Online Cloud Storage and E-mail

On this page:

 Q:  Are online storage solutions like Google Drive and Dropbox appropriate for class work as well as personal files?

A:  Yes.  Cloud storage is appropriate for storing class work and personal files, and is very convenient because you can access the files from wherever you are as long as you have an Internet connection. Read the full answer

Q:  Where should I store University data?

A:  University documents should be stored on Bay or in system of record. Read the full answer

Q:  Is it safe to store Level 1 or Level 2 University data in the cloud?

A:  No. Currently-available cloud storage solutions do not provide the level of protection required for Level 1 or Level 2 data. Chico State recommends storing University data on Bay or in the system of record.  Read the full answer

Q:  What is the definition of University data?

A:   University Data covers any item of information that is collected, maintained, and used by the University for the purpose of carrying out the business of the University, subject to or limited by any overriding contractual or statutory regulations. Read the full answer

Q:  Is it safe for me to store Level 1or Level 2 data on Dropbox? 

A:  No. Dropbox does not provide the level of protection required for the storage of Level 1 or Level 2 data. There are no contracts or agreements with the University that protect the privacy, ownership, or confidentiality of data stored on Dropbox servers. Read the full answer

Q:  Can I send sensitive information through e-mail?

A:  No. Neither e-mail messages nor their attachments are secure unless the information is encrypted. Sensitive data, especially Level 1 protected data, should never be sent via e-mail unless it has been encrypted using Chico State approved strong encryption. Read the full answer

Q:  How do I share sensitive University data if I can't use e-mail?

A:  Encrypt the data. Chico State has identified several methods to quickly and securely encrypt sensitive information. Store the sensitive data in a University-managed system that can provide security and e-mail a link to the data.  Examples of secure systems are the Chico State portal or data warehouse; using this will improve the student and faculty experience and ensure that messages are reliably delivered to the correct person. Read the full answer

Q:  Is e-mail a safe way to send medical (HIPAA) data?

A:  No. E-mail is not safe for HIPAA data, which is subject to similar rules as Level 1 protected data. Read the full answer


GO TO TOP

Q:  Are online storage solutions like Google Drive and Dropbox appropriate for class work as well as personal files?

A:  Yes. Cloud storage is appropriate for storing class work and personal files.  It is very convenient because you can access the files from wherever you are as long as you have an Internet connection. The CSU has a contract with Google that protects the ownership and privacy (but not the security) of files you store in their system, but no similar arrangements exist with Dropbox or any other provider of cloud storage solutions, so files stored with these other providers are more vulnerable.

GO TO TOP

Q:  Where should I store University data?

A:  Employees should store University data on the "Bay" file server.

GO TO TOP

Q:  Is it safe to store Level 1 or Level 2 University data in the cloud?

A:  No. Currently available cloud storage solutions do not provide the level of protection required for Level 1 or Level 2 data. Employees should store University data on the "Bay" file server. Many online storage solutions are available such as Dropbox, SkyDrive and Google Drive, but these should never be used to store Level 1 data such as social security numbers and medical information, or Level 2 data such as grades, human resources, and FERPA information.  The full definitions of Level 1 and Level 2 data can be found here.

GO TO TOP

Q:  What is the definition of University data?

A:  University data covers any item of information that is collected, maintained, and used by the University for the purpose of carrying out the business of the University, subject to or limited by any overriding contractual or statutory regulations. University data may be stored either digitally or on paper and may take many forms, including, but not limited to, text, graphics, images, sound, and video. Research data, scholarly work by faculty or students, and intellectual property that does not contain personally identifiable information or other data protected by law or University policy is not considered University data, nor is an individual’s own personally identifiable information (PII)  unless it's used as described above. University data must be available to the University and other individuals as required under University policies and is subject to CSU Policy & Standards, CSU Data Classification, and other appropriate controls depending on the sensitivity of the data.

GO TO TOP

Q:  Is it safe for me to store Level 1 or Level 2 data on Dropbox?

A:  No. Dropbox does not provide the level of protection required for the storage of Level 1 or Level 2 data. There are no contracts or agreements with the University that protect the privacy, ownership, or confidentiality of the data stored on Dropbox servers. Note, too, the statement on the Dropbox website that 
Dropbox does not currently have HIPAA, FERPA, SAS 70, ISO 9001, or PCI certifications. 

GO TO TOP

Q:  Can I send sensitive information through e-mail?

