11.09 - Data Loss Prevention

Last Updated: May 13, 2023

Last Reviewed: May 13, 2023

Policy Statement

Weill Cornell Medicine community members are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by the Weill Cornell Medicine. In accordance with policies 11.01 – Responsible Use of Information Technology Resources and 11.02 – Privacy of the Weill Cornell Medicine Network and Systems, Weill Cornell Medicine reserves the right to restrict the use of its resources in order to preserve data security or comply with law or policy. While Weill Cornell Medicine permits generally unhindered use of its information technology resources, those who use Weill Cornell Medicine information technology resources do not acquire, and should not expect, a right of privacy. 

In order to further secure data and improve regulatory compliance, Weill Cornell Medicine has implemented a data loss prevention (“DLP”) system. The DLP system is used to identify high risk data on the Weill Cornell Medicine network and, in cases where intentional or unintentional use violates policy, Weill Cornell Medicine may block the creation, reception, storage, or transmission of high risk data.

Reason for Policy

Weill Cornell Medicine is legally responsible to protect institutional data, including high risk data as defined in ITS policy 11.03 – Data Classification. High risk data must be treated with extreme care to avoid inappropriate loss or disclosure with possible attendant fines or mandated notifications.

Entities Affected by this Policy

All units of Weill Cornell Medicine, including Weill Cornell Medicine-Qatar.

Who Should Read this Policy

All members of the Weill Cornell Medicine community utilizing Weill Cornell Medicine information technology resources.

All stewards and custodians of Weill Cornell Medicine data.

Web Address of this Policy

https://its.weill.cornell.edu/policies

Contacts

Direct any questions about this policy, 11.09 – Data Loss Prevention, to Brian J. Tschinkel, Chief Information Security Officer, using one of the methods below: 

  • Office:                          (646) 962-2768
  • Email:                           brt2008@med.cornell.edu

 1.   Principles

The data loss prevention system identifies high risk data that may be transmitted without proper safeguards and flags it for further investigation. In some cases, the DLP system will stop the flow of data, such as an email containing high risk data that is sent to an outside entity without the use of encryption. 

The DLP system has the ability to: 

  • Monitor data in motion (e.g., emails, instant messages, web or file transfers, etc.)
  • Search for and analyze data at rest (e.g., data residing on a file server, database, or cloud storage solution) and data at the endpoint (e.g., files on a laptop, desktop, or on a flash drive). 

By gathering this information, the DLP system can determine if data is high risk and appropriately secure it to prevent security policy violations and maintain regulatory compliance. 

Weill Cornell Medicine handles a large amount of high risk data on a daily basis. Technologies that enable Weill Cornell Medicine to function efficiently and make data easy to access and share also increase the risk of unauthorized disclosure and loss of confidentiality. This has potentially serious consequences, including financial penalties, customer dissatisfaction, increased regulatory scrutiny, and reputational damage. 

The DLP system is being used in conjunction with other security tools to protect high risk data and reduce the risk of it being compromised. This helps protect both Weill Cornell Medicine data as well as the Weill Cornell Medicine community from the consequences of losing high risk data.

 

Policy Download: 

Need Help?

myHelpdesk
(212) 746-4878
Monday-Sunday
Open: 24/7 (Excluding holidays)
SMARTDesk
WCM Library Commons
1300 York Ave
New York, NY
10065
M-F
9AM - 5PM
Make an appointment

575 Lexington Ave
3rd Floor
New York, NY
10022
Temporarily Closed

IT Glossary

Type an acronym or term you would like a definition for.