Social Security Numbers and Identity Theft

The horse is out of the barn: SSNs are everywhere, used by so many for identity matching it's staggering. How on earth will it be possible to protect folks from identity theft involving SSNs when so many organizations and processes depend on its more-or-less ubiquitous availability?

That question was front and center at the Federal Trade Commission's workshop on SSNs and ID Theft in November 2007, where it convened panels on the key aspects of the problem. It was fascinating. A really good summary of the issues and of the comments received prior to the workshop was put together by FTC staffers.

Jim Davis, UCLA's CIO, was asked to participate on the panel for organizations that have already moved to an alternate identifier (the campus's University ID, UID, or the equivalent Student ID): what it took to get there and what the ongoing issues are. Understanding these issues for UCLA is in itself interesting.

First, it's not straightforward to ensure that we only ever assign one U/SID to an individual. Someone could start as an undergraduate, then years later return as an employee with a different name and address (or vice versa). Another could be both employee and student simultaneously. The first factor used to confirm identity is ... the SSN! If the SSN is not available, a variety of other factors are combined by a complicated and potentially time-consuming algorithm, and the result, which may not confirm identity with 100% certainty, must then be interpreted in the specific context of the request.

Jim used two scenarios to illustrate this. In the case of transcript ordering, an SSN is not necessary - we know a lot about a student who spent four years with us and can use these other data to confirm identity ("knowledge-based authentication"). On the other hand, during admissions, we have essentially no a priori knowledge about the applicants, and the SSN is used not only to authenticate them but also as the basis for the credentialing process. The fact that ~60,000 applications have to be processed in about 5 weeks also means that, without the SSN, the task would simply be impossible.
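To make the identity-matching idea concrete, here is an added example (written for this page, not UCLA's code) of how a directory can match an incoming request against existing identities without an SSN, and how the same score is then interpreted differently depending on the context of the request. The people, UIDs, addresses, field weights and thresholds are all constructed for illustration; a real system would tune them against its own data.

```python
"""Score-based identity matching without an SSN (constructed example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    uid: str
    name: str
    dob: str       # ISO date, YYYY-MM-DD
    address: str
    email: str


# Constructed sample directory: the people, UIDs and addresses are invented.
DIRECTORY = [
    Person("U1001", "Maria Elena Lopez", "1984-03-12", "12 Gayley Ave, Los Angeles", "mlopez@example.edu"),
    Person("U1002", "Mario Lopez",       "1984-03-12", "900 Hilgard Ave, Los Angeles", "mario.l@example.com"),
    Person("U1003", "Wei Zhang",         "1990-07-01", "5 Strathmore Dr, Los Angeles", "wzhang@example.edu"),
]

# Assumed evidence weights (not from the page). They sum to 1.0, so a claim
# that omits a field can never reach 1.0: missing evidence lowers the ceiling
# instead of being ignored.
WEIGHTS = {"name": 0.35, "dob": 0.30, "address": 0.15, "email": 0.20}

# Each context interprets the same score differently: (accept_at, review_from).
# Releasing a transcript to the wrong person is a disclosure, so it demands
# more evidence than deciding whether a new affiliate already holds a UID,
# where the cost of a miss is a duplicate record a human can later merge.
CONTEXTS = {
    "transcript_release": (0.80, 0.55),
    "uid_dedupe": (0.70, 0.45),
}
AMBIGUITY_MARGIN = 0.10   # two candidates this close are sent to a human


def tokens(s: str) -> set:
    """Lower-case, drop punctuation (hyphens, commas, initials' dots), split."""
    return set(re.sub(r"[^a-z0-9]+", " ", s.lower()).split())


def dice(a: str, b: str) -> float:
    """Dice overlap of token sets; tolerates reordering, middle names, hyphenation."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    return 2 * len(ta & tb) / (len(ta) + len(tb))


def score(candidate: Person, claim: dict) -> float:
    """Weighted evidence that `claim` describes `candidate`, in 0.0 .. 1.0."""
    s = 0.0
    if claim.get("name"):
        s += WEIGHTS["name"] * dice(candidate.name, claim["name"])
    if claim.get("dob"):
        s += WEIGHTS["dob"] * (1.0 if claim["dob"] == candidate.dob else 0.0)
    if claim.get("address"):
        s += WEIGHTS["address"] * dice(candidate.address, claim["address"])
    if claim.get("email"):
        same = claim["email"].strip().lower() == candidate.email.lower()
        s += WEIGHTS["email"] * (1.0 if same else 0.0)
    return round(s, 3)


def resolve(claim: dict, context: str, directory=DIRECTORY) -> dict:
    """Rank the directory against the claim and decide according to context."""
    accept_at, review_from = CONTEXTS[context]
    ranked = sorted(((score(p, claim), p.uid) for p in directory), reverse=True)
    top, uid = ranked[0]
    runner_up = ranked[1][0] if len(ranked) > 1 else 0.0
    if top < review_from:
        decision = "no_match"
    elif top < accept_at or top - runner_up < AMBIGUITY_MARGIN:
        decision = "review"          # not enough evidence, or two near-ties
    else:
        decision = "match"
    return {"decision": decision, "uid": uid if decision != "no_match" else None,
            "score": top, "runner_up": runner_up}


if __name__ == "__main__":
    # Former student returning as staff: married name, new address, same e-mail.
    returning = {"name": "Maria Lopez-Garcia", "dob": "1984-03-12",
                 "address": "44 Veteran Ave, Los Angeles", "email": "mlopez@example.edu"}
    # Sparse claim that fits two people with the same birthday.
    sparse = {"name": "M. Lopez", "dob": "1984-03-12"}
    for ctx in CONTEXTS:
        print(ctx, "returning ->", resolve(returning, ctx))
        print(ctx, "sparse    ->", resolve(sparse, ctx))
```

The two claims show the behaviours described above: the returning employee is linked to the existing UID despite the changed name and address because several independent fields still agree, while the sparse claim that fits both Lopez records is rejected for transcript release but only flagged for review when the question is whether to issue a new UID.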

Coincidentally, on another front, one of the provisions of California bill AB1168, which went into effect January 1, 2008, requires the California Office of Privacy Protection to convene a task force to examine all aspects of the use and protection of SSNs in higher ed in the state, with a final report due July 2010.

Lessons learned in notification of a large breach

On March 21, 2007, Jim Davis, UCLA’s AVC-IT and CIO, testified at a hearing chaired by Senator Dianne Feinstein entitled Identity Theft: Innovative Solutions for an Evolving Problem. Senator Feinstein is proposing S.239, similar in principle to SB1386, enacted in California in 2003 - the first breach notification law in the country. Jim’s testimony, Lessons Learned from Notification of a Large Breach, covered the lessons UCLA learned from its 2006 breach of SSNs. Other witnesses spoke to other facets of notification.