- I. Policy Statement
- II. Reason for Policy
- III. Definitions
- IV. Statement of Policy
- V. Cross References to Related Policies
- VI. Responsible Officer
- VII. Key Office to Contact Regarding the Policy and its Implementation
- VIII. Other Procedures or Forms
Emerson College’s objective in the development and implementation of this Written Information Security Policy is to ensure effective procedural, administrative, technological and physical safeguards for protecting the personal information of the residents of the Commonwealth of Massachusetts, and to ensure compliance with Massachusetts Law 201 CMR 17.00.
This WISP sets forth Emerson College’s procedures for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PII (Personally Identifiable Information; see definitions below).
All employees and third party vendors will be notified about the WISP, and the document is also available on the Emerson College website.
In formulating and implementing the WISP, Emerson College seeks to:
- identify reasonably foreseeable internal and external risks to the security and confidentiality of any electronic, paper, or other records containing PII;
- assess the likelihood and potential damage from these threats;
- evaluate the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks consistent with the requirements of 201 CMR 17.00; and
- regularly monitor the effectiveness of those safeguards.
Emerson College has made the affirmative decision to identify what is and is not PII, and has declined the invitation to treat all records it maintains as PII.
1) WISP: The term “WISP” refers to Emerson College’s Written Information Security Policy.
2) PII: The term “PII” shall mean “Personally Identifiable Information.” PII encompasses any and all data regarding Massachusetts residents held by Emerson College, written or electronic, the improper disclosure of which would trigger written notification to both the Massachusetts Attorney General and the affected Massachusetts residents.
Emerson College follows the statutory definition of “personal information” as it is used in 201 CMR 17.00. As such, PII means a Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements which relate to such resident: (a) Social Security Number, or truncated Social Security Number; (b) Driver’s License number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number (“PIN”) or password that would permit access to a resident’s financial account. PII does not include information which is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
3) Breach: A “breach” shall mean the unauthorized acquisition or unauthorized use of either unencrypted PII, or encrypted electronic PII together with the confidential decryption process or key, that is capable of compromising the security, confidentiality, or integrity of PII maintained by the College, creating a substantial risk of identity theft or fraud against a resident of the Commonwealth.
A good faith but unauthorized acquisition of PII by a person, for the lawful purposes of such person, is not a breach unless the PII is used in an unauthorized manner or subject to further unauthorized disclosure.
A “breach” shall not include disclosure of PII which is legally accessible from an outside legitimate source, or where disclosure is required by court order or where necessary to comply with state or federal regulations.
4) Data Custodian: The College has designated the following officers as Data Custodians:
- The President
- Provost and Vice President for Academic Affairs
- The Vice President for Administration and Finance
- The Vice President for Enrollment
- The Vice President for Institutional Advancement
- The Vice President for Information Technology
- The Vice President and General Counsel
- The Vice President for Diversity and Inclusion
- Vice President & Dean of Campus Life
- Vice President & Executive Director, Los Angeles Center
- The Executive Director, European Center (Kasteel Well)
- Vice President and Artistic Director, Office of the Arts
A Data Custodian is a person in high-level management, or that person’s permitted and documented designee, who has been officially identified as responsible for the operation of a department within the College that requires access to PII. Any Data Custodian may designate a Designee Data Custodian for all or some part of that Data Custodian’s responsibility. Such designation must be in writing to the Vice President for Information Technology, who is the Responsible Officer for this Policy, must specify the Designee Data Custodian by title, and must designate with specificity the unit for whose PII the Designee Data Custodian is responsible. It is recommended, but not required, that responsibilities as Designee Data Custodian be added to the official position description of that Designee. Assignment of a designee by a high-level manager who is expressly or inherently entrusted with PII does not relieve that manager of responsibilities regarding the PII.
5) Data Security Coordination Team: Emerson College has designated a team, led by the Vice President for Information Technology and consisting of the Associate Vice President of Information Technology, Director of IT Infrastructure, the Information Systems Security Administrator, the Information Security Officer, and the Director of Enterprise Systems. This Data Security Coordination Team shall be responsible for:
a) initial implementation of the WISP;
b) ensuring that training of employees is taking place in a manner consistent with the requirements of the WISP; and
c) appropriate testing and annual review of the WISP.
