Faculty Can Help Prevent Sensitive Data Loss

Allison Dolan

Last January, a University of Texas biological sciences professor put class test scores, with Social Security numbers (SSNs), online. In February, a Harvard computer was compromised, resulting in the need to notify about 6,000 individuals that their SSN could have been exposed. In March, Texas A&M University found that SSNs for students enrolled in a 1998 course were available online, and continued to be available in search engine caches even after the offending file had been taken offline. In June, a Stanford laptop containing SSNs as well as other personal information was stolen; over 60,000 faculty, staff, and students were notified. In July, a laptop was stolen from an Indiana State University economics professor; it had names and SSNs for students who had taken his class between 1997 and 2003.

Virtually every week, there is a report of some higher educational institution inadvertently losing custody of personal information.

Because names in conjunction with SSN can be used by identity thieves to get credit cards, loans, medical services and even employment, most states, including Massachusetts, have passed data breach laws, which requires notifying those whose personal information has been exposed.

Admittedly, it is rare that accidental data breaches (e.g., a lost laptop; file discovered by Google) result in identity theft. However, any breach involves costs for the data owner, including notifying impacted individuals, providing credit monitoring, and possibly financial penalties. In addition, for many organizations, the reputational cost of a data breach can be significant, resulting in the loss of customers, or, in the case of higher education, the loss of donors.

MIT has long been concerned about the implications of using SSNs as an identifier. In fact, when the MIT ID number was introduced in 1996, it was explicitly intended to replace the use of SSN for members of the MIT community (see: web.mit.edu/mitid/www/history.html). (Some other major institutions stopped using SSNs only as recently as last year.)

In 2003, with the SAP-HR go-live, SSN was no longer used as an employee identifier in the HR system, and with the 2006 SAP-Payroll implementation, SSN usage was further constrained. MIT HR has worked closely with our benefit providers to use alternate identifiers, and areas within the Office of the Dean for Undergraduate Admissions have taken a number of steps to protect SSN of applicants, admitted students, and their parents.

Nevertheless, there are places where SSNs are still being used, or files related to old processes are still in electronic or paper archives. Because of the risks associated with these “unknown” areas, about a year ago MIT established the program, “Protecting Personally Identifiable Information,” to understand where and how SSNs were still being used, and to work to mitigate the risks of a breach at MIT. Since then, program staff have been working with administrators in departments, labs, and centers, as well as with central offices. However, as can be seen from the stories mentioned above, data losses do not always occur with administrators; the program would like to enlist the help of faculty and other academics in further reducing MIT’s risk.

Back to top

Some steps that you can take:

• Think back over your career about when you might have had SSN for students – either here or from a prior institution.

• For electronic files, you can use the Search functionality on your computer, and look for files containing phrases such as “SSN” or “Social Security.”

• Consider whether you have kept written or electronic lists of SSNs of colleagues working on grants. Check whether an SSN is still needed. For example, NIH stopped requiring SSNs as of January 2008.

• If you paid an honorarium to an invited guest, then chances are you submitted a Request for Payment that included an SSN. Although it is necessary to have an SSN for such payments, you do not need to keep the SSN on your local copy.

• If you are involved with Human Subject research, you may have asked for an SSN on the payment receipt; for smaller amounts, an SSN is no longer required.

• If you have ever taken orders or collected money, you may want to check if you have paper or electronic personal credit card information for others.

• Consider what you would have delegated to others, such as your administrative assistant, TA/RA, contractors, consultants, and temporary workers. You may want to touch base with them to see how they have handled such information.

If you find you have SSNs (or other personal information) and no longer need them, you should securely destroy them. There are recommendations for redacting as well as secure destruction of paper and electronic files.

For further information about information protection, including processes that still require SSN, and tools for secure destruction, please contact me. I am available for group presentations, and/or 1-1, confidential discussions.

	Back to top
	Send your comments