
East Carolina University Policy on Social Security Number and Personal Identifying Information February 21, 2008 Pres



Presentation Transcript


    1. East Carolina University Policy on Social Security Number and Personal Identifying Information*
        February 21, 2008
        Presented by the Identity Theft Protection Committee
        * Personal Identifying Information (PII)

    2. What’s All the Hype about SSN and PII?
        Federal and state laws such as North Carolina Identity Theft Protection Act (NCIDTPA), FERPA, HIPAA Privacy Rule and other regulations require the University to implement minimum security safeguards to protect confidential data.

    3. What’s All the Hype about SSN and PII?
        Increased Cases of Data Breaches and Security incidents occurring at colleges and universities around the world as reported in the news during 2007.
        - Total Number of Incidents: 139, a 67.5% increase over 2006
        - Total Number of Institutions Affected: 112, a 73% increase over 2006

    4. What’s All the Hype about SSN and PII?
        Recent Example:
        Stolen Hard Drive Holds Georgetown Univ. Data (January 29, 2008) – An external hard drive stolen from the Office of Student Affairs at Georgetown University contains personally identifiable information of approximately 40,000 of the school's students, alumni, faculty, and staff. The theft occurred on January 3. The drive was not encrypted. The theft affects students who were enrolled at the school between 1998 and 2006.

    5. What’s All the Hype about SSN and PII?
        Examples of Data Exposures and Risks at ECU
        ECU reported 3 data disclosure incidents since February 2007.
        - Student Rosters with SSN and grades backed up on home computers (2538 students impacted)
        - Student Rosters with SSN and grades on computers, laptops and flash drives
        - Personnel records with SSNs, Birthdates, Addresses and Spouse Names in Excel spreadsheets on local computers
        - Medical Records on unsecured computer folders
        In the past 11 months, 17 University-owned computers or laptops have been reported as stolen (1.5 per month).

    6. What’s All the Hype about SSN and PII?
        Impact of Data Breaches
        - Impact on affected individuals
        - Cost of sending the security breach notices
            - Printing costs >$70,000
            - Staff time > 100 hours
        - Civil damages and criminal liability
        - Negative University publicity
        - Loss of Alumni trust and contributions
        - Attorney General’s Office notification
        - Loss of merchant status - Payment Card Industry standards

    7. Why Are We Here?
        - You are the campus leaders
        - Influential across campus in effecting change among employees
        - Provide an overview of ECU’s efforts to implement changes
        - Provide suggestions on what can be done by employees
        - Provide resources for assistance
        - Solicit your input on how to best effect behavioral change

    8. ECU Efforts to Protect SSN and Other PII
        ITPC is charged with the following responsibilities:
        - Establishing policies, standards and procedures for the University to comply with the requirements of the NC Identity Theft Protection Act
        - Reviewing current campus collection and uses of Social Security Numbers
        - Approving or disapproving such collection and use (or future proposed collection and use)
        - Reviewing security measures associated with hard copy forms and electronic files that contain social security numbers
        - Documenting the University’s processes for these issues, and recommending any institutional changes needed for continuing compliance or best practices

    9. ECU Efforts to Protect SSN and Other PII
        Committee Members:
        - Angela Anderson: University Registrar
        - Jack Brinn: Interim CIO
        - Frank Evans: Director, Clinical Finance
        - Mary Glascoff: Faculty Senate
        - Tammy Holloman: Director, Patient Access Services
        - Joan Kavuru: Director of Compliance and HIPAA Privacy Officer
        - Hope Murphy: Assistant University Attorney
        - Charles Peele: Student Life IT Resource
        - Wayne Poole: Assistant Director, Internal Audit
        - David Price: Director, Financial Services
        - Margaret Streeter: Director Information Security
        - Karen Summerlin: Director, Human Resources
        - Mary Thompson: Director, BSOM Group Practice
        - John Toller: Associate Vice Chancellor, Human Resources
        - Paul Zigas: Interim University Attorney

    10. ECU Efforts to Protect SSN and Other PII
        University’s SSN Policy – Overview (Approved by Board of Trustees 9/12/07)
        - SSNs and PII may only be collected, used, and/or disclosed by ECU and its employees and agents as permitted by applicable law and University policy and only in furtherance of legitimate university business.
        - SSN use must be authorized by the ITPC. This includes the creation of databases, reports, internal spreadsheets or other documents that contain SSNs.
        - Disclosure statements must be used when collecting SSNs.
        - Adequate security controls must be implemented to protect data containing SSN and PII.

    11. ECU Efforts to Protect SSN and Other PII
        The SSN Standard provides guidance on the collection, use and disclosure of SSNs.
        - SSNs may not be used as a primary identifier in a University system, including as an indexing system for imaged documents, unless the ITPC grants permission.
        - Access to documents containing SSNs must be limited to authorized persons and secured using authorization controls, including passwords.
        - SSNs or PII shall not be stored on University or personal computers or other electronic devices if not authorized by the ITPC and secured against unauthorized access.
        - All requests for SSNs must be accompanied by a Disclosure Statement stating the purpose of collecting the SSN.
        - ECUID has replaced SSN as the primary unique identifier for the University.
        - SSN must be replaced on all forms and templates unless authorized by the ITPC.

    12. What Can You Do?
        - Review SSN Policy and Standard
        - Review forms, templates, documents, files for SSN
            - Is SSN required (shadow database, old process, old data)?
            - Can another identifier be used?
        - Remove SSN wherever appropriate
        - If not sure what to do, contact ITPC
        - Send Requests for SSN use to ITPC@ecu.edu to obtain approval for SSN use and disclosure
        - If use is required and authorized, ensure SSN and other PII is stored securely
        - Share information within your departments
        - Provide ITPC with suggestions on how to implement this change

    13. We Need Your Help
        Enormous task to change how the University does Business
        - Has word of the new SSN policy trickled down in your areas?
        - How do we communicate – what forums/methods best to present this information?
        - What are employees’ concerns about this?
        - Are you aware of situations where departments are still using/collecting SSNs?
        - Provide us with suggestions

    14. ECU Policy on SSN and PII
        Presented by The Identity Theft Protection Committee
        ITPC@ecu.edu
        www.ecu.edu/ssnresource
        www.ecu.edu/itsecurity