Commitment to Limited Collection of, and Access to, PII
Emerson College will collect, maintain and store only that PII which is reasonably necessary to accomplish the legitimate business purpose for which it is collected; will limit the time PII is retained to what is reasonably necessary to accomplish such purpose; and will limit access to those persons who are reasonably required to have access to PII in order to accomplish such purpose or to comply with state or federal record retention requirements. All persons granted access to PII shall be informed of Emerson College’s Written Information Security Policy and Emerson College’s Data Security Policy, and shall be provided basic training for compliance with their requirements.
Identified Locations of PII
Emerson College has identified specific electronic databases and servers, along with physical locations, where PII is known to exist. These locations, while not an exhaustive list, are kept by the Data Custodians and are audited by the Information Security Officer. It is incumbent upon the Data Custodians in each department to promulgate, amongst their staff with PII access, any and all identified locations of PII those staff have access to, and the importance of preserving its confidential nature.
Identified Potential Risks to PII Security
- Weak passwords used with accounts that have access to PII.
- Computers in publicly accessible areas that are not locked when an assigned employee with access to PII has temporarily stepped away from them.
- Insufficient physical security and controls which compromise access to workspaces and permit use of terminals, theft of equipment or access to paper files.
- Termination procedures that are not followed, resulting in continued access by former employees to PII.
- Employees transporting data on laptops, or on USB “thumb drives” and other types of removable media.
- Unencrypted connections to Emerson College data systems over which PII could be carried.
- Incomplete or ineffective training programs explaining to employees what PII is, and what the College’s responsibilities are in its handling.
- Insufficient physical controls, resulting in access to PII by unauthorized persons.
- Malicious software which could compromise the security and integrity of PII.
- Hacking, spoofing and other activities intended to compromise data security and access data and data systems without authorization.
- Social engineering and improper sharing of PII by employees with those not granted permissions to it.
- Lack of audit procedures.
- Insufficient separation of systems into particular subnets.
- Sending/Forwarding PII to non-Emerson email addresses, or off-campus data systems.
- Sending paper-based PII through campus mail.
- Vendors of the College who have been granted access to PII.
- Data accessed through the improper disposal of electronic media (including hard drives from disposed computers) and paper files.
- Improper off-site storage of electronic and paper media.
- Consultants and contractors who are not properly vetted.
- Weak physical security at off-site locations.
3) Electronic Data Safeguards
- Identity Management: Emerson College will maintain a procedure for managing computer accounts for active employees, and will have in place procedures for promptly disabling accounts of those individuals who are no longer employed and/or entrusted by the College.
- Passwords: Emerson College requires passwords for accessing any system that may contain PII. Passwords must meet the minimum complexity requirements set by the Director of Networking and Telecommunications. Accounts shall be locked after excessive unsuccessful login attempts. Enforcement of the password policy shall be maintained through electronic means.
Vendor assigned and default passwords shall be changed reasonably promptly, but must be changed before the system accessed through said password contains any PII.
Access to PII shall be electronically limited to those employees with unique usernames. Usernames and passwords with access to PII shall not be shared amongst individuals.
- Timeouts: On a data system where a significant quantity of PII is stored, where it is practical, electronic timeouts shall be employed to screen-lock or timeout the user’s session.
- Access to Computers: Access to computers shall be restricted to those for whom the access is necessary. Persons entrusted with access to PII from their accounts shall ensure that they lock their computer screens, their office doors, or both, so that unauthorized access to PII does not occur.
- Data Security and Access Control Lists: Emerson College makes ongoing, self-audited efforts to ensure that only those persons whose job descriptions and/or College-assigned objectives necessitate access to electronically stored PII will be granted such access. A Data Custodian must authorize, in writing or via help desk ticketing, any permissions that grant electronic access to shared files and folders that are designated to contain PII.
For the purposes of this section, a job description, approved by the appropriate Data Custodian, that necessitates electronic access to share locations which are designated to contain PII, shall constitute written permission.
- Network Design Considerations: Emerson College shall maintain its firewall and Intrusion Prevention Systems so that networks which contain data servers can be discrete from end-user systems.
- Firewall: A commercial-grade firewall shall be maintained at Emerson College protecting systems containing PII from both external and internal unauthorized access. The software running on the firewall shall be reasonably current.
- IPS: Emerson College has as part of its firewall an Intrusion Prevention System that monitors traffic across its network to help mitigate unauthorized access. The software shall be kept reasonably current.
