How to Secure Personally Identifiable Information

When an external hard drive containing the Social Security numbers of 38,000 Georgetown University students, faculty and staff was stolen during the 2007–2008 winter break, the IT security staff at the university knew there was a lot of work ahead.

The data breach, which took place in the university's Office of Student Affairs, was very serious, says Heidi Wachs, Georgetown's director of IT policy and privacy officer.

Right after the incident, Wachs, along with the University Information Security Office, recognized that they had to get a better handle on how and where the university housed its data, as well as how it managed personally identifiable information.

PII is any information element regulated by law. Examples include a person's Social Security number or medical information regulated by the Health Insurance Portability and Accountability Act.

"We focused on PII because we were especially concerned about how many Social Security numbers were stolen and needed to find a way to protect the identities of the university's students, faculty and staff," Wachs says.

The university formed a data security task force, which asked the IT security team to conduct a complete inventory of the university's data repositories. The security team took what it learned from the inventory and developed a program for more effectively managing PII. These five best practices stem from the PII program developed at Georgetown.

• Find out what data you have and where it is housed. Judith House, associate university information security officer, says the tendency among IT security professionals is to focus on the obvious repositories, such as student grades, financial aid data and more general university financial information. But upon taking a campuswide inventory with a web-based survey, Wachs, House and the security team discovered more than 700 repositories of information. The data ranged from small spreadsheets to extensive databases of student financial records.

  "We found a surprising – and scary – amount of data residing outside of our enterprise systems on individual computers and departmental servers," says House. "Wherever we discovered a large cache of information, we dispensed a security team to assess and remediate the situation."

  The teams were tasked with taking appropriate measures to secure the personal information, says House. For instance, if a department had a repository kept on a single desktop, the team would work with the department to move it to one of the university's approved secure storage solutions. They would then ensure that the original location had been properly cleared of all sensitive data and make sure the department staff had all the necessary information to maintain the new solution.

• Develop a process for managing Social Security numbers. Wachs says one of the most basic steps is getting a handle on Social Security numbers. While the numerous laws that govern PII define it differently, Social Security numbers are the common denominator, she says. Georgetown concluded that the most appropriate response was to eliminate use of SSNs for identification purposes and to store or use them only when there was a legal requirement to do so. For example, students are required to submit their Social Security numbers to obtain financial aid from the federal government, and all university faculty and staff must provide a Social Security number for payroll and tax reporting. The university focused its efforts on eliminating uses that had been accepted in the past, but that no longer met the standard of legal purpose.

  "We decided that we would ask for Social Security numbers only when the student or worker first enrolls with our system," Wachs explains.

  

  Chad Baker/Ryan McVay/Getty Images

  According to Wachs, once individuals are entered into the system at the university, throughout their stay, they now need only a Georgetown University ID (GUID) to identify themselves.

  "Five years ago at Georgetown, if I wanted to look up or create a record, I needed to have a Social Security number," Wachs says. "Today, the only option is the GUID."

  Now, when a student calls finan­cial aid at the university to ask a question about a loan, he or she will be asked for a GUID. It's the same for employees seeking basic information about their business with the university. All that the student or employee needs to provide is a GUID. "This system protects all our stakeholders because it never puts the Social Security number in play," Wachs says.

  This kind of system is now more common at many institutions, says Eric Ouellet, research vice president at Gartner.

  "Ten to 15 years ago, identity theft wasn't really an issue," Ouellet says. "But growing awareness has changed the way organizations are handling credit card and Social Security information."

• If possible, use existing IT infrastructure. The breach at Georgetown was a stolen hard drive, not an infiltration of the university's network. As the security staff reviewed the data repositories, if they found Social Security numbers that were not protected by the university's enterprise network, they would put them in the managed environment. But Wachs says the vast majority of Social Security data was already protected by the university's existing system.

  "All PII was moved to enterprise storage, with encryption required when in transit," ­Wachs explains. "At the time of the breach, Georgetown was upgrading its enterprise network, so the university was well-positioned to handle the additional PII and encrypted traffic."

• Form a task force with your ­major stakeholders. Georgetown University brought together the chief financial officers from each of the three campuses, plus the provost and the vice presidents of the major functional areas. This included human resources, student records and financial affairs.

  Wachs says employees at universities are accustomed to working on committees, so it's good politics to get as many people and departments involved as possible. She says university administrators can make or break a program once the initial round of meetings ends. They help the security team better understand the various business processes and how the functional departments interact with one another. They are especially useful in the beginning when the security team is trying to find out how many data repositories the college is managing. Wachs advises using the committee to set up the initial contacts with the researchers, professors and administrators who manage data.

• Communicate your PII efforts to the university community. Both Wachs and House agree that the breach gave Georgetown the motivation to learn more and become much more aware of how to manage PII.

  "It's really important to communicate your activities to the university's many stakeholders," Wachs says. "We sent out a couple of e-mails from our senior vice president explaining the creation of the data security task force and held two public meetings. The success of your PII effort depends on developing widespread awareness throughout the university."