Other Places to Look for Sensitive Data
Some areas we may not think about, but which may remain vulnerable to a data breach, are ones we often see every day. They simply don't come to mind when considering risks to data.
The following list provides some idea of where to look for hidden sensitive data:
- Outside service providers such as 401(k) administrators, benefit providers, Medicare, or claim administrators - when sharing our business data with these companies, what are you and they doing to protect the information? Is the information encrypted before put on a CD, is it on a shared server, or is it transferred over an secure network with a password or encryption?
- Insurance beneficiaries - SSN are collected for those whom employees list as their beneficiaries. Was the information emailed, faxed, put on paper and then scanned or copied? Where does the information reside today?
- Any records that predate the use of the MIT ID - for example, Employee ID (ee id) used Social Security numbers prior to 2004.
- Legal documents - subpoenas for records related to individuals may include SSN.
- Audits - depending on the nature of the audit, the records provided to auditors may include SSN, personal credit card or financial account numbers, or other sensitive information.
- System backups - when systems are backed up using an external hard drive or server, are they protected with strong passwords, or placed in safely locked areas?
- Archives - Paper archives, or anything on microfiche, tape, CD or other media should be locked and given limited access if there's the possibility that PIRN is stored on them.
- Printers/scanning/copy/multifunction devices - these devices often contain a hard drive where images of what is printed, scanned or copied can remain for long periods of time. What happens to the hard drive after the device is repurposed or returned to the vendor?
- Computers to be redeployed - computers, external hard drives, mobile phones and other devices that have memory are often redeployed or recycled. Do you know how to remove the data so that it can no longer be accessed? Do the devices get stored in a safe place until the data can be wiped?
- Emails - they can be forwarded, saved, printed and have attachments. How many emails do you have on your computer that contain PIRN?
- Recycling bins/trash - take a look at your copier collection bins where papers may have been left behind or never picked up, and in trash or recycling bins or pre-shredder collection stations, holding unshredded materials possibly containing PIRN.
- Work station areas - the amount of sensitive information on an employee's desk should not be forgotten. Security badges, identification or swipe cards, passwords on sticky notes, and keys hanging from thumb tacks or lying in open desk drawers are just a few items that can be used by an unauthorized person to gain access to personal information.