Shostack + Friends Blog Archive

Colleges and SSNs

For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet:

Dunn said [Boston] college will also purge individuals’ Social Security numbers from all of its records in the future. He said schools have long used the identifiers to keep track of people in a number of ways but noted that increasing concerns over the security of computing systems used to store the information have caused the college and others to review the policy.

or see “Chico State computer system attacked by hackers” in the Chico Enterprise Record (Sacramento, CA):

More than 59,000 people connected to Chico State University will be contacted for what officials are calling the largest computer hacking incident the college has seen.

Notifications to anyone whose personal information was compromised were going out Tuesday, said Joe Wills, director of public affairs at the university.

That list includes current and former Chico State faculty and staff members. But the majority are students, since the server hackers targeted held the names and Social Security numbers of current, former and prospective students.

The easiest way to avoid this sort of story about your business is to not collect such data. Financial aid may cause you to need the SSNs of current students. Why on Earth do you need the SSN of a prospective student? Why do you need to maintain the SSN of an alumni? (If there are legal reasons, now would be a great time to get Congress to change them.)

Originally published by adam on 17 Mar 2005
Last modified on 17 Mar 2005
Categories:   privacy   Uncategorized