
Protecting Sensitive Information PA Turnpike Commission.



Presentation transcript:

1 Protecting Sensitive Information
PA Turnpike Commission

2 Sensitive Information
Examples of sensitive information include:
- PTC corporate information.
- Personal information.
- Health or medical information.
- Financial information (credit card data, bank account number).
- Personal information protected by anti-discrimination and information privacy laws.

3 PTC Corporate Information
Every effort must be made to ensure the confidentiality, integrity, and availability of PTC information assets. All members of the PTC workforce must be prudent in the use of information acquired in the course of their duties, and must not use confidential information for any personal gain nor in any manner which would be contrary or detrimental to the welfare of the PTC. Unauthorized access to, disclosure of, or dissemination of PTC or other sensitive information is not permitted.

4 Personal Identity Information
An individual's first name or first initial and last name in combination with, and linked to, any one or more of the following elements, when these elements are not encrypted or redacted:
- Social Security Number (SSN).
- Driver's license number or state ID card number.
- Financial account number, credit or debit card number, in combination with any security code that could permit access to an individual's financial account.
Note: The term "redact" means alteration or truncation so that no more than the last 4 digits of the SSN or driver's license number are accessible as part of the data.
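The definition above (name linkage plus an unencrypted, unredacted SSN, driver's license number, or account number with security code) can be turned into a data-inventory check. The following is an added example, not part of the PTC presentation; the record field names and the use of "X" as a mask character are assumptions.

```python
"""Classify records against the Personal Identity Information definition.
Added example; field names and the 'X' mask character are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_VISIBLE_DIGITS = 4  # redaction: no more than the last 4 digits accessible


def redact(value: str) -> str:
    """Mask every digit except the last four; separators and letters are kept."""
    seen, out = 0, []
    for ch in reversed(value):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= MAX_VISIBLE_DIGITS else "X")
        else:
            out.append(ch)
    return "".join(reversed(out))


def is_redacted(value: str) -> bool:
    """True when no digit is readable outside the last four alphanumerics."""
    compact = re.sub(r"[^0-9A-Za-z]", "", value)
    return not any(ch.isdigit() for ch in compact[:-MAX_VISIBLE_DIGITS])


@dataclass
class Record:
    first_name: str                          # first name or first initial
    last_name: str
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None    # or state ID card number
    account_number: Optional[str] = None     # financial, credit or debit card
    security_code: Optional[str] = None      # code that could permit account access
    encrypted: set = field(default_factory=set)  # field names stored encrypted


def _exposed(rec: Record, fld: str) -> bool:
    """An element is exposed if present, not encrypted, and not redacted."""
    value = getattr(rec, fld)
    return value is not None and fld not in rec.encrypted and not is_redacted(value)


def is_personal_identity_information(rec: Record) -> bool:
    """Apply the slide's definition: name linkage plus one exposed element."""
    if not (rec.first_name and rec.last_name):
        return False  # no name linkage, so the definition is not met
    if _exposed(rec, "ssn") or _exposed(rec, "drivers_license"):
        return True
    # an account number counts only in combination with an accessible security code
    code_exposed = rec.security_code is not None and "security_code" not in rec.encrypted
    return _exposed(rec, "account_number") and code_exposed
```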

5 Personal Identity Information
Personal Identity Information is protected by state law. PA SB 712, the Breach of Personal Information Notification Act, requires that PA residents be notified in instances where their personal data was or may have been disclosed due to a security system breach, and it further imposes penalties for failure to provide the required notifications.

6 Electronic Protected Health Information (ePHI)
Computer-based patient health information which is created, received, stored or maintained, processed and/or transmitted by the PTC. Examples:
- Medical record number, account number, or SSN.
- Patient demographic data, e.g. address, date of birth, date of death, sex, email/web address.
- Dates of service, e.g. date of admission, discharge.
- Medical records, reports, test results, appointment dates.

7 Electronic Protected Health Information (ePHI)
ePHI is protected by federal law. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules mandate protection and safeguards for access, use and disclosure of PHI and/or ePHI, with sanctions for violations.

8 Credit Card Information
Credit card information is regulated by the Payment Card Industry (PCI) Data Security Standard. Description of the PCI Standard: a set of data security requirements that apply to all employees, merchants, vendors, service providers, contractors and business partners who store, process or transmit [credit] cardholder data, as well as to all system components included in or connected to the cardholder data environment. System components include network components, servers or applications.

9 Personal Information Protected by Anti-Discrimination and Information Privacy Laws
Examples:
- Ethnicity.
- Gender.
- Date of birth.
- Citizenship.
- Marital status.
- Religion.
- Sexual orientation.
- Home address or home telephone number.

10 How To Protect Sensitive Information
1. Know where this data exists. All sensitive information must be protected. Knowing what you have and where it is is an important first step.
Note: Remember, sensitive information can also be in current or old hardcopy or electronic files, including archives.

11 How To Protect Sensitive Information
2. Destroy sensitive information which is no longer needed. The best way to protect restricted data is not to have it in the first place. Shred or otherwise destroy sensitive data before throwing it away. It is not uncommon to find all sorts of sensitive and even confidential information in trash cans and dumpsters. Even vacation schedules could be used by a resourceful hacker to justify a phony request for information, so consider anything that is not public information to be sensitive. Dispose of electronic media, such as CDs, appropriately. Contact the IT Service Desk, at ext. 5678, for additional information.

12 How To Protect Sensitive Information
3. Never share or discuss sensitive information with unauthorized individuals. And never share your user ID with another individual, or use another individual's user ID.
4. Know who has access to network drives and folders before you put sensitive information there.
5. Don't put sensitive information in locations that are accessible from the Internet.
6. Don't leave sensitive information lying around, including on remote printers, fax machines, or copiers - or even in your area when you step away.
7. Set up your workstation so that passersby cannot see the information on your monitor.

13 Storage of Sensitive Information
The storage of sensitive information on any non-PTC computing device or media is expressly prohibited. The permanent storage of sensitive information on any portable PTC computing device, such as a laptop, personal digital assistant (PDA) or smart phone, is not permitted. In instances where sensitive information must be temporarily stored on a portable PTC computing device, an approved corporate solution, typically encryption, must be installed and enabled on the device. Contact the IT Service Desk, at ext. 5678, for additional information. They will assist in obtaining the appropriate encryption solution, or appropriate media, such as a password-protected encrypted USB drive, to meet your business need.

14 Transferring and Downloading Sensitive Information
Transmission of sensitive information in clear text over a public network is not permitted. Sensitive information must only be transmitted over secure channels or using an encryption solution. Examples:
- When using the Internet, secure channels such as HTTPS or SFTP will provide a relatively secure connection.
- When using e-mail, the contents of the e-mail must be encrypted using a PTC-approved encryption solution.

15 The different modules of this tutorial will:
- Discuss the risks to your computer and the data it contains.
- Provide some guidelines for avoiding risks.
- Suggest some practical and easy solutions.
Please review these modules at your convenience.

