Navigate to next or previous posts:

« Chris Allen and Socializing | Emergent Chaos Main page | Choicepoint, March 18 »

Colleges and SSNs

(Posted by adam)

For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet:

Dunn said [Boston] college will also purge individuals' Social Security numbers from all of its records in the future. He said schools have long used the identifiers to keep track of people in a number of ways but noted that increasing concerns over the security of computing systems used to store the information have caused the college and others to review the policy.
or see "Chico State computer system attacked by hackers" in the Chico Enterprise Record (Sacramento, CA):
More than 59,000 people connected to Chico State University will be contacted for what officials are calling the largest computer hacking incident the college has seen.

Notifications to anyone whose personal information was compromised were going out Tuesday, said Joe Wills, director of public affairs at the university.

That list includes current and former Chico State faculty and staff members. But the majority are students, since the server hackers targeted held the names and Social Security numbers of current, former and prospective students.

The easiest way to avoid this sort of story about your business is to not collect such data. Financial aid may cause you to need the SSNs of current students. Why on Earth do you need the SSN of a prospective student? Why do you need to maintain the SSN of an alumni? (If there are legal reasons, now would be a great time to get Congress to change them.)

Posted by adam on March 17, 2005 at 4:38 PM in Privacy . You can: comment, view comments (1), see trackbacks (3) or search Technorati.

Bookmark this post:

TrackBacks

Trackbacks are links generated by other blogs which have commented on this entry.

Listed below are links to weblogs that reference Colleges and SSNs:

» Colleges And SSNs from Cutting Edge Of Ecstasy
Adam at Emergent Chaos has more on the recent story of data theft at Boston College. About colleges using SSNs... [Read More]

Tracked on March 18, 2005 4:44 AM

» ID theft writ large from The Q Speaks
Emergent Chaos points out there's no reason for colleges to use SSN as ID numbers, a point all the more illustrated by... [Read More]

Tracked on March 24, 2005 1:31 AM

» How about "stop using social security numbers as passwords" from Thinking WiKID Thoughts
Today I read on Martin McKay's blog that you should change your default passwords and Adam Shostack has pointed out that colleges should usen't use SSNs to track students. But apparently, no one told Jackson Community College not to use SSNs as the dwe... [Read More]

Tracked on May 23, 2005 2:44 PM

Comments

There's a SB1386 disclosure archive run by Strongauth.com. (A Google search will get you the URL, which I cannot put here since it'd be stripped from this comment).

A third of the disclosures it lists are from educational institutions. Whether this overrepresentation is due to greater vigilance, greater compliance with the law, or poorer protection of data by such institutions is an unanswered question, unfortunately.

[Adam adds: http://www.strongauth.com/regulations/sb1386/sb1386Disclosures.html]

Posted by: Chris Walsh | March 18, 2005 11:08 AM