Statement of Policy
Lehigh University strives to maintain the integrity and security of institutional, proprietary, and confidential data entrusted to it. This type of data includes, but is not limited to, student records, financial records (both institutional and personal), and health care related records. Lehigh’s classification of data can be seen at lts.lehigh.edu/services/explanation/classification-data.
To maintain the integrity and security of Lehigh’s data, any University desktop or laptop computer containing any University-owned or University-maintained data covered by any state or federal statute, the disclosure of which exposes the University to possible substantial liability, must be encrypted using full-disk encryption software.
Full-disk encryption is required for any University desktop or laptop computer containing University-owned or University-maintained data consisting of financial records, health care records, student records, or information which could be utilized for identity theft. These records are covered by the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA - Public Law 104-191), and the Family Educational Rights and Privacy Act (FERPA – 34 CFR Part 99). Identity theft information is covered by the Federal Trade Commission’s Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003 and various data breach laws. While Pennsylvania state law defines a data breach, the unauthorized access and acquisition of personal computerized data, in relatively narrow terms (i.e., data containing name and Social Security number, name and driver’s license number, or name and credit card number), similar laws within at least 47 other states have slightly different definitions and attempt to apply themselves to state residents living in or out of state. The federal government is also working on a law to consolidate this matter. In order to safeguard all non-directory personally identifiable information, the University requires that all such University-maintained personal data be encrypted.
Implementation of Policy
Currently, full disk encryption software is available for Windows and Macintosh computers on campus. Newer operating systems have full disk encryption software available as part of the operating system. Please refer to the following:
for more information.
The LTS computing consultant assigned to your department should be contacted to discuss the encryption options available based on the computer’s operating system.