SSN Scanning Project 2009

From Rick Miranda, Interim Provost:

"As you are aware, CSU is diligent about protecting individuals’ privacy. To protect CSU constituents from possible identity theft and in compliance with numerous laws and directives, in 2007 the University transitioned away from SSNs to new CSUIDs as primary identifiers. Subsequent to that, files containing SSNs were to be removed from systems. Two years ago, in 2007, individuals attested they had removed SSNs from their systems. Last year, in response to discovery on servers of numerous files containing SSNs, IT staff conducted scans/rescans for SSNs of files on servers accessible from the Internet. That exercise uncovered over 900,000 SSNs in tens of thousands of files. Since the second effort revealed so many SSNs, I feel it necessary to rescan servers as our next exercise in this direction..."

For the entire memorandum from Rick Miranda, see the Forms section.

A Note on Paper and other Hardcopy Records Containing SSNs

It is the responsibility of individual departments to secure physical records containing sensitive information. Paper and other hardcopy records containing SSNs are to be protected in the same manner as paper and other hardcopy records containing sensitive data have always been protected, i.e. physically secured consistent with the quality and quantity of sensitive information and need for access. For example, if it has been accepted practice in departments to store student records in spaces behind locked doors that are accessible to faculty, then this process may continue, and nothing in the current SSN purge activity affects this practice. However, individual departments should periodically reassess their policies and procedures for access to sensitive records, and a prudent approach would be to perform such an assessment in conjunction with this SSN purge activity, but there is no such requirement associated with the SSN purge activity.