Online Cloud Storage and Email FAQ

Q: Are online storage solutions like Google Drive and Dropbox appropriate for class work as well as personal files?

Q: Is it safe to store Level 1 or Level 2 University data in the cloud?

Q: What is the definition of University data?

Q: Is it safe for me to store Level 1 or Level 2 data on Dropbox?

Q: Can I send sensitive information through e-mail?

Q: How do I share sensitive University data if I can't use e-mail?

Q: Is e-mail a safe way to send medical (HIPAA) data?

Applicable References and Legislative Resources

Q:  Are online storage solutions like Google Drive and Dropbox appropriate for class work as well as personal files?

A.Yes. Cloud storage is appropriate for storing class work and personal files.  It is very convenient because you can access the files from wherever you are as long as you have an Internet connection. The CSU has a contract with Google that protects the ownership and privacy (but not the security) of files you store in their system, but no similar arrangements exist with Dropbox or any other provider of cloud storage solutions, so files stored with these other providers are more vulnerable.

Q:  Is it safe to store Level 1 or Level 2 University data in the cloud?

A:  No. Currently available cloud storage solutions do not provide the level of protection required for Level 1 or Level 2 data. The full definitions of Level 1 and Level 2 data.

Q:  What is the definition of University data?

A:  University data covers any item of information that is collected, maintained, and used by the University for the purpose of carrying out the business of the University, subject to or limited by any overriding contractual or statutory regulations. University data may be stored either digitally or on paper and may take many forms, including, but not limited to, text, graphics, images, sound, and video. Research data, scholarly work by faculty or students, and intellectual property that does not contain personally identifiable information or other data protected by law or University policy is not considered University data, nor is an individual’s own personally identifiable information (PII)  unless it's used as described above. University data must be available to the University and other individuals as required under University policies and is subject to CSU Policy & Standards, CSU, Chico Data Classification, and other appropriate controls depending on the sensitivity of the data.

Q:  Is it safe for me to store Level 1 or Level 2 data on Dropbox?

A:  No. Dropbox does not provide the level of protection required for the storage of Level 1 or Level 2 data. There are no contracts or agreements with the University that protect the privacy, ownership, or confidentiality of the data stored on Dropbox servers. 

Q:  Can I send sensitive information through e-mail?

A:  No. Sensitive data, and in particular University data that has been classified as Level 1 protected data, should never be sent via e-mail, either in the body of the e-mail or in an attachment, unless that data has been encrypted using Chico State approved strong encryption.

Alternatively, you can store the sensitive data in a system protected by password security and send an e-mail containing a link to the data. Communication involving student records should use the Chico State portal whenever possible. Using the Portal provides a better student and faculty experience and ensures that messages are securely and reliably delivered to the correct person.

You can also save sensitive data on a University-managed system that requires a password, such as a file server, and send a link to the data in an e-mail.

Below are some resources for secure information sharing:

• The US Department of Education, Privacy Safeguards Program (PDF) states that one should "never include personal information within e-mail message text. Names, SSNs, dates of birth, etc…”
• IRS Publication 1075 (PDF) states that Federal Taxpayer Information (FTI) is covered by the Code of Federal Regulations and Internal Revenue Code: “E-mail systems shall not be used to transmit FTI data.”
• The California Office of Information Security (DOC) states that: “… e-mail and IM messages hit numerous servers and routers before reaching their final destination ... and can be intercepted at any stage. Therefore, no confidential or sensitive data [Levels 1 or 2] should be sent via e-mail in clear text or transmitted via Instant Messaging.”
• The Federal Trade Commission (15 U.S.C §§ 41-58, as amended) states that: “Regular e-mail is not a secure method for sending sensitive [Levels 1 or 2] data ... the better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves."

Q:  How do I share sensitive University data if I can't use e-mail?

A:  You have several options:

1. Encrypt the data. The University has identified several methods to quickly and securely encrypt sensitive data.
2. Keep the sensitive data in a system that can provide security and send your recipient a link to the data. An ideal way to do this is through the Chico State portal, as this will not only ensure that messages are reliably delivered to the right person by also improve the student and faculty experience.
3. Save sensitive data on a University-managed system such as a file server and send a link to the data in an e-mail.

Below are some resources for secure information sharing: 

• The US Department of Education, Privacy Safeguards Program (PDF) states that one should ”never include personal information within e-mail message text. Names, SSNs, dates of birth, etc…”
• IRS Publication 1075 (PDF) states that Federal Taxpayer Information (FTI) is covered by the Code of Federal Regulations and Internal Revenue Code: “E-mail systems shall not be used to transmit FTI data.”
• The California Office of Information Security (DOC) states that: “… e-mail and IM messages hit numerous servers and routers before reaching their final destination ... and can be intercepted at any stage. Therefore, no confidential or sensitive data [Levels 1 or 2] should be sent via e-mail in clear text or transmitted via Instant Messaging.”
• The Federal Trade Commission (15 U.S.C §§ 41-58, as amended) states that: “Regular e-mail is not a secure method for sending sensitive [Levels 1 or 2] data ... the better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves."

Q:  Is e-mail a safe way to send medical (HIPAA) data?

A:  No.  E-mail is not safe for HIPAA data, which is subject to similar rules as Level 1 protected data. HIPAA (the Health Information Portability and Accountability Act) requires that any electronic transmissions containing protected health information (PHI) be encrypted using strong encryption. Messages containing PHI that are transmitted over unencrypted e-mail are archived and can be transmitted onwards by every program or device that receives them. E-mail messages, their attachments, and archives are highly vulnerable to improper disclosure and may put both the University and the provider sending the e-mail at risk.

Related Federal Laws and Regulations

• Gramm-Leach-Bliley Act of 1999
• HIPAA – Health Information Portability and Accountability Act
• Family Education Rights and Privacy Act of 1974 (FERPA
• Federal Trade Commission Regulations (16 CFR, Part 314) Standards for Safeguarding Customer Information; Final Rule, May 23, 2002
• Federal Trade Commission Regulations (16 CFG, Part 313) Privacy of Consumer Financial Information
• Payment Card Industry (PCI) Data Security Standard (DSS)

Related CA State Laws and Regulations

• California Information Practices Act of 1977 (California Civil Code Section 1798.85)
• California Education Code, Section 89546, Employee Access to Information Pertaining to Themselves
• California Code of Regulations, Title 5, Sections 42396-42396.5
• Comprehensive Computer Data Access and Fraud Act (California Penal Code, Section 502)
• California: SB 1386: Disclosure of Security Breach of Confidential Information
• California: SB 2246: Customer Records:  Act to add to Title 1.81, Part 4 of Division 3 of the Civil Code
• California Civil Code Sections 1798-1798.78.

Related CSU Policies

• CSU Executive Order 796 (required compliance with FERPA)
• Records Access Manual: Office of General Counsel: The California State University, March 2005 (Records exempted from disclosure)
• Chancellor’s Office Memorandum of March 26, 2003: Increased Security Measures for CMS
• California State University HR: 2005-07: New Legislation Regarding the Use of Social Security Numbers (CO)
• California State University HR: 2005-16: Requirements for Protecting Confidential Personal Data
• CSU Information Security Policy - Section 8000 Integrated CSU Administrative Manual (4/19/10)(opens in new window) 
• CSU Coded Memo HR 2005-16 (4/8/05) (PDF)- Requirements for protecting confidential personal data 
• CSU Coded Memo HR 2007-05 (2/8/05) (PDF) - Requirements for implementing state law regarding use of Social Security number
• CSU Coded Memo HR 2005-01 (1/7/05) (PDF) - Update: Information Practices Act(opens in new window)