When a laptop owned by the University of Sydney containing information about students – including names, dates of birth, contact details and medical details – was lost in 2016, the outcry was understandably significant. The university declined to comment on whether the files or the disk were encrypted. A message sent to the students said the computer was password-protected, and that ‘this does not absolutely guarantee the security of the information [stored on the device]’.
The importance of protecting research data from cyber-attacks cannot be overstated. Ethical obligations, organisational policy and privacy laws all compel researchers to take this issue seriously. Also, researchers should be motivated by self-interest to avoid the hassle that comes with losing research data and the exposure that comes with research data falling into the wrong hands.
While working from the relative security of a campus or other location managed by your organisation’s IT department, it is easy to forget about these obligations. Although researchers still have a role to play in securing data at home, it’s when travelling that their behaviour has the biggest impact.
Researchers who are travelling need to be particularly aware of the relevant threats and take steps to avoid being the victim of a cyber security breach.
In February 2018, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 is expected to come into operation. This new law will apply to all entities that are currently subject to the Australian Privacy Principles under the Privacy Act 1988. Under this law, organisations must notify the Office of the Australian Information Commissioner and affected individuals of eligible data breaches as soon as practicable after the applicable entity becomes aware that ‘there are reasonable grounds to believe that there has been an eligible data breach of the entity’ (section 26WK of the Bill).
Research data stored on any type of portable device is at risk of being lost or stolen. While many organisations do an excellent job of securing their corporate notebook computers, the same is not always true for employee-supplied devices or for tablets, phones and USB storage devices. If an unsecured device containing research data is lost or stolen, it is at risk of being accessed by unauthorised people and there may be an obligation under new mandatory reporting legislation to report the loss to any person whose privacy may have been affected.
Lost or stolen devices aren’t the only threat to research data – government officials in several countries, including the US, have the right to demand travellers unlock digital devices for examination (see box p. 20). Travelling researchers are not exempt from this. If you have research data on a device you are bringing into another country, that device may be legally examined and you can be forced to hand over passwords so data can be examined and even copied by officials of that country.
While travelling, your device may need to connect to third-party networks; these networks may not be secured to an adequate standard and there is additional risk of data sent or received using these networks being intercepted or modified.
The root cause of these problems is the same: any data stored on any device in the possession of a researcher is at risk of loss or disclosure to unauthorised people. In solving this problem, the first option that must be considered is leaving the data at home. Do you really need a copy of the whole project folder? If not, leave it on the department share drive where it belongs.
If you need a computer at all, ideally it should be a ‘burner’ device that contains no sensitive information. This device can be used to securely access your organisation’s network remotely as and when research data needs to be accessed or updated. This should be the default solution whenever possible and researchers should encourage their IT departments to explore options for secure remote access via virtual private networks (VPNs) to remote desktop or virtual applications that leave no data cached on the remote device.
If remote access to your organisation’s network is impossible, you can take steps to provide a multilayer approach to security (see box). This approach reduces but cannot eliminate risk.
In addition to these technical controls, researchers must take all possible steps to ensure the physical security of their devices. Keeping your devices with you or locking them in a safe is a good idea. If you are travelling to a country where border officials have the legal right to access your data, you are left with a real problem. Again, the best solution is not having the data on your device at all. Even if you can’t manage this as a permanent solution while travelling, you may be able to cross the border without the data on your device and then, once at your destination, copy it to the device via your VPN. If this isn’t possible, the only alternative is using a courier service to transport the device.
Too hard? Maybe … and even with all the controls we’ve listed here, there is a risk that you’ll have your data stolen. Talk to your IT department – if they can set up a secure remote access solution for you, it will save everyone a lot of grief.