Downstream Data and SPI
"Downstream data" poses a significant security risk to otherwise protected computer systems and networks. Downstream data is defined as sensitive and private information (SPI), such as the combination of names, social security numbers, birth dates, etc., that is initially held on a protected server system but downloaded onto less secure desktops or laptops in the form of file extracts or spreadsheets. The majority of current confidentiality breaches (disclosures) stem from improperly secured downstream data: stolen laptops, misplaced thumb drives, etc.
Many states, including Washington, have passed strict laws governing the notification requirements associated with the disclosure of SPI data. Disclosure of SPI is a very costly mistake for any organization, both in terms of reputation and monetary damages.
Avoid Disclosure of Downstream Data
- Keep SPI data on original systems only.
- If you download data, wipe out any information that is protected as SPI.
- Contact your Micro Systems team representative for additional assistance.
Report confirmed or suspected disclosures of SPI data immediately to the University Chief Information Officer, Dave Tindall, at 206-281-2339.
SPU manages the SPI data threat, in part, through the use of encrypted data stores on University-owned laptops and desktops. See the help pages on Datasync for more details.