If you have received a Sensitive Data Discovery report indicating that potentially sensitive data has been found on your U-M computer or an IT system you are responsible for, you need to take appropriate action as outlined in this document.
About Sensitive Data Discovery
ITS Information Assurance performs Sensitive Data Discovery checks twice a year for MiWorkspace computers and storage, as well as on-request checks of other unit computers and storage to help ensure that sensitive and regulated data is not being stored unnecessarily. Sensitive Data Discovery checks help you identify files with sensitive data you may have forgotten about and prompt you to review those files to see if they are still needed.
Information Assurance maintains a software tool that automatically scans for potentially sensitive information. Our team will work with you and your unit staff to help review the results and take appropriate action.
The Sensitive Data Discovery tool:
- Checks for two types of sensitive data: Social Security numbers (SSN) and credit card numbers. The tool can check for additional patterns if requested by a U-M unit.
- Looks for numeric patterns formatted like Social Security and credit card numbers, so it sometimes misidentifies files as sensitive.
- Does not check Personal and Private folders.
- Produces a report listing all your files that may contain sensitive data. The report provides the location of each file and an excerpt (the last four digits of the number) from it.
Sensitive Data Discovery helps the university comply with laws and regulations governing the storage of sensitive and regulated data, including federal regulations (Gramm-Leach-Bliley Act), State of Michigan regulations (Michigan Social Security Privacy Act), university standards (Social Security Number Privacy and Protection (DS-10)), and the Payment Card Industry Data Security Standard.
Review Your Report
- Log in to your Sensitive Data Discovery Report from a University of Michigan network (MWireless or ethernet on campus; use a university VPN from off campus).
- Review the files identified for you as containing potentially sensitive information.
Take Action for Each File Listed
For each file listed in your report:
1. Find the file on your computer or in your online storage. Follow the path listed in the report. You can search for the file name or the last four digits of the number found in the file in the Excerpt column.
2. Find the Action column. Depending on the size of your monitor and the amount of data in your report, the Action column may or may not be displayed automatically. If you cannot locate the Action column, scroll to the right. If it is still not visible, click Columns to open the columns menu, and click Action. The Action column should now appear.
3. Determine whether or not the file contains Social Security or credit card numbers.
   - No. In the Action column, select Data was incorrectly identified and is not regulated. No further action is needed for that file.
   - Yes. In the Action column, select the appropriate option and continue to Step 4 to take action on the file. These are the options you can choose from:
     - Data was incorrectly identified and is not regulated.
     - Data was incorrectly identified and is now removed.
     - Regulated data was correctly identified but is required for business processes.
     - None of the above. (please provide details in the notes column)
4. For files with sensitive data, decide what to do with the file, take the appropriate action, and record it in your report:
   - Data no longer needed
     - Delete the sensitive data from the file, or delete the file.
     - In the Action column, select Regulated data was correctly identified and is now removed.
   - Data needed for U-M business
     - In the Action column, select Regulated data was correctly identified, but is required for business processes.
   - Data is personal (not work-related)
     - Move the file to a Personal and Private folder on your computer, or move it to a personal device and remove it from your U-M computer and/or network storage. (Personal and Private folders are not checked by the Sensitive Data Discovery tool.)
     - In the Action column, select None of the above.
     - In the Notes column, say that the file was personal and has been moved.
5. Your responses in the report are automatically saved and no further action is needed. Information Assurance staff members will review your responses and get back to you if more follow-up is needed.
If you need help working with your Sensitive Data Discovery report, contact ITS Information Assurance via the ITS Service Center.