Personal Identifiable Information: What are you storing and why?
June 2008 | By Damon Armour, IT Security Officer
You run a Banner report to get student information you need for your job. You complete it and save it to a document or desktop. But have you completed your task? NO, not if you haven't taken the proper steps to make the document secure.
When a computer was stolen in the past, the thief was normally after the hardware. That is no longer the case. Today's criminals know that the information that might be stored on the computer is more valuable. This is especially true when the computer is owned by an institution such as Augusta State where personal, identifiable information may include such elements as social security numbers, credit card numbers, bank account numbers, passwords, driver's license numbers, passport identifiers, addresses, and phone numbers. These may not be in the one report that you've run, but every day, reports are run that contain valuable information for would-be criminals.
As computer users and employees of the University System, we have the responsibility to safeguard information. In 2008, 52 incidents of possible data loss have occurred at U.S. educational institutions; 560,981 people have been affected by these potential data losses. (Source: attrition.org) This figure is for the educational arena alone; if it is broadened to include private and government markets, over 15 million people have been affected.
Safeguarding our data is important not only for compliance with regulations, but also to reduce the costs associated with breaches, not to mention the damage to the reputation of the institution. Also, there are many state and federal laws that protect an individual's right to privacy. What, then, can you do to help safeguard that information?
Practice good data handling sense. The best method when handling sensitive data is to treat it as if it were your own. That heightens the senses to be extra cautious. But what else can you do to be conscientious when handling data?
Take a step back and look at your job function and the information you handle. Is there a form you collect that has a social security number on it? Do you need that social security number to complete the process, or does it merely save you a minute by not having to look up that person's name in a database? If you are storing information electronically, do you need to collect that information, or has it just always been done that way? If you do need to collect sensitive data electronically or on paper, what are your purging schedules like? Are they followed and properly documented? The more we limit exposure to possible theft, loss, or carelessness, the less chance we have to damage our students', faculty's, and staff's identities, credit records, or reputations.
This may require some additional work, but if the campus makes a unified effort to protect sensitive data and takes the proper steps to verify its need and function, then the campus, our employees, and students will all be better off. ITS is currently evaluating some tools that will assist us in protecting sensitive data, but the responsibility belongs to all of us. If you have concerns with any element of information you are collecting, first take it to your supervisor/department chair, who may know the reason behind it. If further efforts are needed, take it up your chain of command, or you may contact me (firstname.lastname@example.org) to assist in the evaluation.