1.
East Carolina University
Policy on
Social Security Number and Personal Identifying Information*
February 21, 2008
Presented by the Identity Theft Protection Committee
* Personal Identifying Information (PII)
2. What’s All the Hype about SSN and PII?
Federal and state laws such as the North Carolina Identity Theft Protection Act (NCIDTPA), FERPA, the HIPAA Privacy Rule and other regulations require the University to implement minimum security safeguards to protect confidential data.
3. What’s All the Hype about SSN and PII?
Increased cases of data breaches and security incidents at colleges and universities around the world, as reported in the news during 2007:
Total Number of Incidents: 139, a 67.5% increase over 2006
Total Number of Institutions Affected: 112, a 73% increase over 2006
4. What’s All the Hype about SSN and PII?
Recent example:
Stolen Hard Drive Holds Georgetown Univ. Data (January 29, 2008)
An external hard drive stolen from the Office of Student Affairs at Georgetown University contains personally identifiable information of approximately 40,000 of the school's students, alumni, faculty, and staff. The theft occurred on January 3. The drive was not encrypted.
The theft affects students who were enrolled at the school between 1998 and 2006.
5. What’s All the Hype about SSN and PII?
Examples of Data Exposures and Risks at ECU
ECU reported 3 data disclosure incidents since February 2007.
Student Rosters with SSN and grades backed up on home computers (2538 students impacted)
Student Rosters with SSN and grades on computers, laptops and flash drives
Personnel records with SSNs, Birthdates, Addresses and Spouse Names in Excel spreadsheets on local computers
Medical Records on unsecured computer folders
In the past 11 months, 17 University-owned computers or laptops have been reported as stolen (1.5 per month).
6. What’s All the Hype about SSN and PII?
Impact of Data Breaches
Impact on affected individuals
Cost of sending the security breach notices
Printing costs >$70,000
Staff time > 100 hours
Civil damages and criminal liability
Negative University publicity
Loss of Alumni trust and contributions
Attorney General’s Office notification
Loss of merchant status - Payment Card Industry standards
7. Why Are We Here?
You are the campus leaders
Influential across campus in effecting change among employees
Provide an overview of ECU’s efforts to implement changes
Provide suggestions on what can be done by employees
Provide resources for assistance
Solicit your input on how to best effect behavioral change
8. ECU Efforts to Protect SSN and Other PII
ITPC is charged with the following responsibilities:
Establishing policies, standards and procedures for the University to comply with the requirements of the NC Identity Theft Protection Act
Reviewing current campus collection and uses of Social Security Numbers
Approving or disapproving such collection and use (or future proposed collection and use)
Reviewing security measures associated with hard copy forms and electronic files that contain social security numbers
Documenting the University’s processes for these issues, and recommending any institutional changes needed for continuing compliance or best practices
9. ECU Efforts to Protect SSN and Other PII
Committee Members:
Angela Anderson University Registrar
Jack Brinn Interim CIO
Frank Evans Director, Clinical Finance
Mary Glascoff Faculty Senate
Tammy Holloman Director, Patient Access Services
Joan Kavuru Director of Compliance and HIPAA Privacy Officer
Hope Murphy Assistant University Attorney
Charles Peele Student Life IT Resource
Wayne Poole Assistant Director, Internal Audit
David Price Director, Financial Services
Margaret Streeter Director Information Security
Karen Summerlin Director, Human Resources
Mary Thompson Director, BSOM Group Practice
John Toller Associate Vice Chancellor, Human Resources
Paul Zigas Interim University Attorney
10. ECU Efforts to Protect SSN and Other PII
University’s SSN Policy – Overview
(Approved by Board of Trustees 9/12/07)
SSNs and PII may only be collected, used, and/or disclosed by ECU and its employees and agents as permitted by applicable law and University policy and only in furtherance of legitimate university business.
SSN use must be authorized by the ITPC. This includes the creation of databases, reports, internal spreadsheets or other documents that contain SSNs.
Disclosure statements must be used when collecting SSNs.
Adequate security controls must be implemented to protect data containing SSN and PII.
11. ECU Efforts to Protect SSN and Other PII
The SSN Standard provides guidance on the collection, use and disclosure of SSNs.
SSNs may not be used as a primary identifier in a University system, including as an indexing system for imaged documents, unless the ITPC grants permission.
Access to documents containing SSNs must be limited to authorized persons and secured using authorization controls, including passwords.
SSNs or PII shall not be stored on University or personal computers or other electronic devices if not authorized by the ITPC and secured against unauthorized access.
All requests for SSNs must be accompanied by a Disclosure Statement stating the purpose of collecting the SSN.
ECUID has replaced SSN as the primary unique identifier for the University. SSN must be replaced on all forms and templates unless authorized by the ITPC.
12. What Can You Do?
Review SSN Policy and Standard
Review forms, templates, documents, files for SSN
Is SSN required (shadow database, old process, old data)?
Can another identifier be used?
Remove SSN wherever appropriate
If not sure what to do, contact ITPC
Send Requests for SSN use to ITPC@ecu.edu to obtain approval for SSN use and disclosure
If use is required and authorized, ensure SSN and other PII is stored securely
Share information within your departments
Provide ITPC with suggestions on how to implement this change
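As an added illustration of the "review files for SSN" step above (this is not part of the ECU presentation or any ECU tool), a small Python scanner that walks a directory, flags values laid out like an SSN, drops the combinations the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000) to cut false positives, and reports only masked values so the review itself does not create a new copy of the data. The sample roster and the temporary directory it scans are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Dashed, spaced or bare 9-digit layouts; the lookarounds stop a longer digit
# run (an invoice or account number) from being chopped into a false hit.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Constructed sample roster (not real data): two SSNs, one impossible SSN,
# one ECU-style ID and one phone number.
SAMPLE_ROSTER = """\
Name,Identifier,Grade
Alice Example,123-45-6789,A
Bob Example,234 56 7890,B
Carol Example,000-12-3456,C
Dan Example,B00123456,A
Office phone 252-328-6131
"""

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")

def find_ssns(text: str) -> list:
    """Return (line_no, masked) per plausible SSN; the full value is never kept."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                hits.append((line_no, f"***-**-{serial}"))
    return hits

def scan_tree(root: Path, suffixes=(".txt", ".csv")) -> dict:
    """Walk root; map each text file with hits to its masked findings."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_ssns(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed directory for the demo
        (Path(tmp) / "roster.csv").write_text(SAMPLE_ROSTER)
        for path, hits in scan_tree(Path(tmp)).items():
            print(path, [f"line {n}: {m}" for n, m in hits])
```

Only the plain-text formats listed in `suffixes` are read; spreadsheets and imaged documents such as those named in the ECU incidents need their own extraction step before this check applies.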
13. We Need Your Help
Enormous task to change how the University does business
Has word of the new SSN policy trickled down in your areas?
How do we communicate: what forums/methods are best to present this information?
What are employees’ concerns about this?
Are you aware of situations where departments are still using/collecting SSNs?
Provide us with suggestions
14. ECU Policy on SSN and PII
Presented by
The Identity Theft Protection Committee
ITPC@ecu.edu
www.ecu.edu/ssnresource
www.ecu.edu/itsecurity