Downstream Data poses a significant security risk to otherwise protected computer systems and networks. Downstream data is defined as sensitive and private information (SPI) such as the combination of names, social security numbers, birth dates, etc. This data is initially held on a protected server system, but downloaded onto less secure desktops or laptops in the form of file extracts or spreadsheets. The majority of current confidentiality breaches and disclosures stem from improperly secured downstream data systems: stolen laptops; misplaced thumb drives; etc.
Many states, including Washington, have passed strict laws governing the notification requirements associated with the disclosure of SPI data. Disclosure of SPI is a very costly mistake for any organization both in terms of reputation and monetary damages.
Avoid disclosure of downstream data:
- Keep SPI data on original systems only.
- If data is downloaded, wipe out any information that is protected as SPI.
- Contact CIS for additional assistance.
Report confirmed or suspected disclosures of SPI data immediately to CIS.