to any concern that is reported through the Pitt Concern Connection or reported to the Technology Help Desk related to privacy or confidentiality. “I consider the circumstances under which information is collected, how consent was obtained, and how it can be shared. When someone inadvertently exposes data, I look at how it occurred, the risks the disclosure poses, and the appropriate response to protect the person’s privacy.”

Protecting the Systems that Store Your Data

While Gift focuses administrative controls, Pitt IT’s Chief Information Security Officer Ollie Green is responsible for the technical side of data security. “Our main responsibility is to protect all assets and user identities by all means possible,” Green explains. “That includes access controls, network design and firewalls, identity verification, intrusion detection, and network monitoring.” His group follows the technical requirements of all applicable regulations, as well as meeting the standards set forth by the National Institute of Standards and Technology (NIST).

Constant vigilance is necessary to detect any signs of malicious activity. Pitt employs machine-learning algorithms to collect and analyze data from various computer, system, and network logs. This helps it to recognize abnormal activity that may indicate malware activity. Once Pitt IT detects a potential breach, they can quickly build a timeline of events and work with the affected department’s security administrators to begin an investigation and resolve the problem.

Green emphasizes that the goal is not to track individual activities. “We have no desire to track everything you do. Instead, we’re monitoring University-owned machines, systems, and networks on an aggregate level to identify the footprint of malicious activity that can compromise our data and assets.” He recommends that faculty and staff use only University-issued devices for their work, while using personal devices for personal activities.

Working Together to Stop and Respond to Unauthorized Disclosure

Gift and Green work together to ensure that data remains secure and confidential. “Our responsibilities are different, but connected,” Green explains. “The privacy of data and information depends on the security controls around it, both technical and administrative.”

Whenever a breach or unauthorized disclosure is reported, Gift and Green work together to investigate and resolve the issue on case-by-case basis. Recently, they developed a comprehensive Data Incident Response Plan. Released in October, the plan outlines detailed steps for responding to any data incident, including a formal debriefing to improve policies and practices moving forward.

Green and Gift also prioritize user education and training, because human error is the leading cause of unauthorized data disclosure. The most common issue Gift deals with is people accidentally sharing data with the wrong person. They may type the wrong email address or Outlook auto-completes the wrong user without the person noticing. A person may accidentally use Reply All or send a raw file with more data than they intended. “Working fast can be the enemy of data privacy,” Gift says.

Technical breaches are usually the result of user error, as well. Most hackers rely on users accidentally clicking on a bad link or downloading an infected attachment to gain entry. “While we certainly have controls in place to prevent someone from intentionally compromising data, the most significant risk by far is falling victim to a phishing scheme,” Green says. He emphasizes the importance of not sharing your passwords or letting anyone else in your household use your work device.

Both Green and Gift agree that education, awareness, and training are key. Pitt IT and the CIE Office provide online training, live departmental presentations, and individual consultations to help people work smart and safe. The CIE Office website at compliance.pitt.edu and the Pitt IT Security site at technology.pitt.edu/security contain a wealth of helpful information.

See Something, Say Something

Green and Gift emphasize the importance of seeking help if you think your device has been compromised or you inadvertently shared data. “People can be embarrassed about making a mistake or fear they’ll be disciplined for doing so. But our goal is not to blame. It’s to remedy the situation,” Gift says. Green conquers: “Hackers have become extremely sophisticated, and anyone can become a victim. Notifying the Help Desk immediately limits the damage that can result to both you, individually, and the University.”

If you have a concern about data security, privacy, or handling, please report it through the Pitt Concern Connection. Technical questions about securing your device can be directed to the Technology Help Desk.

-- By Karen Beaudway, Pitt IT Blogger