SSN Privacy

1
SSN Privacy Safeguarding

• College of Food, Agricultural Environmental
  Sciences
• Human Resource Professionals
• April 12 2007

2
Agenda

• Project Overview Update
• Policy Concepts
• Transition Steps
• Related Projects
• Best Practices
• Contacts

3
Project Overview Update Why?

• Legislation Policies
• FERPA
• House Bill 104 (ORC Section 1347) effective
  2/17/06
• Requires notification to affected individuals for
  data exposure unless encryption used
• Resulted in OSU interim policy Disclosure or
  Exposure of Personal Information (see
  http//cio.osu.edu/policies/disclosure.html)
• Notify CIO at security_at_osu.edu or 247-2020 to
  report actual or potential data breaches
• SSN Privacy Safeguarding policy
• University leadership prefers to discontinue SSN
  use, where possible

4
Project Overview Update Why?

• Identity theft
• Federal Trade Commission
• Reports 237 security breaches nationwide from
  February, 2005 to July, 2006 comprising 89
  million records. High education breaches was 83
  (35).
• Estimates that 10 million people were victims of
  identity theft in 2005, with a total cost to
  victims, government and businesses of 55
  billion. Gartner survey indicates 15 million
  victims for 12 month period ending July, 2006
  average loss 3,257
• Reports that the largest age group of identity
  theft victims is between 18 and 29 years of age.
  Second largest age group is 30-39 years.

5
Project Overview Update

• Goals
• Develop policy which encourages SSN
  discontinuation, appropriate use and protection
• Educate community
• Update
• Collected SSN usage information through survey
• 1300 submissions, 930 for identification purposes
  with
• at least 25 unprotected
• Formed advisory group subcommittee
• Drafted policy procedures
• Preparing educational materials

6
Policy Concepts

• SSN Collection Retention
• Requires pre-approval for each business process
• Approval required from dean/vice president,
  business owner and Privacy Office
• Annually renewed by June 30th
• Lists legitimate activities
• Requires distribution of privacy notice
• Mandatory training for employees sign
  confidentiality statement
• Lists prohibited SSN use
• Primary identifier
• Primary key
• User account creation/login/password
• Storage on non-University owned/operated
  equipment

7
Policy Concepts

• SSN Protection
• Physical as well as technical
• Business associates (vendors, external agencies,
  etc.)
• Implementation
• Breaches
• Departments may share in costs

8
Transition Steps

• Identify SSN Use
• Where is SSN being used?
• How is it retained?
• Who has access to SSN information?
• Plan for Transition
• Determine timeline
• Prioritize remediation

9
Transition Steps

• Communicate Plans
• Internally
• Externally (especially third parties)
• Transition ASAP

SSN
10
Transition Steps

• Share Progress
• Share SSN Messages
• Remediation, Protection Best Practices

11
Related Projects

• Institutional Data Policy (in draft)
• Requires classification of data into one of three
  categories
• Unrestricted public data
• Examples High-level Enrollment Statistics,
  Course Catalog, Current Funds Budget, Financial
  Statements
• Sensitive - users must obtain specific
  authorization to access since the data's
  unauthorized disclosure, alteration, or
  destruction will cause perceivable damage to the
  university. Note All institutional data in the
  enterprise-level administrative systems is
  classified as sensitive unless otherwise
  indicated.
• Examples Date of Birth, Ethnicity

12
Related Projects

• Institutional Data Policy (continued)
• Protected - highest levels of restriction should
  apply, both internally
• and externally, due to the risk or harm that may
  result from disclosure or
• inappropriate use. This includes information
  whose improper use or
• disclosure could
• 1. Adversely affect the ability of the university
  to accomplish its mission.
• 2. Lead to the possibility of identity thief by
  release of personally identifiable information of
  university constituents.
• 3. Put the university into a state of
  non-compliance with various state and federal
  regulations such as FERPA, HIPPA, GLBA, or Ohio
  Public Records Law.
• 4. Put the university into a state of
  non-compliance with contractual
• obligations such as payment card industry
  data security standards.
• Examples Social Security Number, Patient Care
  Data, Credit Card Information

13
Related Projects

• Legacy SSN Protection
• Selected Student Reports remove SSN
• Operational Data Store secure transmission
  mandate use of desktop encryption
• BuckeyeLink assess security risks on student
  web applications fix
• Credit Card Security Standards
• http//www.treasurer.ohio-state.edu/staff/polsroc.
  htmlsectionC

14
Best Practices

• Telephone Fax
• Requesting/Accepting SSN over phone
• Voicemail
• Cover sheet for fax, redact if possible
• Paper
• Lock up with limited access
• Destroy documents preferably cross-cut shred
  (follow Universitys retention schedule)

15
Best Practices

• Remote access
• Same rules apply use VPN or other secure
  transmission
• New systems, applications or processes
• Use alternative identifier (name.n, OSU ID, etc.)

16
Best Practices

• Electronic (PC, laptops, PDA, etc.)
• Email
• Encryption Advanced Encryption Standard
  preferred
• Screen saver/lock desktop
• Password protection
• No password sharing
• Delete unused files
• Shred or destroy CD, DVD hard drives

17
Contact Information

• Project Director
• Joyce Wagner
• Wagner.21_at_osu.edu
• (614) 247-8206
• Project Team
• buckeyesecure_at_lists.acs.ohio-state.edu
• Web Site
• http//cio.osu.edu/buckeyesecure/