Educause Security Discussion mailing list archives
Re: Universities riskiest place for SSN
From: Kimberly Heimbrock <heimbrockk () NKU EDU>
Date: Tue, 9 Nov 2010 11:19:29 -0500
Most of our problems are sourced from "old" (legacy) data which was SSN-based, and continues to be stored in old office documents, emails, etc. Even if they get a new system the old files are backed-up and copied over. We have also found significant Credit card information which proliferated within browsers, emails, etc. over the years.

We purchased Identity Finder to help find and remediate the data, and also began encrypting new laptops, but the 'adoption' of this has been a real challenge. Most people don't know they still have the data inadvertently stored, and don't really think they need to scan, clean, encrypt. Even with extensive awareness campaigns, it remains a challenge.

One bright note - our purchasing department and bursar are considering requiring the use of Identity Finder for anyone using credit cards (which also pertains to PCI of course).

Education and awareness is still the key...easy to say, hard to do throughout a busy campus.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Tuesday, November 09, 2010 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Universities riskiest place for SSN

Given that SSNs are needed to apply for and receive financial aid, and financial aid is used by ... let me guess -- 90% of students, we'll be using SSNs indefinitely. We cannot stop.

SSNs are great because they're so good at identifying matching records -- the IRS does the work of eliminating duplicates for us. They're poor for authentication, because so many places store SSNs, and millions of employees in varied industries across the country have access to some subset of them.

This brings me back to my old idea. Keep using SSNs, make them public, and place the burden of combating fraud on those that can solve the problem -- the SSN-using industries. With legislation, make them liable for debts or other harm when authentication isn't done well, specifically prohibiting them from using SSN as an authenticator. This way individuals would rarely suffer from impersonation fraud.

At 04:53 PM 11/8/2010, Dan Peterson wrote:
http://home.hiwaay.net/~becraft/ScottSSNLetter.pdf

So a SSN is needed to report to IRS and the SSA. From your list that is: (all report to IRS related)

- Student employees on work-study have their wages reported to the government.
- Students with federally guaranteed student loans are reported to the government.
- Individual contractors paid directly instead of through a company must be reported to the government.
- Speakers receiving honoraria must be reported to the government.
- Regular employees' wages must be reported to the government.

This likely is due to money but I am not sure:

- The NCAA uses it and requires it in reporting regarding recruiting activities.

That leaves:

- Students provide the information to the College Board while in high school and it comes in over the transom with SATs, sometimes before the student has actually filed an application, and it is therefore useful, though maybe not required, in Admissions to differentiate between potential applicants with the same name.

I would bet that this is a lion's share of the SSN collected. Most students don't work for the school and are not part of NCAA.

I would venture a guess that on every student application form it has "SSN_____" and does not indicate any choice for the student and they do have a choice.

---------------
How can I protect my Social Security number?

You should treat your Social Security number as confidential information and avoid giving it out unnecessarily. You should keep your Social Security card in a safe place with your other important papers. Do not carry it with you unless you need to show it to an employer or service provider.

We do several things to protect your number from misuse. For example, we require and carefully inspect proof of identity from people who apply to replace lost or stolen Social Security cards, or for corrected cards. One reason we do this is to prevent people from fraudulently obtaining Social Security numbers to establish false identities. We maintain the privacy of Social Security records unless:

- The law requires us to disclose information to another government agency; or
- Your information is needed to conduct Social Security or other government health or welfare program business.

You should be very careful about sharing your number and card to protect against misuse of your number. Giving your number is voluntary even when you are asked for the number directly. If requested, you should ask:

- Why your number is needed;
- How your number will be used;
- What happens if you refuse; and
- What law requires you to give your number.

The answers to these questions can help you decide if you want to give your Social Security number. The decision is yours.

http://www.ssa.gov/pubs/10002.html#protect
------------

My point in asking this question was to get people to think about the need for the SSN.

I have found that in 60% of the time when asked for an SSN it's not required but

Don't like the risk? Don't collect the number unless you have to.

-- Dan

-----Original Message-----
From: David Escalante [mailto:david.escalante () bc edu]
Sent: Monday, November 08, 2010 1:32 PM
To: drpeterson () es net
Cc: The EDUCAUSE Security Constituent Group Listserv
Subject: Re: [SECURITY] Universities riskiest place for SSN

On Nov 8, 2010, at 4:12 PM, Dan Peterson wrote:

> I agree that High-Ed does report things that private industry does not; however, why does Higher-Ed need the student SSN in the first place?

There are a host of reasons, a few examples...:

- Student employees on work-study have their wages reported to the government.
- Students with federally guaranteed student loans are reported to the government.
- Students provide the information to the College Board while in high school and it comes in over the transom with SATs, sometimes before the student has actually filed an application, and it is therefore useful, though maybe not required, in Admissions to differentiate between potential applicants with the same name.
- The NCAA uses it and requires it in reporting regarding recruiting activities.
- Individual contractors paid directly instead of through a company must be reported to the government.
- Speakers receiving honoraria must be reported to the government.
- Regular employees' wages must be reported to the government.

Morrow's comments overlap mine, so I'll stop there. :-)

-- David Escalante