Consequences of Mishandling Sensitive Data

Mishandling sensitive data can lead to Cornell suffering financial loss or loss of reputation. The exposure, or possible exposure, of certain types of data requires Cornell to report the event to government agencies and notify the affected individuals.

If there is even a possibility of data loss, responding can easily consume hundreds of hours and is, as a result, an expensive activity. It can also involve many people from both within your department and elsewhere around campus and, consequently, can significantly disrupt university business.

The repercussions of losing sensitive data include:

  • Regulatory fines
  • Loss of funding from government agencies
  • Lawsuits
  • Loss of donations and gifts
  • Loss of reputation

What Happens When Cornell Data May Have Been Exposed to an Intruder or Malicious Software

If an intruder has gained access to a computer used at Cornell that contains sensitive data, the IT Security Office will lead an investigation of the incident.

  1. The computer’s hard drive will be copied for analysis.
  2. Information on the computer’s hard drive and other data, such as network traffic history, are analyzed to determine whether sensitive data may have been exposed.
  3. The university’s response to the incident is determined by the Data Incident Response Team (DIRT). Members include:
    • Vice President for Information Technologies (chairs the group)
    • IT Policy Office
    • IT Security Office
    • Audit Office
    • University Counsel
    • Cornell Police
    • University Communications
    • Risk Management
    DIRT will also bring in the unit head, IT staff, and other staff from the department where the incident occurred, as well as the university data steward (for example, the Vice President for Student and Academic Services for incidents involving student data, or the Vice President for Human Resources for incidents involving employee data). See University Policy 4.12 for a complete list of data stewards.
  4. DIRT meets to review the incident and determine how the university should respond to it. If there is a reasonable likelihood that sensitive data could have been accessed in an unauthorized fashion, DIRT determines which potentially affected parties need to be notified. DIRT also considers what needs to be done to avoid similar incidents in the future.