- Data Encryption: Where electronic files containing PII must unavoidably be taken from an approved storage location and placed on portable media (including, but not limited to, a computer’s internal hard drives, USB “thumb drives,” externally connected drives and other removable media such as CD-ROM), the files containing PII must comply with the standards set in the Emerson College Data Classification, Access, Transmission and Storage Guideline.
- Encrypted Network Transmission: Where feasible, when PII is transmitted over a data network where data interception is reasonably foreseeable, PII will be encrypted using Emerson College approved encryption.
Emerson College shall maintain SSL Certificates, issued by a trusted root certificate authority, which shall be used on web pages served by the College over which there exists the reasonably foreseeable possibility that PII may be accessed.
- VPN: Emerson College shall maintain a Virtual Private Network (“VPN”), which must be used to encrypt data connections to the College where there is a reasonably foreseeable possibility that PII will be carried over the connection and an SSL HTTP connection is not feasible.
- Security Patches: Reasonably up-to-date virus/malware protective agents shall run on College-owned computers and report back to a central server that is reviewed regularly for compliance with policy.
Reasonable means and methods shall be taken to ensure that security-related critical patches are applied to operating systems and application software.
- Electronic File Storage: The College shall maintain a file server or other secure means of data storage of sufficient speed and storage capacity to hold any and all electronic documents that may contain PII. No PII should be stored on individual desktop/laptop computers. All data must comply with Emerson College’s Data Classification, Access, Transmission and Storage Guideline.
- Encrypted Backups: Wherever feasible, server backups shall be encrypted using an industry-accepted data encryption standard.
- Ongoing Data Security Training and Acceptable Use: The College shall maintain a data security employee training program. Employees whose positions at the College require contact with PII shall be provided additional training, within their departments, commensurate with the potential exposure.
The College will maintain an acceptable use policy with which all persons granted access to Emerson College’s network will be required to comply.
4) Data Retention and Destruction
- Destruction of records will be done in a commercially acceptable manner so that PII cannot be practically read or reconstructed.
- All hard drives from servers or sensitive computer systems designated for replacement or retirement must be erased using DoD-approved software or securely destroyed to render any PII data unreadable or unable to be reconstructed.
- Where the College contracts with a third-party data destruction company, the College shall obtain written assurances from the third party that its disposal practices are in compliance with M.G.L. Ch. 93I.
- All data retention must comply with the Emerson College Records Management Policy.
5) Paper Based Data Safeguards
- File Cabinets: Where filing cabinets are to be used for the storage of PII, the filing cabinets are to remain locked unless the need to access the files within is imminent or current. Should removal of files containing PII from a filing cabinet be necessary, the files themselves must be protected against unauthorized access, and if the files will not be returned to the filing cabinet promptly, the filing cabinet shall be locked. Files must be returned to filing cabinets, which are then to be locked, no later than the end of the workday of the employee who removed them, unless their overnight storage outside their designated filing cabinet is approved, in writing, by the appropriate Data Custodian.
- Transport: All efforts will be made to minimize the physical transport of printed PII, substituting encrypted electronic data transport instead. Where printed PII must be transported, the carrier shall either be commercial and bonded, or a trained member of the Emerson College community.
6) Third Party Entrustment
- Emerson College shall take all reasonable steps to verify that any third-party vendor, contractor or service provider with access to PII maintained by the College has the capacity to protect such PII in the manner required by 201 CMR 17.00.
- Emerson College requires that all third-party vendors, contractors or service providers entrusted with PII complete, and submit to the College, a written manifestation of their current and ongoing compliance with the requirements of 201 CMR 17.00. Should the third party not provide such documentation, or later withdraw its assent to the requirements, the College shall no longer provide any PII to said third party and will take affirmative steps to ensure that previously entrusted PII is destroyed in a manner in line with that which the College would use.
- All contracts with vendors that will have access to PII must include standard Emerson contract language for PII.
7) Termination of the Relationship that Requires Entrustment of PII
Employees may leave, be terminated, or switch roles within Emerson College. The relationship between Emerson College and third parties may change. Where the employee or third-party had access to specific PII and the changed relationship negates the need for access, Emerson College shall take specific affirmative steps to ensure that access to PII is withdrawn.
- All records containing PII, in any form, must be returned at the time of termination of the relationship. If return is not feasible, destruction in accordance with industry standards, along with proof of such destruction, is acceptable.
- At the time of termination of the relationship, all electronic and physical access to PII must immediately cease and be blocked. Former employees and third parties must return keys, IDs (if not required for other legitimate purposes), access control tokens and cards. Electronic lock access shall be disabled.
