The University of Arizona

Step 8 - Delete or Secure Personal Information

Follow these instructions to delete or secure personal information.




1. Locate personal information identified on the log.

Your goal is to look at each file shown on the log and determine how best to handle it. You may find some false positives. Every effort should be made to verify Spider's results before moving, encrypting or removing files. It takes some time to dig through the log.

Cornell Spider identifies email messages in an Outlook mailbox as a single, large file, not as individual files for each message. It identifies Eudora and Thunderbird folders, not individual files for each message.  Textpad is available free of charge to University faculty, staff and students at the University Site License webpage.

When you find files with SSNs, payment card numbers or Arizona driver’s license numbers, continue to the following section.

WARNING: The Spider log file can point directly to some very sensitive information. As a result, the file must be very well protected and removed promptly to ensure it is not used by unauthorized persons. Until you can securely delete it, take care to store the log file offline (e.g., by copying it to a CD, DVD or flash drive). Delete the log file when you have finished searching it.

For Windows:

To look at the contents of a file:

  • Select the file in the list of results by clicking on it or on the box to the left of it.
  • Click the Run button. The file will open using the default application (e.g., Word, Excel, Adobe Acrobat Reader). If a file does not have a default associated application, try opening it with WordPad (click the Start button, type WordPad in the search box, and then, in the list of results, double-click WordPad).

To remove from the log a file that does not contain personal information:

  • Select the file in the list of results by clicking on it or on the box to the left of it.
  • Click the Remove from List button.
  • Click Options > Save Log at the top left of the Log Viewer.

For Macintosh:

 

The Macintosh version of Spider does not include a Log Viewer. Instead, you must:

 

  • Open and view the text file.
  • Using the path given in the text file, locate the file. See the screenshot below for more information on how to interpret your log file.
  • Open the file.
  • Determine whether it contains personal information.

The log displays a list of files that are likely to contain SSNs, driver license numbers or payment card numbers. The first item on each line is the path, or the location, of the file. The next item on each line displays the criteria Spider used to determine whether the data were SSNs, driver license numbers or payment card numbers. There may be more than one search criterion listed.

For Unix:

  • Review the /tmp/spider.log.  See the example above.



2. Delete all unnecessary files with personal information.

IMPORTANT NOTE: If you have received a preservation notice (litigation hold letter) from the Office of the General Counsel, contact the Office of the General Counsel before making any changes.

Return to Step 2 for information on how to determine whether a file should be retained.  You must have a business need to store personal information. If you can access the personal information from the official secured source when you need it, dispose of it.

Be careful not to delete system (program) files.

Eudora and Outlook email folders appear as files. When you delete a Eudora or Outlook file, you delete an entire folder of email messages.

For Windows:

To delete a file:

  • Select the file in the list of results by clicking on it or on the box to the left of it.
  • Click the Erase or Delete File button. You will NOT be asked to confirm the deletion.
  • Empty the computer trash folder or recycle bin.

To move a file to a jump drive or other physical medium:

  • Select the file in the list of results by clicking on it or on the box to the left of it.
  • Click the Move File button.
  • Browse for the location of the drive. If you plan to archive files on a CD, we suggest creating a temporary folder on your desktop to hold those files until you are ready to copy them to the CD. Once you have finished copying the files to the CD, make sure you delete the temporary folder and empty your recycle bin.
  • Click the location.
  • Click OK.

To remove from the log a file once you've deleted or moved it:

  • Select the file in the list of results by clicking on it or on the box to the left of it.
  • Click the Remove from List button.
  • Click Options > Save Log at the top left of the Log Viewer.



3. If you can’t delete a file, secure the personal information.

You must have a business need to store personal information. If you can access the personal information from the official secured source when you need it instead of keeping it yourself, dispose of it.

Select from the following options:
  • Option A: Transfer files with personal information to physical media and physically secure them
  • Option B: Separate the number from the associated name
  • Option C: Truncate the number to the last four digits
  • Option D: Encrypt personal information

NOTE: As of Fall 2008, SID numbers that are the same as SSNs are no longer in use. If you must store lists or reports with SID numbers from earlier semesters during the record retention period, be sure to secure them with one of these options.

Option A: Transfer files with personal information to physical media and physically secure them

Write files containing personal information to a CD, DVD or flash drive and secure it behind a locked door or in a locked file cabinet.

Delete files from your computer, then empty the computer trash folder or recycle bin. See the File Deletion Guideline for information on secure file deletion.

Additional rules apply to information relating to payment cards that your unit accepts as payment for goods or services.

For Windows:

To move a file to a jump drive or other physical medium:

  • Select the file in the list of results by clicking on it or on the box to the left of it.
  • Click the Move File button.
  • Browse for the location of the drive. If you plan to archive files on a CD, we suggest creating a temporary folder on your desktop to hold those files until you are ready to copy them to the CD. Once you have finished copying the files to the CD, make sure you delete the temporary folder and empty your recycle bin.
  • Click the location.
  • Click OK.

Option B: Separate the number from the associated name

Delete the personal information (the first name or initial, or the number) from the file. In a spreadsheet, highlight the column with the numbers you want to remove and delete it.

Option C: Truncate the number to the last four digits

Delete all but the last four digits of the number.
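An added example (not part of the University's instructions or of Spider): a Python script that applies Options B and C to a CSV export, dropping whole columns and truncating SSNs and Luhn-valid payment card numbers to their last four digits. The column names, the X mask characters and the sample row are constructed for illustration.

```python
import csv
import io
import re

# SSN as 123-45-6789 or 123456789; card numbers as 13-19 digits with optional spaces/hyphens.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: lets us skip long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_numbers(text):
    """Option C: keep only the last four digits of SSNs and card numbers."""
    def card(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "XXXX-" + digits[-4:] if luhn_ok(digits) else m.group(0)
    text = CARD_RE.sub(card, text)
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(1), text)

def minimize_csv(csv_text, drop=()):
    """Option B: drop the named columns. Option C: truncate numbers in the rest."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [f for f in reader.fieldnames if f not in drop]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Work cell by cell so digits in adjacent columns are never merged.
        writer.writerow({f: truncate_numbers(row[f] or "") for f in keep})
    return out.getvalue()

# Constructed sample row: placeholder SSN, a standard test card number,
# and a 13-digit order number that fails the Luhn check and is left alone.
SAMPLE = (
    "name,ssn,card,note\n"
    "Pat Example,123-45-6789,4111 1111 1111 1111,order 1234567890123\n"
)

if __name__ == "__main__":
    print(minimize_csv(SAMPLE))                   # Option C only
    print(minimize_csv(SAMPLE, drop=("ssn", "card")))  # Option B
```

Run it on a copy of the file, confirm the output, then delete the original as described in the File Deletion Guideline.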

Option D: Encrypt personal information

If you cannot find any other alternative to storing personal information and you have a business need for it, encrypt it. Encryption is an effective way to protect files, especially from being opened and viewed on a hacked or stolen computer. UA-approved encryption products are not available at this time. You should coordinate encryption measures with your IT staff.

Encryption carries several risks. Encrypted information may not be recoverable if your computer’s hard drive fails. Consistent backup practices are highly recommended.

To read an encrypted file, you must have access to a secret key—or password—that enables you to decrypt it. Some encryption methods carry the risk of permanent loss of information if the key is lost. USE WITH GREAT CARE. Encryption keys must be delivered to your supervisor or a person designated to retain them.

Step 9 - Comply with applicable standards