Re: Universities riskiest place for SSN

[Morrow Long <morrow.long () YALE EDU>]

Some instances where the school needs an SSN for a student:

	Federal, State and other financial aid - on the FAFSA, to track  
student loans, grants and similar equivalent processes

	US Citizenship verification - not a federal requirement but some  
states require their public higher ed institutions to verify US  
citizenship

        Work study or other cases of student employment on campus
        
I found the following great web page from St. Petersburg College on  
just what they use student's SSN #s for:

        www.spcollege.edu/webcentral/btw/ssn.htm

Morrow



On Nov 8, 2010, at 4:12 PM, Dan Peterson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I agree that High-Ed does report things that private industry does  
> not;
> however, why does Higher-Ed need the student SSN in the first place
>
> All the school I have ever been at when you complain you can get a  
> student
> ID.
>
> - --
> Dan
>
> - -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Lococo
> Sent: Monday, November 08, 2010 12:23 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Universities riskiest place for SSN
>
> On 11/08/2010 02:32 PM, Eric Case wrote:
> > The original post,
> > http://blogs.mcafee.com/consumer/identity-theft/top-ten-most- 
> > dangerous
> > -place s-to-leave-your-social-security-number, says, "Robert
> > Siciliano, on behalf of McAfee,  analyzed data breaches published by
> > the Identity Theft Resource Center, Privacy Rights Clearinghouse and
> > the Open Security Foundation that involved Social Security number
> > breaches from January 2009 - October 2010 to reveal the riskiest
> > places to lose your ID."
> >
> > It is unclear if they ranked by number of records/breach or number of
> > breaches.
>
> My read is that the number in parens at the end of each top-10 entry  
> is a
> breach-count (it's certainly not a record-count), which is used as the
> ranking/sorting key.  Since the data is from a report covering  
> 2009-2010,
> it's fairly recent.
>
> If one is looking for a methodology flaw that excuses Higher-Ed's  
> number-one
> spot on the list, it's probably the failure to account for our  
> culture of
> openness.  You don't see other industries announcing a breach and then
> saying "there was no evidence of unauthorized access, but we're  
> calling this
> a breach and announcing it anyway", which is fairly common from  
> higher-ed
> institutions.  We might get dwarfed on record count as-well, but  
> that you
> can't see that data without buying the original report.
>
> Cheers,
> Mike Lococo
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.9.1 (Build 287)
> Charset: us-ascii
>
> wj8DBQFM2GfF5chTNtilRz8RAn4wAJ9gymPQEqAIIVg01pDhBOhXqdy5zwCeLTDC
> Hn1Gf7GfUsZ6SRGyz8+NSdM=
> =vdAe
> -----END PGP SIGNATURE-----