Frequently Asked Questions

Yes, cloud storage is appropriate for storing class work and personal files, and very convenient because you can access the files from wherever you are as long as you have an Internet connection. The CSU has a contract with Google that protects the ownership and privacy (but not the security) of files you store in their system, but no similar arrangements exist with Dropbox or any other provider of cloud storage solutions, so files stored with these other providers are more vulnerable.

 

The campus currently recommends specific document storage solutions and departmental shares for most departments, as well as individual space on Network Folders, for storage of HSU data. ITS is in the process of implementing a virtual desktop solution that will give employees access from remote and mobile devices to personalized mobile desktops stored on central servers instead of local computers. 

 

 

No. Currently available cloud storage solutions do not provide the level of protection required for Level 1 or Level 2 data. Recommended document storage solutions and departmental shares are provided for most departments as well as individual space on Network Folders for storage of HSU data. Many online storage solutions are available, such as Dropbox, SkyDrive and Google Drive, but these should never be used to store Level 1 data, such as social security numbers and medical information, or Level 2 data, such as grades, human resources, and FERPA information; the full definitions of Level 1 and Level 2 data can be found online.

University data covers any item of information that is collected, maintained, and used by the University for the purpose of carrying out the business of the University, subject to or limited by any overriding contractual or statutory regulations. University data may be stored either digitally or on paper and may take many forms, including, but not limited to, text, graphics, images, sound, and video. Research data, scholarly work by faculty or students, and intellectual property that does not contain personally-identifiable information or other data protected by law or University policy is not considered University data, nor is an individual’s own personally identifiable information (PII) unless it's used as described above. University data must be available to the University and other individuals as required under University policies and is subject to CSU Information Security Policies, CSU Data Classification Standards, and other appropriate controls depending on the sensitivity of the data.

No. Dropbox does not provide the level of protection required for the storage of Level 1 or Level 2 data. There are no contracts or agreements with the University that protect the privacy, ownership, or confidentiality of the data stored on Dropbox servers required by HSU.

Note, too, the statement on the Dropbox website that: Dropbox does not currently have HIPAA, FERPA, SAS 70, ISO 9001, or PCI certifications.

 

No. Sensitive data, and in particular University data that has been classified as Level 1 protected data, should NEVER be sent via email, either in the body of the email or in an attachment, unless that data has been encrypted using HSU-approved strong encryption.

Alternatively, you can store the sensitive data in a system protected by password security and send an email containing a link to the data. Reporting tools such as OBI (myReports) provide a secure environment for accessing University data. Communication involving student records should use the myHumboldt portal whenever possible. Using myHumboldt provides a better student and faculty experience and ensures that messages are securely and reliably delivered to the correct person. You can also save sensitive data on a University-managed system that requires a password, such as a fileserver, and send a link to the data in an email.

Below are some resources for secure information sharing:

  • The US Department of Education, Privacy Safeguards Program states that one should “never include personal information within e-mail message text. Names, SSNs, dates of birth, etc…”
  • IRS Publication 1075 states that Federal Taxpayer Information (FTI) is covered by the Code of Federal Regulations and Internal Revenue Code: “E-mail systems shall not be used to transmit FTI data.”
  • The California Office of Information Security states that: “… email and IM messages hit numerous servers and routers before reaching their final destination ... and can be intercepted at any stage. Therefore, no confidential or sensitive data [Levels 1 or 2] should be sent via email in clear text or transmitted via Instant Messaging.”
  • The Federal Trade Commission (15 U.S.C §§ 41-58, as amended) states that: “Regular email is not a secure method for sending sensitive [Levels 1 or 2] data ... the better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves.”

 

You have several options:

  1. Encrypt the data. The University has identified several methods to quickly and securely encrypt sensitive data.
  2. Keep the sensitive data in a system that can provide security and send your recipient a link to the data. An ideal way to do this is through the HSU myHumboldt portal, as this will not only ensure that messages are reliably delivered to the right person but also improve the student and faculty experience.
  3. Save sensitive data on a University-managed system such as a file server and send a link to the data in an email.

Below are some resources for secure information sharing: 

  • The US Department of Education, Privacy Safeguards Program states that one should “never include personal information within e-mail message text. Names, SSNs, dates of birth, etc.”
  • IRS Publication 1075 states that Federal Taxpayer Information (FTI) is covered by the Code of Federal Regulations and Internal Revenue Code: “E-mail systems shall not be used to transmit FTI data.”
  • The California Office of Information Security states that: “… email and IM messages hit numerous servers and routers before reaching their final destination ... and can be intercepted at any stage. Therefore, no confidential or sensitive data [Levels 1 or 2] should be sent via email in clear text or transmitted via Instant Messaging.”
  • The Federal Trade Commission (15 U.S.C §§ 41-58, as amended) states that: “Regular email is not a secure method for sending sensitive [Levels 1 or 2] data ... the better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves.”

 

No, email is not safe for HIPAA data, which is subject to similar rules as Level 1 protected data. HIPAA (the Health Information Portability and Accountability Act) requires that any electronic transmissions containing protected health information (PHI) be encrypted using strong encryption. Messages containing PHI that are transmitted over unencrypted email are archived and can be transmitted onwards by every program or device that receives them. Email messages, their attachments, and archives are highly vulnerable to improper disclosure and may put both the University and the provider sending the email at risk.

Related Federal Laws and Regulations 

  • Gramm-Leach-Bliley Act of 1999
  • HIPAA – Health Information Portability and Accountability Act
  • Family Education Rights and Privacy Act of 1974 (FERPA)
  • Federal Trade Commission Regulations (16 CFR, Part 314) Standards for Safeguarding Customer Information; Final Rule, May 23, 2002
  • Federal Trade Commission Regulations (16 CFR, Part 313) Privacy of Consumer Financial Information
  • Payment Card Industry (PCI) Data Security Standard (DSS)

Related CA State Laws and Regulations

  • California Information Practices Act of 1977 (California Civil Code Section 1798.85)
  • California Education Code, Section 89546, Employee Access to Information Pertaining to Themselves
  • California Code of Regulations, Title 5, Sections 42396-42396.5
  • Comprehensive Computer Data Access and Fraud Act (California Penal Code, Section 502)
  • California: SB 1386: Disclosure of Security Breach of Confidential Information
  • California: SB 2246: Customer Records: Act to add to Title 1.81, Part 4 of Division 3 of the Civil Code
  • California Civil Code Sections 1798-1798.78.