Skip to main content
more options

Consequences of Mishandling Sensitive Data


What should I do with my old computer when it’s time to throw it out?

When you retire hardware, be it your old computer, thumb drive, or a stack of CDs, it is necessary to take steps to sanitize and dispose of data appropriately, so it cannot fall into malicious hands. If your computer or other media stores confidential data, give it to your department’s technical support staff for proper disposal.

See Best Practices for Media Destruction to learn about IT Security Office recommendations.

Mishandling sensitive data can lead to Cornell suffering financial loss or damage to its reputation. The law requires Cornell to report the possible loss of certain types of data to government agencies and notify potentially affected individuals.


If there is any possibility of data loss, responding can easily consume hundreds of hours and is, as a result, an expensive activity. It can also involve many people from both within your department and elsewhere around campus and, consequently, can significantly disrupt university business.

Losing sensitive data has repercussions:

  • Regulatory fines
  • Loss of funding from government agencies
  • Lawsuits
  • Loss of donations and gifts
  • Loss of reputation

What Happens When Cornell Data May Have Been Exposed to an Intruder or Malicious Software

If an intruder has gained access to a computer used at Cornell that contains sensitive data, the IT Security Office will lead an investigation of the incident:

  1. The computer’s hard drive is copied for analysis.
  2. Information on the computer’s hard drive and other data, such as network traffic history, are analyzed to determine whether sensitive data may have been exposed.
  3. The university’s response to the incident is determined by the Data Incident Response Team (DIRT) members:
    • Vice President for Information Technologies (chairs the group)
    • IT Policy Office
    • IT Security Office
    • Audit Office
    • University Counsel
    • Cornell Police
    • University Communications
    • Risk Management
  5. The DIRT team also brings in the unit head, technical support staff, and other staff from the department where the incident occurred, as well as the university data steward (for example, the Vice President for Student and Academic Services for incidents involving student data, or the Vice President for Human Resources for incidents involving employee data). For a complete list of data stewards, see University Policy 4.12, Data Stewardship and Custodianship.
  6. DIRT meets to review the incident and determine how the university should respond to it. If there is a reasonable likelihood that sensitive data could have been accessed in an unauthorized fashion, DIRT determines which potentially affected parties need to be notified. DIRT also considers what needs to be done to avoid similar incidents in the future.