Page 1: Protecting the Confidentiality of Social Security Numbers Business Procedures Memorandum 66

Protecting the Confidentiality of Social Security Numbers

Business Procedures Memorandum 66

Revised November 1, 2006

The University of Texas System

Page 2

Protecting the Confidentiality of SSNs2

Purpose

The purpose of this training is to:

• Provide general information, as required by Business Procedures Memorandum 66 (BPM 66), about the confidentiality of social security numbers (SSNs) and the provisions of BPM 66, and

• Highlight concerns regarding the use and protection of SSNs in light of recent events.

Page 3

Learning Objectives

• Key requirements of BPM 66

• Actions you must take to comply with BPM 66

• What this all means to you in your daily work

• Review provisions of the Security Plan for Safeguarding SSNs

• Identify resources for more information

Page 4

Key Requirements of BPM 66

• Increase awareness of the confidential nature of SSNs.

• Reduce reliance on SSNs for identification purposes.

• Establish a consistent approach toward SSNs throughout UT System.

• Ensure that SSNs are handled in a confidential manner.

Page 5

Why all the concern?

• Numerous federal and state laws govern disclosure and use of SSNs. Key provisions of the laws are summarized on the SSN web site.

• Increased reliance on the Internet and computers has greatly increased the risk of identity theft involving SSNs.

• Recent increases in stolen computer equipment, hacking, and scams, all involving personal data that include SSNs.

• Media scrutiny of governmental agencies and public demands for assurance that safeguards are in place.

Page 6

Here’s why…

Identity Theft Concerns - Data Breaches in 2006

• University of Washington

• Veterans’ Affairs

• Federal Aviation Administration

• City of San Diego

• University of Northern Iowa

• State of Rhode Island

• Department of Transportation

• University of Texas at Austin

• U.S. Department of Education

• State of Georgia

• Georgetown University

• Ohio University

• Texas Guaranteed Student Loan

• University of Minnesota

Page 7

Here’s why…

“Possession of someone else's Social Security Number is key to laying the groundwork to take over someone's identity and obtain a driver's license, loans, credit cards, cars, and merchandise. It is also key to taking over an individual's existing account and wiring money from the account, charging expenses to an existing credit line, writing checks on the account or simply withdrawing money.”

Testimony of Grant D. Ashley, Assistant Director, Criminal Investigation Division, FBI, before the House Ways and Means Committee, Subcommittee on Social Security, September 19, 2002

Page 8

What does BPM 66 require?

BPM 66 contains procedures to:

• reduce the use and collection of SSNs,

• inform individuals when SSNs are collected,

• reduce the public display of SSNs,

• control access to SSNs,

• protect SSNs, and

• establish accountability.

Page 9

What must I do to comply?

• Except when a UT institution is legally required to collect an SSN, an individual cannot be required to disclose his or her SSN or be denied service for refusing to disclose the SSN.

• The notice required by the Federal Privacy Act must be given each time a UT institution requests disclosure of an SSN, except when the institution is already in possession of an individual’s SSN and requests it for identification purposes (amendment to BPM 66, Section 3.1.3, approved January 2006).

Page 10

What must I do to comply?

• Samples of approved notices are in Appendix 3 to the BPM.

• The SSN Coordinator can also assist you in preparing a notice for your particular needs.

• In addition to the Federal Privacy Act notice, State law requires an additional notice whenever we collect SSNs or other personal information by means of a paper or an electronic form. Your supervisor or the SSN Coordinator can help with formulating this notice, too.

Page 11

What must I do to comply?

• SSNs are not to be displayed on documents, computer screens, PDAs, etc., that can be seen by the general public (e.g., time cards or rosters) unless required by law.

• Mailed materials containing SSNs should be designed so that SSNs do not show in the envelope window.

• SSNs are not to be sent over the Internet or via email unless encrypted or otherwise secured.

Page 12

What must I do to comply?

• Limit access to records containing SSNs to those employees who need access for the performance of job duties.

• Records with SSNs should not be stored on computers or other electronic devices that are not secured against unauthorized access.

• SSNs should be shared only with authorized third parties. A written confidentiality agreement should be used that requires the third party to use adequate safeguards to protect records containing SSNs.

Page 13

What must I do to comply?

