Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Data Risk Classification Category

Category 3 - Restricted

Minimum Security Standard

 800-53 High

Risk from Disclosure



  • Protection of the data is required by law/regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
  • Restricted data is defined using the definition of private information in the New York State Security and Breach Notification Act as a foundation: bank account/credit card/debit card numbers, social security numbers, state-issued driver license numbers, and state-issued non-driver identification numbers. To this list University policy adds protected health information (PHI), I.T. authentication credentials, and passport numbers.
  • Restricted data may be exempt from disclosure/release under the New York State Freedom of Information Law (FOIL). The Information Security Breach and Notification Act requires the University to disclose any breach of the data affected individuals.


  • Social security number (SSN)
  • Driver license number
  • State-issued non-driver ID number
  • Bank/financial account number
  • Credit/debit card number (CCN)
  • Protected Health Information
  • Passport number
  • University I.T. authentication credentials
  • Documents protected by attorney-client privilege