A:  No. Sensitive data, and in particular University data that has been classified as Level 1 protected data, should never be sent via e-mail, either in the body of the e-mail or in an attachment, unless that data has been encrypted using Chico State approved strong encryption.

Alternatively, you can store the sensitive data in a system protected by password security and send an e-mail containing a link to the data. Communication involving student records should use the Chico State portal whenever possible. Using the Portal provides a better student and faculty experience and ensures that messages are securely and reliably delivered to the correct person.

You can also save sensitive data on a University-managed system that requires a password, such as a file server, and send a link to the data in an e-mail.

Below are some resources for secure information sharing:

  • The US Department of Education, Privacy Safeguards Program states that one should "never include personal information within e-mail message text. Names, SSNs, dates of birth, etc…”
  • IRS Publication 1075 states that Federal Taxpayer Information (FTI) is covered by the Code of Federal Regulations and Internal Revenue Code: “E-mail systems shall not be used to transmit FTI data.”
  • The California Office of Information Security states that: “… e-mail and IM messages hit numerous servers and routers before reaching their final destination ... and can be intercepted at any stage. Therefore, no confidential or sensitive data [Levels 1 or 2] should be sent via e-mail in clear text or transmitted via Instant Messaging.”
  • The Federal Trade Commission (15 U.S.C §§ 41-58, as amended) states that: “Regular e-mail is not a secure method for sending sensitive [Levels 1 or 2] data ... the better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves."

GO TO TOP

Q:  How do I share sensitive University data if I can't use e-mail?

A:  You have several options:

  1. Encrypt the data. The University has identified several methods to quickly and securely encrypt sensitive data.
  2. Keep the sensitive data in a system that can provide security and send your recipient a link to the data. An ideal way to do this is through the Chico State portal, as this will not only ensure that messages are reliably delivered to the right person by also improve the student and faculty experience.
  3. Save sensitive data on a University-managed system such as a file server and send a link to the data in an e-mail.

Below are some resources for secure information sharing: 

  • The US Department of Education, Privacy Safeguards Program states that one should ”never include personal information within e-mail message text. Names, SSNs, dates of birth, etc…”
  • IRS Publication 1075 states that Federal Taxpayer Information (FTI) is covered by the Code of Federal Regulations and Internal Revenue Code: “E-mail systems shall not be used to transmit FTI data.”
  • The California Office of Information Security states that: “… e-mail and IM messages hit numerous servers and routers before reaching their final destination ... and can be intercepted at any stage. Therefore, no confidential or sensitive data [Levels 1 or 2] should be sent via e-mail in clear text or transmitted via Instant Messaging.”
  • The Federal Trade Commission (15 U.S.C §§ 41-58, as amended) states that: “Regular e-mail is not a secure method for sending sensitive [Levels 1 or 2] data ... the better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves."

GO TO TOP

Q:  Is e-mail a safe way to send medical (HIPAA) data?

A:  No.  E-mail is not safe for HIPAA data, which is subject to similar rules as Level 1 protected data. HIPAA (the Health Information Portability and Accountability Act) requires that any electronic transmissions containing protected health information (PHI) be encrypted using strong encryption. Messages containing PHI that are transmitted over unencrypted e-mail are archived and can be transmitted onwards by every program or device that receives them. E-mail messages, their attachments, and archives are highly vulnerable to improper disclosure and may put both the University and the provider sending the e-mail at risk.

GO TO TOP

Applicable References and Legislative Resources

Related Federal Laws and Regulations

  • Gramm-Leach-Bliley Act of 1999
  • HIPAA – Health Information Portability and Accountability Act
  • Family Education Rights and Privacy Act of 1974 (FERPA
  • Federal Trade Commission Regulations (16 CFR, Part 314) Standards for Safeguarding Customer Information; Final Rule, May 23, 2002
  • Federal Trade Commission Regulations (16 CFG, Part 313) Privacy of Consumer Financial Information
  • Payment Card Industry (PCI) Data Security Standard (DSS)

Related CA State Laws and Regulations

  • California Information Practices Act of 1977 (California Civil Code Section 1798.85)
  • California Education Code, Section 89546, Employee Access to Information Pertaining to Themselves
  • California Code of Regulations, Title 5, Sections 42396-42396.5
  • Comprehensive Computer Data Access and Fraud Act (California Penal Code, Section 502)
  • California: SB 1386: Disclosure of Security Breach of Confidential Information
  • California: SB 2246: Customer Records:  Act to add to Title 1.81, Part 4 of Division 3 of the Civil Code
  • California Civil Code Sections 1798-1798.78.

Related CSU Policies