Educause Security Discussion mailing list archives
Re: Bare Social Social Security Numbers
From: Leo Tran <ldtran () TULANE EDU>
Date: Mon, 27 Mar 2006 11:38:27 -0600
In Louisiana, SSN's alone would not constitute a breach. Louisiana Database Security Breach Notification Law defines "personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: Social security number (SSN). Driver's license number. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account." --- Lieu (Leo) Tran, CISSP Information Security Officer Tulane University - Phone: 504.988.8514 -----Original Message----- From: Joel Rosenblatt [mailto:joel () columbia edu] Sent: Monday, March 27, 2006 11:20 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Bare Social Social Security Numbers In NY, the new privacy law .... Law applies to electronic data only "Private Information" Any personally identifying data (name, number,...) in conjunction with SSN Driver's license (or non-driver ID card) number Account/Credit/Debit card number with access code Encrypted with encryption key that also has been acquired or unencrypted data This would be that just a list of SSN's would not count as a breach Check with your GC office, but that is the way we read the law. YMMV. Thanks, Joel Rosenblatt Joel Rosenblatt, Senior Security Officer & Windows Specialist, CUIT Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel - You can't spell seCUrITy without CUIT --On Monday, March 27, 2006 11:39 AM -0500 "Geoffrey S. Nathan" <geoffnathan () wayne edu> wrote:
Quick poll (apologies for cross-posting..) Suppose a file was stolen/accessed containing only social security numbers with no names attached. Would this constitute a security breach necessitating notification of those whose numbers were compromised? (Leaving aside the question of whether the theft/access itself is a
breach).
Geoff
Joel Rosenblatt, Senior Security Officer & Windows Specialist, CUIT Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel - You can't spell seCUrITy without CUIT
Current thread:
- Bare Social Social Security Numbers Geoffrey S. Nathan (Mar 27)
- <Possible follow-ups>
- Re: Bare Social Social Security Numbers scott hollatz (Mar 27)
- Re: Bare Social Social Security Numbers H. Morrow Long (Mar 27)
- Re: Bare Social Social Security Numbers Christopher E. Cramer (Mar 27)
- Re: Bare Social Social Security Numbers Thomas R. Davis (Mar 27)
- Re: Bare Social Social Security Numbers Steve Worona (Mar 27)
- Re: Bare Social Social Security Numbers Charles R. Morrow-Jones (Mar 27)
- Re: Bare Social Social Security Numbers Ken Connelly (Mar 27)
- Re: Bare Social Social Security Numbers Joel Rosenblatt (Mar 27)
- Re: Bare Social Social Security Numbers H. Morrow Long (Mar 27)
- Re: Bare Social Social Security Numbers Leo Tran (Mar 27)
- Re: Bare Social Social Security Numbers Gary Golomb (Mar 27)
- Re: Bare Social Social Security Numbers H. Morrow Long (Mar 28)
- Re: Bare Social Social Security Numbers Keith Schoenefeld (Mar 28)
- Re: Bare Social Social Security Numbers H. Morrow Long (Mar 28)
- Re: Bare Social Social Security Numbers H. Morrow Long (Mar 28)
- Re: Bare Social Social Security Numbers Keith Schoenefeld (Mar 28)
- Re: Bare Social Social Security Numbers Gary Flynn (Mar 28)
- Re: Bare Social Social Security Numbers Kevin Shalla (Mar 28)
- Re: Bare Social Social Security Numbers Pullman, Nick (Mar 28)
- Re: Bare Social Social Security Numbers scott hollatz (Mar 28)
(Thread continues...)