Protection of Social Security Numbers

To: UCSC Staff and Faculty

From: Mary Doyle Vice Chancellor, Information Technology Services; David S. Kliger Campus Provost and Executive Vice Chancellor

We write to remind you of the importance of removing Social Security Numbers (SSNs) from laptops, desktops, thumb drives, cell phones, mp3 devices, storage cards, and any other electronic medium. You might be surprised to discover that you have SSNs stored in old files, e mail, and attachments, especially those prior to 2004 when student and employee ID numbers tended to be an individual's social security number.

Recently, a laptop containing UCSC information was stolen during a home break-in. This computer held old unencrypted class lists, grades, and applicant files which included SSNs. The theft resulted in the personal identity of several hundred former students and applicants being exposed to potential compromise.

California State Law (Civil Code 1798.29), requires that Personal Identity Information (PII) is appropriately protected and that if the data is acquired by an unauthorized person through a security breach, affected individuals must be notified. Under this law, "personal identity information" means first name or initial and last name in combination with:

. Full Social Security Number;

. Driver's license number or California Identification Card number;

. Financial account, credit card, or debit card numbers; and/or

. Medical or health insurance information

Clearly, some of the files on this stolen computer fell within the definition of PII because they contained both names and SSNs, and the campus was therefore required to find contact information and notify each individual of the potential compromise of their PII. This incident unnecessarily exposed a number of people to the potential for identity theft, and put the institution at risk of lawsuit that could result in fines, reputational damage and loss of public trust. In addition, the process of finding and notifying individuals of the potential compromise to their personal information was time-consuming and expensive.

ACTION REQUESTED

The best way for you to protect PII is to not have it in the first place. We ask you to review information stored on all your electronic media to eliminate any non-essential PII. If you need assistance in eliminating PII, please work with ITS (Information Technology Services), either through the Support Center or divisional IT staff. In the very rare case that it is essential to retain such data (use of SSNs is allowable only for very limited and specific business purposes), work with your technical support staff to encrypt the files. If you do not know whether you have any PII stored, ask for a scan of your files to locate any such information, and then either eliminate or encrypt it as appropriate. This scanning process does not require a review of content; rather, it utilizes a system identification of data strings that might represent PII. If you do not know if it is essential to retain the SSN or other PII, check with Linda Beaston (email lbeaston@ucsc.edu or telephone 459-2666) for clarification.

Last month, President Yudof issued a letter to the Chancellors requiring each campus to provide, no later than June 30, 2010, a summary of the level of campus compliance with the UC policy protecting SSNs and a plan for any needed corrective actions. Your action on this very critical matter is an important part of our response to President Yudof's request, and your attention and assistance is greatly appreciated.