Educause Security Discussion mailing list archives

Re: Telephone Verification of Identity


From: "Irish, Adrian L" <Adrian.Irish () MSO UMT EDU>
Date: Fri, 20 Mar 2009 09:37:54 -0600

Regarding your number 4, I'm not aware of anything in FERPA that prevents this.  There may be other limiting factors 
that influence your decision on whether to use SS# for verification, but it should not be FERPA.  In fact, FERPA does 
not specify "levels" of sensitive data; it's either protected or not, and if it is protected, then your obligations 
apply equally across all the data, whether that's SS#, birth date, grades, etc.

Back to your original question.  One area that has dealt with this issue the most on our campus is the registrar, in 
the context of transcript requests.  They will ask for multiple items when verifying identity, and at least one of 
those will be something related to the person's academic records, such as "Who was your professor for Chemistry 101?", 
etc.  The key in this process is asking for multiple items and varying what they ask for from person to person.

For current and recent students, we do have challenge questions established, but these are used primarily in the 
context of password resets.

Adrian Irish
IT Security Officer
The University of Montana
SS 126D
Missoula, MT 59812
(406) 243-6375
 
adrian.irish () umontana edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kenneth Arnold
Sent: Thursday, March 19, 2009 7:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Telephone Verification of Identity

We are dealing with the problem of how you verify the identity of a
person over the telephone sufficiently to discuss
non-directory/confidential information with them.

Do you require the person to supply specific data about themselves?  If
so, what data?
Do you have challenge questions/responses on file that you use to
verify identity?
How are other schools dealing with the problem?

We currently don't have a standard method to verify identity.  We have
tossed around some ideas like:
1.  Is the student ID sufficient?  Is the student ID similar to the SSN
in that we can't use it for identification either because of FERPA?
2.  Is the birthdate sufficient?  Facebook makes this information
readily available. A doctor's office tends to use this to verify
identity over the phone.
3.  Is the student ID and the birthdate sufficient?
4.  It is our impression that we can't use the social security number
or even part of it because of FERPA.
5.  Do you call the person back at a telephone number recorded for that
person in our administrative database?
6.  Do you use caller ID to verify that the person is calling from a
number recorded for that person in the administrative database?  Caller
ID can be forged.
7.  Do you generate a random number, display it to the person answering
the phone, send the random number to the person through email and then
require the person to give you the random number?


--
Brother Kenneth Arnold
Director of Network Systems
Christian Brothers University
Memphis, TN
(901) 321-4333
