Re: Universities riskiest place for SSN

[Kimberly Heimbrock <heimbrockk () NKU EDU>]

Most of our problems are sourced from "old" (legacy) data which was
SSN-based, and continues to be stored in old office documents, emails,
etc.  Even if they get a new system the old files are backed-up and
copied over.  We have also found significant Credit card information
which proliferated within browsers, emails, etc. over the years.  We
purchased Identity Finder to help find and remediate the data, and also
began encrypting new laptops, but the 'adoption' of this has been a real
challenge.  Most people don't know they still have the data
inadvertently stored, and don't really think they need to scan, clean,
encrypt. Even with extensive awareness campaigns, it remains a
challenge.  One bright note - our purchasing department and bursar are
considering requiring the use of Identity Finder for anyone using credit
cards (which also pertains to PCI of course).  

Education and awareness is still the key...easy to say, hard to do
throughout a busy campus.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Tuesday, November 09, 2010 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Universities riskiest place for SSN

Given that SSNs are needed to apply for and receive financial aid, 
and financial aid is used by ... let me guess -- 90% of students, 
we'll be using SSNs indefinitely.  We cannot stop.  SSNs are great 
because they're so good at identifying matching records -- the IRS 
does the work of eliminating duplicates for us.  They're poor for 
authentication, because so many places store SSNs, and millions of 
employees in varied industries across the country have access to some 
subset of them.

This brings me back to my old idea.  Keep using SSNs, make them 
public, and place the burden of combating fraud on those that can 
solve the problem -- the SSN-using industries.  With legislation, 
make them liable for debts or other harm when authentication isn't 
done well, specifically prohibiting them from using SSN as an 
authenticator.  This way individuals would rarely suffer from 
impersonation fraud.

At 04:53 PM 11/8/2010, Dan Peterson wrote:

> http://home.hiwaay.net/~becraft/ScottSSNLetter.pdf
>
> So a SSN is need to report to IRS and the SSA.
>
>  From your list that is: (all report to IRS related)
> - - Student employees on work-study have their wages reported to the
> government.
> - - Students with federally guaranteed student loans are reported to
the
> government.
> - - Individual contractors paid directly instead of through a company
must be
> reported to the government.
> - - Speakers receiving honoraria must be reported to the government.
> - - Regular employees' wages must be reported to the government.
>
> This likely is due to money but I am not sure:
> - - The NCAA uses it and requires it in reporting regarding recruiting
> activities.
>
>
> That leaves:
> - - Students provide the information to the College Board while in high
school
> and it comes in over the transom with SATs, sometimes before the
student has
> actually filed an application, and it is therefore useful, though maybe
not
> required,  in Admissions to differentiate between potential applicants
with
> the same name.
>
> I would bet that this is a lions share of the SSN collected. Most
students
> don't work for the school and are not part of NCAA.
> I would venture a guess that on every student application form it has
> "SSN_____" and does not indicate any choice for the student and they do
have
> a choice.
>
> - ---------------
>
>
> How can I protect my Social Security number?
>
> You should treat your Social Security number as confidential
information and
> avoid giving it out unnecessarily.
> You should keep your Social Security card in a safe place with your
other
> important papers.
> Do not carry it with you unless you need to show it to an employer or
> service provider.
> We do several things to protect your number from misuse. For example,
we
> require and carefully inspect proof
> of identity from people who apply to replace lost or stolen Social
Security
> cards, or for corrected cards.
> One reason we do this is to prevent people from fraudulently obtaining
> Social Security numbers to establish false identities.
>
> We maintain the privacy of Social Security records unless:
> . The law requires us to disclose information to another government
agency;
> or
> . Your information is needed to conduct Social Security or other
government
> health or welfare program business.
> You should be very careful about sharing your number and card to
protect
> against misuse of your number.
> Giving your number is voluntary even when you are asked for the number
> directly.
>
> If requested, you should ask:
> . Why your number is needed;
> . How your number will be used;
> . What happens if you refuse; and
> . What law requires you to give your number.
> The answers to these questions can help you decide if you want to give
your
> Social Security number. The decision is yours
>
> http://www.ssa.gov/pubs/10002.html#protect
> - ------------
>
> My point in asking this question was to get people to think about the
need
> for the SSN.
> I have found that in 60% of the time when asked for an SSN its not
required
> but
>
> Don't like the risk?
> Don't collect the number unless you have to.
>
>
> - --
> Dan
>
>
>
> - -----Original Message-----
> From: David Escalante [mailto:david.escalante () bc edu]
> Sent: Monday, November 08, 2010 1:32 PM
> To: drpeterson () es net
> Cc: The EDUCAUSE Security Constituent Group Listserv
> Subject: Re: [SECURITY] Universities riskiest place for SSN
>
>
> On Nov 8, 2010, at 4:12 PM, Dan Peterson wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I agree that High-Ed does report things that private industry does
> > not; however, why does Higher-Ed need the student SSN in the first
> > place
>
>
> There are a host of reasons, a few examples...:
>
> - - Student employees on work-study have their wages reported to the
> government.
> - - Students with federally guaranteed student loans are reported to
the
> government.
> - - Students provide the information to the College Board while in high
school
> and it comes in over the transom with SATs, sometimes before the
student has
> actually filed an application, and it is therefore useful, though maybe
not
> required,  in Admissions to differentiate between potential applicants
with
> the same name.
> - - The NCAA uses it and requires it in reporting regarding recruiting
> activities.
> - - Individual contractors paid directly instead of through a company
must be
> reported to the government.
> - - Speakers receiving honoraria must be reported to the government.
> - - Regular employees' wages must be reported to the government.
>
> Morrow's comments overlap mine, so I'll stop there. :-)
> - --
> David Escalante
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.9.1 (Build 287)
> Charset: us-ascii
>
> wj8DBQFM2H955chTNtilRz8RAnjzAJ4xL4GAqfzSQ1iBW8c8MhhTHkOgUQCfVpFY
> GqGN4xk65Q0+aEElih3rwUw=
> =8MlR
> -----END PGP SIGNATURE-----