1. Update on SSN Remediation and 1-Card December 8, 2005

2. Identity Theft Concerns In 2002, Identity theft became the #1 complaint to the FTC. It has remained the #1 complaint since then. The public is very scared they will be a victim of identity theft. 2003, Congress passed the Graham, Leech, Bliley Act (GLB). This mandates electronic protection be put in place for financial data, including financial aid. April 2005, VISA began requiring larger merchants certify their procedures.

3. The Crisis in Confidential Data Disclosure on Campus To see how bad the situation is visit: http://www.privacyrights.org/ar/ChronDataBreaches.htm Some Facts - –Last 18 months 44 schools, 3.1 million records –Since January 2005 38 schools, 1.5 million records I believe this represents only the tip of the iceberg and the problem is much worse than this data indicates

4. Why is this Happening? States Require Notification Eighteen states now have legislation requiring disclosure when data is potentially released, regardless of whether it is likely to have been accessed. There are four bills in committee in Congress that deal with protecting consumers confidential information and requiring automatic notification.

5. States With Data Disclosure Laws

6. Why is this Happening? Cultural Use of SSN in Education Higher education must collect and report on students by SSN to outside agencies (e.g. MHEC, DOE, and IRS). Historically colleges just used what they already had that was unique -- SSN. As technology systems spread throughout campus the one sure way of linking systems was -- SSN. As a result, to me higher education is desensitized to the concern people have over giving out their SSN.

7. Looking Beyond Systems - Managing Risks Because SSN is the primary key in use at UMBC we have this in a multitude of places: –Electronic documents in Excel or PDF with SSN –Paper reports listing SSN with name –File cabinets. –Backup media like diskettes, CDROM, or DVD –Saved email messages –Campus ID cards We have to manage the risk appropriately over the next few years.

8. What Are We Doing About This? SSN remediation of SIS - create a new primary id! 1-Card upgrade Campus procedures for handling sensitive material are being drafted. In addition, mandatory risk assessments will be required for areas using sensitive data, such as SSN. We must develop a communication strategy to inform staff and faculty of the importance in protecting this data. At the same time we need to explain to students that we have to continue collecting this information.

9. Next Steps How should we communicate? To whom? How often do groups like this need to be involved. Are there issues we need to address that you don’t believe we are aware of? How do we best protect UMBC?