Faculty Can Help Prevent Sensitive Data Loss
Last January, a University of Texas biological sciences professor put class test scores, with Social Security numbers (SSNs), online. In February, a Harvard computer was compromised, resulting in the need to notify about 6,000 individuals that their SSN could have been exposed. In March, Texas A&M University found that SSNs for students enrolled in a 1998 course were available online, and continued to be available in search engine caches even after the offending file had been taken offline. In June, a Stanford laptop containing SSNs as well as other personal information was stolen; over 60,000 faculty, staff, and students were notified. In July, a laptop was stolen from an Indiana State University economics professor; it had names and SSNs for students who had taken his class between 1997 and 2003.
Virtually every week, there is a report of some higher educational institution inadvertently losing custody of personal information.
Because names in conjunction with SSN can be used by identity thieves to get credit cards, loans, medical services and even employment, most states, including Massachusetts, have passed data breach laws, which requires notifying those whose personal information has been exposed.
Admittedly, it is rare that accidental data breaches (e.g., a lost laptop; file discovered by Google) result in identity theft. However, any breach involves costs for the data owner, including notifying impacted individuals, providing credit monitoring, and possibly financial penalties. In addition, for many organizations, the reputational cost of a data breach can be significant, resulting in the loss of customers, or, in the case of higher education, the loss of donors.
MIT has long been concerned about the implications of using SSNs as an identifier. In fact, when the MIT ID number was introduced in 1996, it was explicitly intended to replace the use of SSN for members of the MIT community (see: web.mit.edu/mitid/www/history.html). (Some other major institutions stopped using SSNs only as recently as last year.)
In 2003, with the SAP-HR go-live, SSN was no longer used as an employee identifier in the HR system, and with the 2006 SAP-Payroll implementation, SSN usage was further constrained. MIT HR has worked closely with our benefit providers to use alternate identifiers, and areas within the Office of the Dean for Undergraduate Admissions have taken a number of steps to protect SSN of applicants, admitted students, and their parents.
Nevertheless, there are places where SSNs are still being used, or files related to old processes are still in electronic or paper archives. Because of the risks associated with these “unknown” areas, about a year ago MIT established the program, “Protecting Personally Identifiable Information,” to understand where and how SSNs were still being used, and to work to mitigate the risks of a breach at MIT. Since then, program staff have been working with administrators in departments, labs, and centers, as well as with central offices. However, as can be seen from the stories mentioned above, data losses do not always occur with administrators; the program would like to enlist the help of faculty and other academics in further reducing MIT’s risk.
Some steps that you can take:
If you find you have SSNs (or other personal information) and no longer need them, you should securely destroy them. There are recommendations for redacting as well as secure destruction of paper and electronic files.
For further information about information protection, including processes that still require SSN, and tools for secure destruction, please contact me. I am available for group presentations, and/or 1-1, confidential discussions.