• Records and media (disks, hard drives, etc.) containing SSNs must be discarded in a way that protects the confidentiality of the SSN. For example, paper records should be shredded, and hard drives should be securely wiped (overwritten) or physically destroyed; reformatting alone leaves the data recoverable.

• All new systems must comply with the standards in § 3.5.4 of BPM 66 (an SSN may not be the primary key of a database, and SSNs are not to be displayed). Before acquiring or developing a new system, contact your Information Technology Department and the SSN Coordinator.

Page 14

What must I do to comply?

• Each employee must comply with the Rules of Conduct that implement BPM 66. Failure to do so may result in disciplinary action, including discharge or dismissal.

• Each employee must promptly report inappropriate or suspected disclosures of SSNs to his or her supervisor, who is to report such disclosures to the SSN Coordinator.

• If you have any questions about whether a specific use of SSNs is necessary or appropriate, ask the SSN Coordinator.

Page 15

Beginning on September 1, 2007

• The use of the SSN as a primary identifier must be discontinued unless required or permitted by law.

• A unique identifier must be assigned to each individual.

Page 16

What does all of this mean to you in your daily work?

• If you need access to SSNs to do your job, you will have that access.

• If you use SSNs in your work, ask yourself: “Why do I need the SSN?”

Page 17

What does all of this mean to you in your daily work?

If you request that an individual disclose his or her SSN, remember that you must provide the Federal Privacy Act notice. You must give that notice regardless of whether you are assisting someone in person or over the phone or whether the person is completing a paper or electronic form.

NOTE: A subsequent request for production of a social security number for identification purposes does not require the provision of another notice.

Page 18

What does all of this mean to you in your daily work?

• If an individual refuses to give you his or her SSN, remember that you cannot refuse to provide the requested services unless the SSN is required by law.

• Protect SSNs on paper documents and computer systems.

• Take care to be sure that such records are properly secured and/or discarded.

• Be sure to report non-compliance to your supervisor or the SSN Coordinator immediately.

Page 19

What does all of this mean to you in your daily work?

Follow these rules:

• Do not request an SSN unless it is necessary and relevant to your job duties.

• Do not disclose SSNs to unauthorized persons or entities.

• Do not use another person’s SSN to your own personal advantage.

• Observe all administrative, physical, and technical safeguards.

Page 20

Security Plan for Safeguarding SSNs

• The Institutional Security Plan for Safeguarding Social Security Numbers was established and implemented pursuant to § 3.5.1 of BPM 66.

• The Security Plan was intended to provide guidance to all employees to protect against reasonably anticipated threats to the security and integrity of SSNs and anticipated uses or disclosures that are not required or permitted by law.

Page 21

Security Plan for Safeguarding SSNs

• The safeguards in the Security Plan refer to the UT institution’s policies and procedures currently in place to comply with federal and state regulations governing the protection of sensitive and confidential information in electronic form.

Page 22

Security Plan Provisions

Each institutional office shall control its employees’ access to SSNs by:

• Limiting access to records containing SSNs to those employees who need access to such information for the performance of their job responsibilities; and

• Working with the Human Resources Department and the Information Technology Department to make sure access to records containing SSNs is terminated when employment ends or when an employee’s responsibilities no longer require access to SSNs.

Page 23

Security Plan Provisions

Safeguards for any SSNs stored in a business information system include:

• Access to workstations and portable devices containing SSNs is restricted to authorized employees; and

• SSNs displayed on computer monitors or in other forms of output shall not be visible or accessible to individuals who are not authorized to view SSNs.

Page 24

Security Plan Provisions

For any SSNs contained in paper documents, the following requirements must be met:

• Printers and fax machines shall be located in secured locations so that unauthorized individuals cannot readily access or read the SSNs; and

• Paper records containing SSNs shall not be discarded in trash bins or recycle bins, but shall be shredded or placed in a secure bin for disposal.

Page 25

Relevant Laws

A summary of the key provisions of some of the relevant laws appears on the SSN web site.

More detailed information about these laws and other privacy laws will be provided at the departmental level as needed for the employee’s job duties.

Page 26

How can you find out more?

• Review BPM 66

• Read the related Rules of Conduct

• Read the Security Plan for Safeguarding Social Security Numbers

• Review the relevant laws governing SSN confidentiality

• Ask your supervisor

• Contact the SSN Coordinator

Page 27

Thank you for completing this training.

The University of Texas System