SSN

Social Security Remediation

Why is SSN Remediation important, and why should I care?

Any retention of Social Security numbers puts an organization at increased risk of identity theft. While there are some legitimate business reasons that our University deals with SSNs, there are also things we can do to minimize our risk of security breaches involving SSNs. SSN Remediation is about mitigating the potential for exposure and protecting the identity of all of us who work or attend school here at Notre Dame.

What is involved with the remediation process?

For individual remediation, we use software called Identity Finder to scan your computer for SSNs as well as other potentially sensitive information (credit card numbers, bank account numbers, or stored passwords). The software produces a list of results, and our SSN Remediation Technicians will help you deal with those results by electronically 'shredding' (i.e., securely deleting) unneeded files, 'scrubbing' just the sensitive portion of the files, or securing files with software encryption.

What laws cover Social Security numbers?

State laws that involve the confidentiality of SSNs can be reviewed on the FTC website: State Laws: Social Security Numbers. Federal laws on this topic are discussed in an article from the GAO (Government Accountability Office). Read pages 24 and 25 for Federal laws, and page 22 for Federal statutes that require SSN collection by the government. Note that this report is around 6 years old and does not include things like the Social Security Protection Act of 2010.

My department deals with SSNs - what are my options for securing and storing them?

Several options are available to us for securing sensitive documents, such as data encryption and secure network drives in our CORPFS file system.

Are there any options for our department to retain partial SSNs as identifiers?

Possibly – please consult with the SSN Team analysts as they review your business processes. The retention of partial (also called ‘redacted’) SSNs may be appropriate in specific cases around the University.

Am I in trouble if SSNs are found on my computer?

The purpose of SSN Remediation is NOT to single people out or get folks into trouble for having sensitive information on their machines. Most users we work with are going to find some amount of sensitive data on their computers or network drives, and many times they don't even realize it is there! Our goal is to empower ND users to discover what they are dealing with and give them the tools to manage their sensitive data effectively.

Can I keep my own SSN on my computer?

Although SSN retention laws do not preclude an individual from storing their own SSN, we encourage you NOT to keep that information on your Notre Dame computer.

I have SSNs on paper - what should I do with them?

Active records (records that are currently in use and regularly consulted) should be discussed with the SSN Remediation Team to analyze business processes and to develop a remediation plan. Contact the SSN Team at ssnteam@nd.edu.

Inactive records (records that are no longer regularly used) are to be either transferred to the University Archives or destroyed via the University’s shredding program. Visit http://archives.nd.edu/records/index.htm to view records retention schedules that will help you identify what records can be destroyed and what records should be transferred to the Archives. The site also provides information on the University’s shredding program and instructions on how to transfer records to the Archives.

It may not be necessary to perform SSN remediation on records that are to be destroyed in the near term, provided they have appropriate security and storage. Records containing SSNs that are to be transferred to the Archives for long-term or permanent storage may require remediation prior to transfer; however, SSNs might be essential information on other records, so consult with the Archives prior to taking any irreversible action. If SSNs need to be redacted, it is the responsibility of the office of origin to take this action prior to transfer. All records containing SSNs that have not been redacted should be clearly identified at the time of transfer to the Archives. Email records@nd.edu for assistance with inactive records.

See also the SSN Remediation Quick Reference Guide, which provides guidance on handling records that are most likely to contain SSNs and includes instructions on how to redact SSNs.

Should I be concerned about copiers that save document images?

Notre Dame has selected Xerox to supply our copy machines throughout campus. Part of the reason we chose Xerox was their commitment to document security. Xerox copiers that use an internal hard drive are equipped with data encryption as a standard feature, plus several optional security features for keeping your data secure (i.e., Image overwrite and Secure Print). Please refer to the Xerox Security Fact Sheet for more information.

If your department still uses a non-Xerox copy machine, please check with your vendor to verify its level of data security and consult with your Notre Dame Procurement Specialist to learn more about Xerox options to meet your image processing needs.