What information must be protected?
Sensitive information is any information that poses a risk to an individual or an organization if it were exposed to or accessed by unauthorized individuals. Under the Massachusetts Data Breach Notification Law, a breach of personal information (MIT's acronym for this is PIRN, personal information requiring notification) requires MIT to notify the affected individuals because of the risk of fraud or identity theft.
What is MIT doing to protect information?
MIT's Written Information Security Program identifies key areas handling PIRN at the Institute. The goals of the program are to identify and reduce the amount of PIRN contained on computers and in office files. This reduction will help safeguard the MIT community against identity theft and will help MIT comply with relevant state and federal laws.
What do I do with the PIRN found on my computer or in my files?
Check with your business process owner or system owner to determine how to handle the information you find. If you are not sure whether the information should be there, discuss the situation with senior management. Unnecessary possession of this information should be eliminated. In general, an employee has a legitimate purpose for having access to the Social Security numbers of other individuals when such numbers are required for tax or billing purposes, credit authorization, background checks, or in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's Social Security number. In addition, Social Security numbers shall be maintained when required by court order, by subpoena, or by direction of the Office of the General Counsel.
Is MIT ID# considered sensitive data?
Yes, MIT ID# is sensitive (in the sense that it should not be published or shared indiscriminately); however, in general it is not PIRN. In other words, if a file of names with MIT ID numbers were compromised, we would not be required by law to notify people (although MIT may choose to do so). If, however, the same compromised computer held a file of names and MIT ID#s, and another file of MIT ID#s and Social Security numbers (SSNs), then under the Massachusetts law we may need to notify, since the name/SSN combination could easily be derived by matching the two files on MIT ID#.
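As an added illustration of the linkage point above (example code, not part of the original FAQ or any MIT tool), the following Python script uses two constructed sample spreadsheets with placeholder values to show how files that are individually not PIRN combine into name/SSN pairs through the shared MIT ID column; this join check is what a PIRN discovery scan of a computer should include alongside the per-file SSN pattern match.

```python
import csv
import io
import re

# Constructed sample contents standing in for two spreadsheets found on the
# same laptop. All values are fabricated placeholders, not real identifiers.
ROSTER_CSV = """name,mit_id
Alice Example,900000001
Bob Example,900000002
"""
PAYROLL_CSV = """mit_id,ssn
900000001,123-45-6789
900000003,987-65-4321
"""

# Dashes are required so that bare nine-digit values such as an MIT ID are
# not mistaken for an SSN; a production scanner would accept more formats.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def load(text):
    """Parse CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def ssn_columns(rows):
    """Columns whose every non-empty value matches the SSN pattern."""
    if not rows:
        return []
    found = []
    for col in rows[0]:
        vals = [r[col] for r in rows if r[col]]
        if vals and all(SSN_RE.match(v) for v in vals):
            found.append(col)
    return found


def linkable_name_ssn(file_a, file_b, name_col="name"):
    """(name, SSN) pairs derivable by joining the two files on a shared column.
    Neither file alone is PIRN; the join is, so the machine holds PIRN."""
    pairs = set()
    for names, ssns in ((file_a, file_b), (file_b, file_a)):
        if not names or not ssns or name_col not in names[0]:
            continue
        keys = [c for c in names[0] if c in ssns[0] and c != name_col]
        for key in keys:
            for ssn_col in ssn_columns(ssns):
                ssn_by_key = {r[key]: r[ssn_col] for r in ssns}
                for r in names:
                    if r[key] in ssn_by_key:
                        pairs.add((r[name_col], ssn_by_key[r[key]]))
    return sorted(pairs)
```

Only the row whose MIT ID appears in both files yields a pair, which is exactly the set of people MIT would have to consider for notification.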
How much would a data breach cost MIT?
There are a number of variables that go into calculating the costs of a data breach. The Ponemon Institute has published reports based on many data breaches; their latest report lists the cost at an average of $204 per record. This includes things like the cost to do the forensics, create a letter, send the letter, staff a call center, provide credit monitoring, hire attorneys, pay fines, etc. In addition, there may be unquantifiable costs, such as donors deciding not to give, prospective students deciding not to come to MIT, or potential employees who choose not to apply. See more on the risks.
What if someone gives me sensitive information (e.g. PIRN) I don't want/didn't ask for?
The sender is responsible for the security of the data until you receive it; if it is breached en route to you, the sender will need to follow up. You are responsible for handling the file securely once you receive it, e.g. redact the sensitive information, encrypt it, securely destroy it, and/or secure any transmissions if you forward the information.
If you received one person's information (e.g. a new hire sends you their SSN in an email, or puts their SSN on a resume), then you should redact the information, secure the file, or securely destroy it as soon as practicable. You may want to let the sender know of your concerns for their future awareness. Although the initial transmission of the information is not an MIT data incident (the individual took the risk when they sent the information), if the file is subsequently compromised (e.g. an unencrypted laptop holding the email is lost), then MIT may need to notify.
If you have requested a file, and the person pulling the data together includes more than you wanted, you can perhaps delete that column; otherwise physically secure (encrypt) the file, or securely destroy it. If you will be getting a similar file on a routine basis, be sure the sender knows of your concerns, and see if the file can be sent without the sensitive data.
If you received a file you didn't expect (e.g. a misrouted fax or a misaddressed envelope), immediately notify the sender and find out what the sender wants done (for MIT to securely destroy the information, or to return it to the sender). In this case the sender would be responsible for determining whether notification is appropriate.