- Continued access to PII by former employees and third parties with whom the business relationship has been terminated must be expressly authorized, in writing, by the appropriate Data Custodian.
8) Disciplinary Actions for Violations of the WISP
Employees must comply with the requirements of the WISP. Use of PII in a manner not expressly or impliedly granted by the College is prohibited during, and subsequent to, employment at Emerson College. Disciplinary action for infractions of the WISP shall be mandatory, the severity of which shall be commensurate to the infraction and may depend on a number of factors, including but not limited to, the nature of the violation, the nature of the PII, and the extent of the unauthorized use, exposure, or disclosure.
9) Breach Procedures
Whenever there is a breach that requires notification under M.G.L. Ch. 93H § 3, the College shall take, at a minimum, the following steps:
- A letter shall be sent to the Massachusetts Attorney General by the Office of General Counsel, minimally putting forth the information in Appendix A. The letter shall include as an attachment a copy of Emerson College’s WISP, but not including the WISP’s appendices.
- A letter shall be sent by the Vice President for Communications and Marketing to the affected Massachusetts residents notifying them of the breach and minimally including the information in Appendix B.
- A letter of notification of breach shall be sent to the College’s insurance carrier by the Director of Treasury and Risk Management.
- An immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in the security practices are required to improve the security of PII.
- Disciplinary action may be taken against the individual, or individuals, who caused, or contributed to, the breach.
The Vice President for Information Technology is responsible for the policy.
The Vice President for Information Technology and the Office of Information Technology are responsible for the oversight and implementation of the policy.
Appendix A: Minimal Text to be Included in Letter to Attorney General
Pursuant to M.G.L. c. 93H, we are writing to notify you of [a potential breach of security/an unauthorized access or use of personal information] involving [number] Massachusetts residents.
NATURE OF THE SECURITY BREACH OR UNAUTHORIZED USE OR ACCESS
[This paragraph should provide the date of the incident, a summary of the nature of the incident, a description of the categories of personal information involved in the incident, and whether the personal information that was the subject of the incident was in electronic or paper form].
NUMBER OF MASSACHUSETTS RESIDENTS AFFECTED
[This paragraph should specify the number of affected individuals residing in Massachusetts whose personal information was the subject of the incident. This paragraph should also indicate that these Massachusetts residents have received or will shortly receive notice pursuant to M.G.L. c. 93H, s. 3(b) and should specify the manner in which Massachusetts residents have or will receive such notice. We should also include a copy of the notice to affected Massachusetts residents in our notification to the Attorney General].
STEPS TAKEN OR PLAN TO TAKE RELATING TO THE INCIDENT
[This paragraph should outline all the steps we have taken or plan to take relating to the incident including, without limitation, what we did when we discovered the incident; whether we have reported the incident to law enforcement; whether we have any evidence that the personal information has been used for fraudulent purposes; whether we intend to offer credit monitoring services to consumers; and what measures we have taken to ensure that similar incidents do not occur in the future.]
OTHER NOTIFICATION AND CONTACT INFORMATION
[Finally, our letter should indicate whether we have provided similar notification to the Director of Consumer Affairs and Business Regulation. We should also include the name and contact information for the person whom the Office of the Attorney General may contact if they have any questions or need further information.]
Appendix B: Minimal Text to be included in Letter to Affected Massachusetts Residents
[City, MA, Zip]
We are writing to notify you that a [potential breach of security/unauthorized acquisition or use] of your personal information occurred on [date(s)].
OUR NOTICE MUST INCLUDE THE FOLLOWING INFORMATION:
Under Massachusetts law, you have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
Massachusetts law also allows consumers to place a security freeze on their credit reports. A security freeze prohibits a credit reporting agency from releasing any information from a consumer's credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing or other services.
If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze.
To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies: Equifax; Experian; and TransUnion by regular, certified or overnight mail at the addresses below:
- Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348
- Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
- Trans Union Security Freeze, Fraud Victim Assistance Department, P.O. Box 6790, Fullerton, CA 92834
In order to request a security freeze, you will need to provide the following information:
- Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
- Social Security Number
- Date of birth
- If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years
- Proof of current address such as a current utility bill or telephone bill
- A legible photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.)
- If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft
- If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.
The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both, that can be used by you to authorize the removal or lifting of the security freeze.
To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.
To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.
If you should have any further questions, please contact [provide contact information].