May 22, 2007, Volume 53, No. 34
Social Security Numbers are sensitive data that can be abused by identity thieves to commit fraud. This abuse can cause privacy harm to Penn constituents and can create compliance and reputational risks to Penn itself. Penn has been committed to a multi-year effort to minimize the use of SSN and there are now additional tools that enable faculty and staff to identify where Social Security Numbers reside on their systems and to securely delete, convert, or truncate such information.
This draft policy has been created in recognition of the risks that Social Security Numbers present, as well as the opportunities to reduce the availability of such data at Penn. We welcome your comments on this draft policy by June 21. To submit a comment, please e-mail firstname.lastname@example.org.
Robin H. Beck, Vice President, Information Systems and Computing
Mary Lee Brown, Associate Vice President, Audit, Compliance and Privacy
Social Security Number Policy
Authority and Responsibility
The Office of Audit, Compliance and Privacy is responsible for identifying major risks that the University faces and coordinating appropriate responses to mitigate those risks. Information Systems and Computing is responsible for the operation of Penn’s data network and infrastructure (PennNet) as well as the establishment of information security policies, guidelines, and standards. These offices, therefore, have a responsibility to develop a policy in response to the significant privacy, security, and compliance risks concerning Social Security Numbers.
This policy establishes expectations around the use of Social Security Numbers–sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It calls on staff, faculty, contractors, and agents of the above to inventory their online and offline Social Security Numbers and reduce the above risks by, in priority order: (1) eliminating this data altogether, (2) converting it to PennID, (3) truncating the data to capture and display only the last four digits, (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the full data.
This policy establishes a formal institutional program around Social Security Numbers for the purposes of protecting the privacy of Penn constituents and reducing compliance and reputational risks to Penn. This policy establishes clearly defined steps and announces available resources to reduce the availability of this sensitive data.
Risk of Non-compliance
Social Security Numbers are often, in the wrong hands, used by identity thieves to commit fraud by opening and using new credit accounts in a victim’s name as well as gaining access to other personal and confidential information. In the case of credit abuse, the result is often a credit report damaged with inaccurate information reflecting the activity of the thief rather than the victim. Such a credit report can take months or more to correct and, in some cases, results in lost opportunities for the victim and, at times, out-of-pocket costs. In non-credit cases, the damage could be exposure or abuse of private personal data of many sorts, including medical records, financial information, and other sensitive data. In addition, Pennsylvania and other states’ “security breach notification” laws impose compliance obligations to notify data subjects of computer security breaches that expose full SSNs among other data. Failure to comply with this policy exposes individuals and the institution to significant risks. Individuals who fail to comply with the policy are subject to sanctions up to and including termination, depending on the nature, scope and severity of the violation, in accordance with University policies.
A. The individuals subject to this policy are all faculty, staff, contractors, and agents of the above in connection with Penn-oriented functions and activities involving Social Security Numbers.
B. The information subject to this policy includes Social Security Numbers collected and maintained as part of University operations. For example, the handling of one’s own Social Security number, or Social Security Numbers of family members, separate and apart from University operations is not subject to this policy, though many of the measures contained in this policy are recommended as a matter of best practice for such situations.
Statement of Policy
General: Best Efforts to Identify and Reduce Availability of SSNs. It is the responsibility of individuals subject to this policy to use best efforts to know and inventory where they are maintaining Social Security Numbers and to make best efforts to securely delete, convert, truncate, or secure such information.
A. Inventory of SSNs. The inventory requirement is met by:
i. Identifying hard copy documents, including reports from Information Systems, that contain Social Security Numbers.
ii. Identifying electronic files on desktops, laptops, servers, CDs, floppy disks, back-up tapes and USB drives, including files stored in applications and databases, large and small, that contain Social Security Numbers. See Best Practices.
iii. Identifying vendors, contractors, or agents with whom you are working who work with Social Security Numbers of Penn constituents as part of a Penn-sponsored activity.
B. Remediation–Eliminate, Convert, or Truncate
In cases where complete SSNs are not necessary, and Penn’s Records Retention Schedules do not require the retention of such information, the Social Security Numbers identified must be addressed in one of the following ways, in priority order:
i. Securely destroy the information.
1. Paper records may be securely destroyed by utilizing shredding services. For assistance in obtaining shredding bins or related records destruction services, contact the Penn Records Center at (215) 898-9432.
2. Electronic information may be securely destroyed using secure individual file deletion or secure disk wipe utilities. For resources regarding securely deleting electronic information, see www.upenn.edu/computing/provider/recycle.html.
ii. Convert information to Penn ID or other identifier. Penn’s Office of Information Systems and Computing must be consulted to employ the SSN-to-Penn ID conversion utility. Any remaining files with SSNs, once converted, must be securely destroyed.
iii. Truncate SSNs.
1. Collect, maintain, and display only the last four digits of Social Security Number. Truncated SSNs, as compared to complete SSNs, are less harmful to individuals from a privacy perspective and in most cases relieve Penn of compliance obligations under security breach notification laws.
C. Remediation–Securing Complete SSNs
In some cases, the maintenance of a complete SSN is necessary to comply with legal requirements or other business or IT processes that have not yet converted from SSN usage. Complete SSNs may also be necessary for certain Institutional Review Board-approved research activities. In such cases, this sensitive data must adhere to strict security standards, including, but not limited to the following:
i. SSNs may only be stored on secure Penn servers that meet the requirements of Penn’s Critical Host Policy (see: www.isc-net.upenn.edu/policy/approved/20000530-hostsecurity.html). Storage on desktops or laptops is prohibited.
1. Exceptions–When approved and documented by school/center senior management (IT Director-level or above), full SSNs may be stored on desktops or laptops. Approval is only permitted if the desktop or laptop meets the requirements of Penn’s Critical Host Policy and the data is protected at rest with encryption, with a key recovery component, within 3 months of such technology and service being recommended at Penn.[1] Further, laptops must contain software that permits, should the laptop be lost or stolen, location of the laptop and secure deletion of the data remotely. The critical host database shall have a notation regarding whether this is a “waived SSN machine.”
ii. Work from home restrictions–Personal/Home machines are not authorized to store SSNs. Any access to SSNs remotely must be encrypted over the network and not stored locally.
iii. SSNs may not be stored on PDAs, USB drives, iPods, phones or similar portable devices unless they are encrypted.
iv. Access to SSNs must be restricted to individuals with a need to know for University functions to proceed.
v. Any paper containing SSNs must be shredded or held in a locked file cabinet.
D. Remediation–Use by Third Parties
i. Social Security Numbers will be released by the University to entities outside the University only when:
1. permission is granted by the individual, or
2. the external entity is acting as a University contractor or agent and adequate security measures are in place to prevent unauthorized dissemination to third parties, or
3. as approved by the Office of Audit, Compliance and Privacy.
E. Remediation–Restrictions on Transmission
i. SSNs may not be sent over the network in plaintext, including e-mail.
Best Practices
A. Inventory tools—Automated tools are recommended as a best practice for locating files with Social Security Numbers. Information about what tools are available can be found at www.upenn.edu/computing/security/advisories/sensitive_data.html.
B. Reports from Central Systems—Notify data stewards of central or other systems that continue to issue reports containing full SSNs.
C. Local Security Compliance Efforts—This policy requires that Local Security Officers develop a program to promote compliance. Such programs may include: raising awareness, designating a day or week for SSN clean-up programs, annual reports of progress from divisions/departments within the School or Center.
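The following is an added example and is not part of the policy, nor one of the tools ISC recommends. It shows, in Python, what the inventory step (Best Practices A: locating SSN-shaped values in a file) and the truncation step (Statement of Policy B.iii: keeping only the last four digits) look like in code. The structural checks it applies to cut false positives (area 000, 666 and 900–999, group 00, and serial 0000 are never issued by the Social Security Administration) are my assumption about SSN format, not something the policy states, and the sample CSV text is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the usual SSN layouts: 123-45-6789, 123 45 6789, 123456789.
# The digit lookarounds stop matches inside longer digit runs (PennIDs,
# phone numbers, account numbers).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit groups the SSA never issues, to reduce false positives.

    Assumption (not from the policy): area 000, 666 and 900-999 are never
    assigned; group 00 and serial 0000 are never assigned.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def truncate_ssn(ssn: str) -> str:
    """Return the policy's truncated form: only the last four digits survive."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a 9-digit SSN: %r" % ssn)
    return "XXX-XX-" + digits[-4:]


@dataclass
class Finding:
    line_no: int
    ssn: str


def scan_text(text: str) -> List[Finding]:
    """Inventory step: list every plausible SSN with the line it sits on."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(n, m.group(0)))
    return findings


def redact_text(text: str) -> str:
    """Truncation step: rewrite each plausible SSN to its last-four form.

    Values that fail the structural check are left untouched so that a
    human can review them rather than silently losing data.
    """
    def repl(m: "re.Match") -> str:
        if is_plausible_ssn(*m.groups()):
            return truncate_ssn(m.group(0))
        return m.group(0)
    return SSN_RE.sub(repl, text)


# Constructed sample export; none of these values belong to a real person.
SAMPLE = """\
name,ssn,phone
Jane Doe,219-09-9999,(215) 898-9432
John Roe,123 45 6789,
bad row,000-12-3456,
order,987654321,
ref,666-45-6789,
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print("line %d: %s" % (f.line_no, truncate_ssn(f.ssn)))
    print(redact_text(SAMPLE))
```

Run against a real export the scanner only reports where full SSNs live; the redacted copy is what would replace the original once the Records Retention Schedule has been checked and the original securely destroyed. The bare nine-digit form (no separators) is the main source of false positives in practice, which is why the structural check matters.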
A. Verification–The Local Security Officers are required to develop programs to promote compliance with this policy.
B. Notification–Violations of this policy will be reported by ISC Information Security and the Office of Audit, Compliance and Privacy to the Senior Management of the Business Unit affected.
C. Remedy–Violations will be recorded by the Office of Audit, Compliance and Privacy and any required action to mitigate harmful effects will be initiated in cooperation with the Senior Management of the Business Unit affected.
D. Financial Implications–The business units shall bear the costs associated with compliance with this policy.
E. Responsibility–Responsibility for compliance with the policy lies with all faculty, staff, contractors, and agents of the above in connection with Penn-oriented functions and activities involving Social Security Numbers.
F. Time Frame–This policy shall be effective within 90 days of its publication.
G. Enforcement–Individuals not adhering to the policy may be subject to sanctions as appropriate under Penn policies.
H. Appeals–Appeals are decided by the Vice President of Information Systems and Computing and the Associate Vice President of Audit, Compliance and Privacy.
A. Shredding–For assistance in obtaining shredding bins or related records destruction services, contact the Penn Records Center at (215) 898-9432.
B. Secure deletion of electronic files–For resources regarding securely deleting electronic information, see www.upenn.edu/computing/provider/recycle.html.
C. SSN to PennID Conversion Tool–Penn’s Office of Information Systems and Computing must be consulted to employ the SSN-to-Penn ID conversion utility. Any remaining files with SSNs, once converted, must be securely destroyed. Call (215) 573-4492 to use the free SSN-PennID conversion tool.
D. Records Retention Schedules–Penn’s Records Retention Schedules may be found at www.archives.upenn.edu/urc/recrdret/entry.html.
[1] Schools and Centers considering an encryption solution independently should consult with ISC Information Security.