In the summer of 2012, the University of Illinois licensed Box's online file sharing and collaboration service for faculty, staff and students. CITES Security sees this as a great step forward for the University's ability to securely store and share documents and information. Security controls were a large part of the contract negotiations with Box, and we are very pleased to see that Box is committed to data security. The contract included language that reflects the University's data security policies and practices, including FERPA. For that reason, we recommend that faculty, staff and students use Box to store documents, including certain types of sensitive data.
Generally, any University information considered to be Public, Internal or Sensitive can be stored safely on Box. This includes data that would be considered FERPA information. Therefore, class assignments and course materials can be stored and shared using Box.
Data that is considered Highly Sensitive should NOT be stored on Box. This includes Social Security Numbers, credit card numbers and medical information. For more information on how the University classifies data, please see our Data Classification page. Highly Sensitive University information should continue to be stored on University-managed file shares and other highly secure on campus locations.
Other third party backup and file storage solutions obviously exist. However, due to a variety of state and federal laws, storing University sensitive data on with one of those other services might legally constitute a data breach that you and the University would be responsible for. Our contractual relationship with Box means that University data can be stored on Box without running afoul of data protection laws.
In the future, CITES Security will post more specific information on how to securely use Box. Until then, you can sign up for your University of Illinois Box account and find more support on the University's web site.