The September 2, 2015 "Important" notice about the use of cloud services such as Box or Google may have led some to conclude both services are inherently and/or equally insecure under the University's data security classification below:
- Level 3. Information specifically designated as sensitive by laws, regulations, or contracts; such as financial and health records or research contracts;
- Level 2. Personally identifiable information (e.g. SSN combined with number holder’s name) protected by Federal or state laws, or data requirements from research sponsors.
- Level 1. UMBC proprietary institutional information; such as educational records protected FERPA or research contracts.
- Level 0. Public Information not classified as level 1-3.
To clarify, Google is not approved for confidential data (levels 2 & 3 above). Since Google stores its data around the world and employs people around the world, ORPC and DoIT do not recommend that Google be used with export controlled data. By contrast, Box.com is approved for level 0, 1, and 2 data. This means that information such as SSNs and passport numbers can be stored in Box. While all Box.com data is currently stored in the USA, there is no guarantee that Box.com will always keep our data in the USA. There are also no guarantees that a foreign person will not be employed by Box.com and have an ability to access our data. Accordingly, Box.com is okay to use with data classified as level 0, 1, and 2, but we would would not recommend it for export controlled data.
For more information, please consult UMBC’s policy for the protection of sensitive information as well as DoIT’s data use guidance for more information. You may also wish to consult with Mark Cather, UMBC's Chief Information Security Officer (CISO), who can be reached at 410.455.3783 or mark.cather@umbc.edu.