Names and Social Security numbers ' two of the most important pieces of information for identity theft ' have been left unencrypted on the magnetic strip of university ID cards this year. In the fall, that will change.
Ping Center and Alden Library systems currently use SSNs as unique identifiers, which require university ID cards to contain that information. This fall, authentication methods at both buildings will change to allow use of the less sensitive personal identification number ' or PID.
All current university ID cards will be replaced and the new cards will use PID numbers instead of SSNs. How the new cards will be phased in' and the cost of reissuing every card ' hasn't been determined, said Brice Bible, chief information officer. He speculated the new cards might be mailed to students or issued when they return to campus in the fall with the option of taking a new picture for their card but stressed no decision has been made.
These changes, along with the purchase of a new student information system, will allow the university to re-examine how personal information is managed on campus, Bible said. SSNs can never be fully eliminated from the system, but they can be minimized and protected from unauthorized access, he said.
An SSN is the most important piece of information for identity theft, said Paul Stephens, a policy analyst for the Privacy Rights Clearinghouse. Almost 250,000 Americans reported identity theft last year, according to data collected by the Federal Trade Commission. The most likely age group to report identity theft is that of 18- to 29-year-olds.
Once the information is out there
it's out there Stephens said. There's no getting it back.
Stephens called the routine use of SSNs at Ping Center and Alden Library outrageous.
That's a disaster waiting to happen he said.
While the university is eliminating as many unnecessary uses of SSNs as possible, they can't be removed entirely, Bible said.
There's a very limited need for (SSNs)
Bible said, adding that SSNs will be encrypted when they can't be replaced by a less sensitive unique identifier.
The university is still developing an information classification policy that would rank information by sensitivity and determine who should have access to what personal information, Bible said, adding that while some guidelines exist in other policies, this policy would be comprehensive.
Last year, it was discovered five university servers ' containing hundreds of thousands of records and SSNs ' had been hacked. Databases containing the information were not encrypted and the university did not have an information classification policy.
The university is hiring a new director of information technology security to lead its four-member information security team, Bible said. The search closes at the end of the month.
17
Archives
Dave Hendricks
