NOTICE: Do not use personal accounts with sensitive university data

Thursday, October 1, 2015

This information was sent to the IT Security Community and Frontline Notify groups on October 1, 2015.

Would you please help us remind people not to use their personal accounts with sensitive institutional data?

Members of the university community often receive email offers for personal accounts for cloud-based storage services such as Dropbox, Evernote, and more. Some of these offers specifically target U-M students, faculty, and staff and appear to be—but are not—connected with the university. For example, many people at U-M received an email from Dropbox on Sept. 29 asking them to join others at U-M in a promotional effort to invite others to use the service.

Please remind the people you work with that personal accounts should never be used to maintain or share sensitive university data. This includes personal accounts for services such as Dropbox, Evernote, iCloud, OneDrive, SugarSync, and so on. It also includes personal accounts for Box and Google.

It is important to understand that university-provided services, such as M+Box and M+Google accounts, are different from personal accounts for the same services, such as Box and Google accounts. Because U-M has contractual agreements for M+Box and M+Google accounts, they are suitable for use with some types of sensitive data. M+Box, for example, has been approved for use with data regulated by HIPAA if certain usage guidelines are followed. Information about which university-provided services can be used with which types of university data, as well as responsible use of those services, is in the Sensitive Data Guide to IT Services.

Please urge people in your units to check the Sensitive Data Guide to help them make informed decisions about where to safely store and share sensitive university data using IT services available on the U-M Ann Arbor campus.


Donald J. Welch, Ph.D.,
Chief Information Security Officer,
University of Michigan