Institute Initiates Written Information Security Program (WISP)
According to a January 2010 story in The Chronicle regarding educational data breaches, most of the instances of losing “data on the move” occurred “when a professor took home a laptop that was subsequently stolen or lost.” [chronicle.com/blogPost/Educational-Data-Breaches-D/20462/]
Due to a recent set of Massachusetts data protection regulations, such incidents are no longer merely embarrassing; they are a potential legal risk for MIT.
In response to the regulations, MIT has been rolling out a campus-wide written information security program (WISP), which includes administrative, technical, and physical safeguards for certain types of personal information. The WISP can be found at web.mit.edu/infoprotect/wisp.html.
In conjunction with the WISP, MIT has defined a new term, PIRN (Personal Information Requiring Notification). PIRN is an individual’s name in combination with any of the following:
- social security number,
- driver’s license number or Massachusetts-issued ID card number,
- or financial account number, including credit card and debit card numbers.
If PIRN is lost or stolen, then MIT may be required to notify state officials, as well as the individuals whose information was compromised.
We would like faculty (as well as all other members of the MIT community) to pay special attention any time they are handling paper or electronic documents with PIRN. The easiest ways to reduce risk are to not collect any PIRN, to redact PIRN from paper or electronic files you still need, and to securely destroy any files you no longer need. Please see web.mit.edu/infoprotect/ for more information.
A couple of common areas where faculty may be exposed to PIRN:
- If you are reviewing student applications, SSNs may be included. Although an SSN is useful for the Admissions Office to have, reviewers generally do not need SSNs. Where possible, redact the SSN. Lost or compromised application files would generally be considered a data breach.
- For your personal protection, avoid providing unnecessary PIRN on backup documentation for travel or other reimbursements (e.g., remove your personal credit card number from any receipts or statements). Although administrators will often redact such information, it could slip through and get scanned into SAP.
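Redacting PIRN from electronic files, as recommended above, is easier if you can first find it. The following is an added example, written for this page and not an MIT tool or part of the WISP: it scans text for two of the PIRN elements listed above (SSNs and payment card numbers), confirms card candidates with the Luhn checksum so that order numbers and phone numbers are not flagged, and replaces each hit with a placeholder. The sample text, the regular expressions and the function names are all constructed for the example; the SSN pattern relies on the fact that area numbers 000, 666 and 900 through 999, and all-zero group or serial fields, are never issued.

```python
import re

# Constructed sample (not a real MIT document): the kind of text a reviewer
# might find in an application file or a scanned reimbursement receipt.
SAMPLE_TEXT = """Applicant: Jane Doe    SSN: 123-45-6789
Phone: 617-253-1000    Order ref: 1234567890123
Paid with card 4111 1111 1111 1111 (exp 03/12)
Typo'd card 4111 1111 1111 1112 fails the Luhn check
"""

# SSN: three-digit area, two-digit group, four-digit serial, optionally
# separated by '-' or ' '. Areas 000, 666 and 900-999 and all-zero group or
# serial fields are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)

# Payment card: 13 to 19 digits, optionally separated by '-' or ' '.
# Candidates are only reported if they pass the Luhn checksum.
CARD_RE = re.compile(r"\b(?:\d[- ]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pirn(text: str):
    """Return (kind, start, end) spans for each SSN or card number found."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.start(), m.end()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[- ]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def redact(text: str):
    """Replace every PIRN span with a placeholder; return (text, counts)."""
    counts = {}
    # Work from the end so earlier offsets stay valid after each replacement.
    for kind, start, end in reversed(find_pirn(text)):
        counts[kind] = counts.get(kind, 0) + 1
        text = text[:start] + f"[{kind.upper()} REDACTED]" + text[end:]
    return text, counts


if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_TEXT)
    print(redacted)
    print("redacted:", counts)
```

On the sample, the SSN and the valid Visa test number are replaced while the phone number, the 13-digit order reference and the mistyped card number (both of which fail Luhn) are left alone. A scanner like this is a first pass only: it cannot see PIRN in scanned images, it does not know whether the name is present alongside the number, and a clean scan is not proof that a file is safe to keep, so the advice above still applies: do not collect PIRN you do not need, and securely destroy files you no longer need.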
However, if you need to retain PIRN, then you must take additional steps, specifically:
- Minimum security standards are required for your computer as well as other devices.
- Encryption is required if PIRN is on a laptop or other portable device, or included in a file that is being transmitted across the public network.
- If a third party has access to PIRN, then the contract must describe the third party’s responsibility for the protection of the data.
If you have questions regarding the above requirements, or if you are concerned that paper or electronic files with PIRN may have been compromised, please e-mail firstname.lastname@example.org.