New software to help keep personal information secure
By Sharita Forrest, Assistant Editor 217-244-1072; slforres@illinois.edu
Campus Information Technologies and Educational Services, in conjunction with the Office of the Chancellor and the Office of the Provost, is asking faculty and staff members to do some electronic housekeeping this fall, by eliminating old computer files containing Social Security numbers and credit-card numbers.
According to CITES, there are hundreds of such files sitting unused on computers all over campus.
In October, a campuswide initiative to eliminate these files will begin. All faculty and staff members will be required to search through their electronic files and records and delete or securely archive those containing Social Security numbers and credit-card numbers.
“As members of the university community, we each have an obligation to protect the private data that is entrusted to us,” said Chancellor Richard Herman. “Our fellow faculty, staff and students depend on us, and at a world-class institution, we should expect nothing less of ourselves.”
The University of California at Los Angeles made headlines in December 2006 when it was discovered that hackers had illegally accessed a restricted database between October 2005 and November 2006. The database contained personal information for about 800,000 people, including student applicants, current and former students, faculty and staff members and some parents of students and applicants who had applied for financial aid.
Despite incidents such as the security breach at UCLA, the greatest threat to information security is posed by historical “work-a-day” files such as spreadsheets with research data or old word-processing files containing SSNs or grades that may be lurking on personal computers, according to Mike Corn, the director of security services and information privacy in the Office of the Chief Information Officer. Faculty and staff members using the computers may have forgotten that the files exist or be unaware that they contain sensitive data.
To help identify sensitive files, the CITES security office has developed a software package, called Firefly, that scans employee workstations for files containing SSNs and credit-card numbers and presents the user with a summary of these files so the employee can delete them. The scanning tool was available to information technology professionals on campus in August so they could begin scanning mass storage and servers; the tool will be available to other campus employees about Oct. 15.
Campus units also will be required to inventory existing systems that contain SSNs and either eliminate them or, in conjunction with the CITES security office, implement controls to protect the systems, while planning to eliminate unnecessary personal data. By Jan. 1, unit heads will have to certify that they have completed the SSN removal program for all systems for which they are responsible. During February, the security office will provide the Office of the Provost and the university’s auditors with the status of each unit.
The security office became aware of the potential threat these files pose while working with units to mitigate the consequences of compromised or “hacked” workstations.
“How do we know data hasn’t been released? We don’t,” Corn said. “But even if no harm is done, a security breach still induces fear of identity theft into people’s lives and could put the university’s reputation at risk. Eliminate the sensitive data and you largely eliminate the risk.”
The cost to the university of a data breach is estimated at about $70 per SSN, Corn said. In the UCLA case, where 800,000 individuals were affected, the potential cost could be millions of dollars.
“Cleaning out those files with Social Security information on them will require cooperation across campus,” said Provost Linda Katehi, “but I am confident that our people will recognize the unacceptable dangers of having these files on their workstations and work together with the CITES security office to eliminate them.”
Files with sensitive data can be inadvertently released in a few seconds just by attaching the wrong file to an e-mail. In August, the College of Engineering found that out when a spreadsheet file containing thousands of students’ grades and addresses was erroneously included in a mass e-mail to 700 students.
“We want people to understand the obligation they have” relative to data security, Corn said. “You personally are accountable for the data you control. If you eliminate these files from your computers, you should be able to sleep better at night.”
The Personal Information Privacy Act (www.cio.uiuc.edu/pipa/), which took effect in Illinois on Jan. 1, 2006, established several stipulations surrounding collection of nonpublic personal data – defined as SSNs, driver’s license or state I.D. numbers, account numbers, and credit/debit card numbers – by state universities and other organizations and the notification process they must go through to advise affected people of data breaches.
SSNs were widely used on campus as personal identifiers for students and faculty and staff members until January 2000, when the university adopted a policy that called for reducing or eliminating their use in campus and university systems and business processes. As part of that policy, the UI began creating unique University Identification Numbers as personal identifiers.
As part of the project, the Urbana campus is adopting standards that require all faculty and staff members with access to SSNs to annually deploy the SSN scanning software. Laptops containing sensitive data will have to be identified as such. Unit heads will have to sign off every year certifying that their unit has fulfilled the data security requirements.
Additionally, the security office is developing an application, to be deployed this fall, for registering laptop computers used by faculty and staff members; the application will aid in recovery of the laptops if they are stolen. Individuals who would like early access to a pre-release version of the software may contact securitysupport@illinois.edu. In return, the CITES security office would request feedback on the product before the general release to the campus community.