If you have received a Sensitive Data Discovery report indicating that potentially sensitive data has been found on your U-M computer or an IT system you are responsible for, you need to take appropriate action as outlined in this document.
About Sensitive Data Discovery
Information Assurance performs Sensitive Data Discovery checks twice a year of MiWorkspace computers and storage, as well as on-request checks of other unit computers and storage to help ensure that sensitive and regulated data is not being stored unnecessarily. The checks help you identify files with sensitive data you may have forgotten about and prompt you to review those files to see if they are still needed.
Information Assurance maintains a software tool that automatically checks for potentially sensitive information. Our team will work with you and your unit staff to help review the results and take appropriate action.
The Sensitive Data Discovery tool:
- Checks for two types of sensitive data: Social Security numbers (SSN) and credit card numbers. The tool can check for additional patterns if requested by a U-M unit.
- Looks for numeric patterns formatted like Social Security and credit card numbers, so it sometimes misidentifies files as sensitive.
- Does not check Personal and Private folders.
- Produces a report listing all your files that may contain sensitive data. The report provides the location of each file and an excerpt (the last four digits of the number) from it.
Sensitive data discovery helps the university comply with laws and regulations governing the storage of sensitive and regulated data, including federal regulations (Gramm Leach Bliley Act), State of Michigan regulations (Michigan Social Security Privacy Act), university standards (Social Security Number Privacy and Protection (DS-10)), and the Payment Card Industry Data Security Standard.
Review Your Report
- Log in to your Sensitive Data Discovery Report from a University of Michigan network (MWireless or ethernet on campus; use a university VPN from off campus).
- Review the files identified for you as containing potentially sensitive information.
Take Action for Each File Listed
For each file listed in your report:
- Find the file on your computer or in your online storage. Follow the path listed in the report, search for the file name, or search for the last four digits of the number found in the file in the Excerpt column.
- Find the Action column. Depending on the size of your monitor and the amount of data in your report, the Action column may or may not be displayed automatically. If you do not see, try scrolling to the right. If It's not there, click the Columns button to reveal the columns menu, and activate the Action button on the menu. The Action column should now appear.
- Does the file contain Social Security or credit card numbers?
- No. In the Action column, select Data was incorrectly identified and is not regulated. No further action is needed for that file.
- Yes. In the Action column, select the appropriate option and continue to Step 3 to take action on the file. These are the options you can choose from:
- Data was incorrectly identified and is not regulated.
- Data was incorrectly identified and is now removed.
- Regulated data was correctly identified but is required for business processes.
- None of the above. (please describe in notes column)
- For files with sensitive data, decide what to do with the file, take the appropriate action, and record it in your report:
- Data no longer needed
- Delete the sensitive data from the file, or delete the file.
- In the Action column, select Regulated data was correctly identified and is now removed.
- Data needed for U-M business
- In the Action column, select Regulated data was correctly identified, but is required for business processes.
- Data is personal (not work-related)
- Move the file to a Personal and Private folder on your computer, or move it to a personal device and remove it from your U-M computer and/or network storage. (Personal and Private folders are not checked by the Sensitive Data Discovery tool.)
- In the Action column, select None of the above.
- In the Notes column, say that the file was personal and has been moved.
- Data no longer needed
- Your responses in the report are saved automatically. You do not need to save or submit anything yourself when you are finished. Information Assurance staff members will review your responses and get back with you if more follow up is needed.
If you need help working with your Sensitive Data Discovery report, contact your Information Assurance Information Security Lead (ISL) for assistance. If your unit does not have an ISL, contact Information Assurance via the ITS Service Center.