Presentation on theme: "Planning for the Elimination of Social Security Numbers as Primary Identifiers Mike Corn, University of Illinois Jenny Mehmedovic, University of Kansas."— Presentation transcript:
Planning for the Elimination of Social Security Numbers as Primary Identifiers. Mike Corn, University of Illinois; Jenny Mehmedovic, University of Kansas; Sheila Ochner, University of Texas
Defining the Problem: “The first step to recovery is admitting you have a problem.” (SSN Users Anonymous)
Defining the Problem: The Social Security Number. Where is it? How is it used? What are the institution’s legal obligations and liabilities in protecting it?
Introductory Snapshots: Current state of SSN usage at University of Illinois, University of Kansas, and University of Texas
Legal Requirements? 1974 The Privacy Act (5 U.S.C. 552A); Family Educational Rights & Privacy Act (FERPA); 1986 Electronic Communications Privacy Act (ECPA); 1996 Health Insurance Portability and Accountability Act (HIPAA); 1999 Gramm-Leach-Bliley Act, “Privacy of Consumer Financial Information”; 2001 USA Patriot Act; Future legislation: at least 9 pending items
Plotting your Approach: Tactical? Independent tasks you can undertake to remediate SSN usage. Strategic? Comprehensive institutional plan.
Planning to Start: Designate responsibility; see what other universities are doing; define the SSN business problem; educate the community; gain support of administration; identify uses/need for SSN; define universe of systems to be examined; create an SSN replacement plan
When the Worst Happens: Real-life examples of SSN exposure. Not recommended! But do highlight the need to identify/use SSN alternatives.
Next Steps: Survey applicable law and resulting legal obligations; assess risk/benefit/viability of SSN removal (“What would it cost us in dollars and prestige when a judge orders us into compliance on a very short timescale?”); write policy; implement use of disclosure statements; build a representative body; have a plan for responding to complaints
Continuous Improvement: Google is your friend – use it to search for SSN in your campus domain! Address new problems as they arise. Long-term process. Risk-benefit analysis. Managing expectations. Can’t accomplish EVERYthing FIRST.
Raising Awareness: How to do it? Methods/tools to use? Different audiences – different points. Univ. systems v. dep’t systems? Start with deans, directors.
Lessons Learned: Cast the net deep & wide to catch all the distributed systems/uses. Wrap yourself in the law. If you are not in compliance, you must change. In an era where identity theft is the #1 consumer crime, SSN usage needs to be understood as a major privacy concern.
Contact Information: Mike, Jenny Mehmedovic, Sheila Ochner