Educause Security Discussion mailing list archives

Re: Universities riskiest place for SSN


From: Judith House <housej () GEORGETOWN EDU>
Date: Mon, 8 Nov 2010 17:23:32 -0500

It's required for Federal financial aid, tax reporting, Medicare/Medicaid
reporting, and a few other more exotic reasons.  I think part of the issue
here is the difference between collecting and retaining SSNs and using them
as an identifier on the record.  

Given the federal requirements, we can't really eliminate the collection of
SSNs.  However, we can (and most of us do by now) use another identifier.  

Agreed, universities are open about data loss, potential loss, and breach.
I just read a report from Verizon
(http://www.verizonbusiness.com/resources/security/databreachreport.pdf)
which shows Higher Ed is a very small proportion of the actual data loss
overall -- it's a very interesting report in many ways.  

Judith F House
Associate University Information Security Officer
Georgetown University
3300 Whitehaven NW, Ste. 2000
Washington, DC 20007
housej () georgetown edu
202-687-6031 (office)
202-230-2504 (cell)
 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin
(mclaugkl)
Sent: Monday, November 08, 2010 5:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Universities riskiest place for SSN

Some medical insurance policies/providers require it.


----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Mon Nov 08 16:22:23 2010
Subject: Re: [SECURITY] Universities riskiest place for SSN

I think the SSN is required to apply for financial aid.  Other than that, we
don't require it, but most students provide it.

Steven Alexander Jr.
Online Education Systems Manager
Merced College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Peterson
Sent: Monday, November 08, 2010 1:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Universities riskiest place for SSN


I agree that Higher-Ed does report things that private industry does not;
however, why does Higher-Ed need the student SSN in the first place?

At all the schools I have ever been at, when you complain you can get a
student ID.

--
Dan

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Lococo
Sent: Monday, November 08, 2010 12:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Universities riskiest place for SSN

On 11/08/2010 02:32 PM, Eric Case wrote:
The original post,
http://blogs.mcafee.com/consumer/identity-theft/top-ten-most-dangerous-places-to-leave-your-social-security-number,
says, "Robert Siciliano, on behalf of McAfee, analyzed data breaches
published by the Identity Theft Resource Center, Privacy Rights
Clearinghouse and the Open Security Foundation that involved Social
Security number breaches from January 2009 - October 2010 to reveal the
riskiest places to lose your ID."

It is unclear if they ranked by number of records/breach or number of
breaches.

My read is that the number in parens at the end of each top-10 entry is a
breach-count (it's certainly not a record-count), which is used as the
ranking/sorting key.  Since the data is from a report covering 2009-2010,
it's fairly recent.

If one is looking for a methodology flaw that excuses Higher-Ed's number-one
spot on the list, it's probably the failure to account for our culture of
openness.  You don't see other industries announcing a breach and then
saying "there was no evidence of unauthorized access, but we're calling this
a breach and announcing it anyway", which is fairly common from higher-ed
institutions.  We might get dwarfed on record count as well, but you
can't see that data without buying the original report.

Cheers,
Mike Lococo




