Protecting Student Information
What is PII? PII, as in “easy as pie” or is it the number for Õ (3.14159)?
Actually, for today’s purpose, PII is Personally Identifiable Information (PII) about a person maintained by an agency, including (1) any information that can be used to trace that person’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to and individual, such as medical, educational, financial and employment. (NIST SP 800-122)
Personally Identifiable Information is abundant on college campuses making them a target of hackers. February 18, 2014, the University of Maryland reported a breach of data systems by a computer security attach. The breached database included 287,580 records of students, staff, faculty and affiliated persons. The data accessed included names, date of birth, college ID and social security number. In March 2013, hackers accessed a database of student admissions records at Kirkwood Community College in Cedar Rapids, Iowa. Again, accessing name students personally identifiable information. (JCUL) This information is a hackers dream as they use it to establish false identities.
As Title IV participating institutions, our college president signs the Student Aid Internet Gateway Enrollment Agreement stating we “must ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.” Institutions are reminded that under various federal and state laws and other authorities, including the HEA; the Family Educational Rights and Privacy Act (FERPA); the Gramm-Leach-Bliley Act; and other state and privacy laws, they may be responsible for losses, fines and penalties caused by data breaches.
How can an financial aid offices help to minimize the risk of hacker getting access to student information? Below are a few things we can do:
- Keep your desk clean
- Shred documents containing PII
- Eliminate PII from local and shared drives
- Protect data
- Encrypt USB drives
- Encrypt hard drives on laptops and systems that store PII
- Store paper documents in a locked cabinet
- Do not leave document with PII unattended at printers
- Destroy your data securely
- Do not keep records forever – follow the retention policy
- Limit access to only those with a need to know
- Practice breach prevention
- Analyze breaches from other organizations
- Learn from their mistakes
- Adjust policies and procedures
- THINK before you post/send/tweet!
Use Strong Passwords
A password’s strength is related to (1) the number of different characters/numbers available (Variety); (2) How many of those characters/numbers you use (length); and (3) Whether or not you use dictionary words or common patterns.
For example: A password consisting of 7 characters (only letters) only takes a hacker 9 minutes to crack. A password 12 characters long (containing special characters, letters and numbers) will take a hack 7,545,667 years to crack. If you use actual words in your password that can be found in a dictionary or use very common patterns, regardless of the length of your password, it can be cracked in a few seconds to a few minutes. This is called Dictionary Attack. Do these dictionary passwords look familiar? Iloveyou password we1come 123456
Protecting students’ personally identifiable information is a huge responsibility for institutions. However, in the event of an actual or suspected breach of FSA applicant PII, the institution must immediately notify FSA at CPSSAIG@ed.gov.
Federal Student Aid: Protecting Student Information, IT Security Best business Practices Webinar; Keith Wilson, CIO, Federal Student Aid, U.S. Department of Education
GEN-15-18: Protecting Student Information
NIST National Vulnerability Database & National Checklist Program
Journal of College and University Law (Vol.41, No.2); College and University Data Breaches: Regulating Higher Education Cybersecurity Under State and Federal Law; Katie Beaudin
This Tip of the Month was provided by your RMASFAA Training Committee