CSUMB website privacy statement

California State University Monterey Bay (CSUMB) is committed to protecting the privacy of visitors to our website, as well as our applicants, students, and employees. CSUMB has established this Privacy Policy to explain what information we collect through our websites and how it is used, as well as protections for our employees' and students' personal information.

In this policy, "CSUMB" refers to all students, staff, faculty, contractors, or other individuals who have access to your information.

CSUMB does not sell or rent applicant, student, employee, or website visitor information under any circumstances, and we do not share applicant, student, employee, or visitor information without prior consent except as compelled by law.

This policy only covers the main campus website, which is every URL that begins with “csumb.edu,” and excludes subdomains (e.g. “cmsweb.csumb.edu”). It does not cover other web applications run by the university or its vendors, including CMS Student and Cal State Apply.

Information gathered by CSUMB’s site


CSUMB logs traffic by visitors and logged-in users for a variety of purposes. In all cases, these logs are hosted with third-party providers with their own privacy policy. Each log has a different timeline for deletion, but in all cases where we download logs to do further research, we follow the Electronic Frontier Foundation’s Best Practices for anonymizing and obfuscating traffic. Logs are used for

  • site testing,
  • diagnosis of technical problems,
  • defending against attacks to the site,
  • handling a spike in traffic or other abnormal, short-term circumstances, or
  • research projects (in anonymized form) that serve our overall mission.

There are three different solutions that CSUMB uses for logging:

System logs - These are internal logs used by the website and retained for no more than 10,000 entries, which is usually less than 24 hours. They only log actions like logging in and out of the website, and any errors visitors might run into. Logs are only kept on logged-in users, as anonymous traffic does not hit our system directly. These logs are only used to troubleshoot problems.

New Relic - New Relic is used to track overall site performance, and see effects of changes to the website. All information in New Relic is anonymized, as outlined in their privacy policy.

Nginx Logs - These logs are retained for up to three days, and do not contain personal information for logged-in users. They are accessed rarely by CSUMB and our hosting provider Pantheon in case of an attack, or unusual traffic patterns. These logs could be used to possibly track the activities of individual visitors using advanced fingerprinting techniques.


CSUMB uses Google Analytics (GA) to track web site usage and trends. GA has a privacy policy which includes anonymization of user data. Because we use GA to track user interactions across multiple web pages, the tool places a unique cookie on every user’s browser. This cookie stays on the computer until you quit your browser. The cookie does not include personally identifiable information, and we do not use GA events or other tools to send information about logged-in users to GA.

Other external services

We use Headway to show changelog information, which includes Headway setting a cookie on the browser to track if a user has viewed the changelog. This is only shown to logged-in users who are editors of content on the website. We do not send any information to Headway.

Voluntarily submitted user information

CSUMB collects and retains information you voluntarily submit to us. It is up to you whether to submit information to us, and how much information to provide. We may ask for additional personal information when you provide feedback or comments, or otherwise communicate with us. You are not required to provide any personal information in page feedback.

We may ask for personal information when giving a donation or making a transaction. Several departments use services to collect email addresses for sending newsletters.

Third party providers

For all of CSUMB's service providers and any other providers we may use in the future, the information collected from CSUMB users remains protected by the terms of our agreements with those providers, and we will ensure that the information is kept confidential and disclosed only to employees who require such access in the course of their assigned duties. CSUMB also requires all of our third-party service providers to notify CSUMB if they receive legal process seeking information about visitors to CSUMB’s website.

CSUMB may change the specific third-party providers from time to time, and will transfer stored information to any new provider subject to similar restrictions and agreements.

List of all third party providers

  • Swiftype - Site search.
  • Filestack - Uploading student photos for OtterCards, and uploading files and documents to the website.
  • Pantheon - Website hosting.
  • Amazon S3 - Storage of uploaded images and documents.
  • Google Analytics - Tracking campus website usage.
  • Olark - Live chat in the dashboard and other sites.
  • Airtable - For providing generic databases.
  • Updown.io - Tracking site uptime and reporting uptime on the IT website.
  • Tumblr - For the IT Alerts blog.

Disclosure of your information

While CSUMB endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.

If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given us an email address, or by postal mail if you have entered a postal address. If you do not challenge the disclosure request, we may be legally required to turn over your information.

Exceptions for employees

University employees are not protected from disclosure, and their data can be retained for information gathering during legal proceedings. As a university employee, your account is not owned by you, but instead by the university and the state of California.


CSUMB employs industry-standard security measures to protect against the loss, misuse, and alteration of the information under our control. CSUMB has turned on HTTPS by default.

Security Vulnerability Reporting Policy

CSUMB values the work done by security researchers in improving the security of our website and applications. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.

If you are a security researcher and would like to report a security vulnerability, please send an email to: webservices@csumb.edu. Please provide your name, contact information, and company name (if applicable) with each report.

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
  • Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
  • Do not modify or access data that does not belong to you
  • Give us a reasonable time to correct the issue before making any information public

We will attempt to respond to your report within 1-2 business days.