1. Treat it like it’s yours: best practices for handling student transcript data Bob Hughes Application Support Manager North Orange County CCD CCCTran Steering Committee Chair

2. Recent Data Breaches Privacy Rights Clearinghouse: www.privacyrights.org Privacy Rights Clearinghouse: www.privacyrights.org www.privacyrights.org 252,907,901 records containing sensitive personal information were involved in security breaches in the U.S. since January 2005 252,907,901 records containing sensitive personal information were involved in security breaches in the U.S. since January 2005

3. Recent Data Breaches (cont.) 4/9/09 Behrend College, Erie PA 10,868 SSN’s (compromised server) 4/8/09 Metro Nashville School 18,000 SSN’s (on public server) 3/18/09 U of West Georgia 1,300 SSN’s (stolen laptop) 3/17/09 Penn State University 1,000 SSN’s (compromised server) 3/16/09 University of Toledo (OH) 24,450 records, 250 SSN’s (stolen computer) 3/4/09 Elk Grove School Dist (CA) 520 SSN’s (on a lost document) 8/2/08 Countrywide Financial 2,000,000 SSN’s

4. California SB 1386 This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

5. What is Personal Information? e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

6. Recommended Practices http://www.oispp.ca.gov/consumer_privacy/p df/ssnrecommendations.pdf http://www.oispp.ca.gov/consumer_privacy/p df/ssnrecommendations.pdf Reduce the collection of SSN’s Reduce the collection of SSN’s Eliminate the public display of SSN’s Eliminate the public display of SSN’s Do not send SSNs by email unless the connection is secure or the SSN is encrypted Do not send SSNs by email unless the connection is secure or the SSN is encrypted

7. Option 1: Securing the Connection Encrypted Email Encrypted Email Requires that you have security certificate installed Requires that you have security certificate installed You must install the security certificate from the recipient You must install the security certificate from the recipient Complicated and time consuming; may require support from your IT staff Complicated and time consuming; may require support from your IT staff

8. Option 2: Encrypting the SSN Save attachment as PDF Save attachment as PDF Secure the document with a password Secure the document with a password Choose the option to Encrypt all document content Choose the option to Encrypt all document content Share the document password with the recipient Share the document password with the recipient Easy and compliant! Easy and compliant!

9. Questions?