1 Overview
This document expands on the Due Care section of the Policy on the Use of Social Security Numbers and provides specific standards of care for the use of social security numbers (SSNs). These standards are not exhaustive, and the Policy on the Use of Social Security Numbers remains the primary document regulating the use of SSNs at Tulane University. Please contact the Information Security Officer (security@tulane.edu) if you require more information.
2 Specific Standards of Care
To ensure compliance with the Policy on the Use of SSNs, the following standards should be adhered to:
2.1 Awareness
Those who are entrusted with SSN information must ensure it is protected from unauthorized disclosure in conformity with relevant regulations. The following federal and state laws/regulations apply:
- Louisiana Security Breach Notification Law
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- The Gramm-Leach-Bliley Act (GLB)
- The Privacy Act of 1974
2.2 Access
Access to SSNs should be strictly limited to only those who require the SSN information for the performance of their job responsibilities. The following measures should be observed:
- Data stewards who grant access to systems containing SSNs should ensure that users are trained and understand that they are responsible for maintaining the confidentiality of that data.
- Password protected screen savers and/or workstation-locking mechanisms must be employed when a workstation is left unattended.
- Take all appropriate steps to ensure visual and auditory privacy of SSNs.
2.3 Transmission
Sending SSNs via any insecure method (including the internet or by email) is prohibited. Departments should become familiar with methods of secure transmission and are required to use them when sending SSNs. Further, securing SSNs is not limited to electronic methods. Appropriate measures must be taken to ensure the confidentiality of fax and paper transmissions containing SSNs.
- All electronic transactions and transmissions – including emails or email attachments – containing SSNs must be encrypted.
- When SSNs are shared with a third party, there must be a written agreement with the third party to protect the confidentiality of the SSNs.
- SSNs should be removed from paper forms and faxes unless required by law as determined by the appropriate data steward.
- When SSNs are exchanged on paper, steps must be taken to ensure the numbers are not revealed. The SSNs must not appear in an envelope window.
- Fax transmissions over phone lines (fax to fax) are considered secure provided appropriate safeguards are in place when faxing SSNs: confirm that the recipient's fax number is correct and that the recipient will not leave the fax in an unsecured area. Fax transmissions involving computer networks (fax to computer, computer to fax, computer to computer) are not secure and must not include SSNs.
2.4 Storage
Organizational units must actively work to remove SSNs from electronic files, databases, images, and paper documents. Historical files, databases, documents, and images containing SSNs may be maintained provided access to them is limited and secure.
- SSNs should not be stored on a local workstation, laptop, floppy disk, CD/DVD, mobile device, USB flash drive, or any other portable storage device. If storing SSNs on such a device is necessary, the information must be encrypted and the device must be physically secured.
- Computer applications requiring SSNs must store the SSNs on a secure network server with up-to-date patches. The data should be encrypted to add another layer of security.
- Servers, tape and disk back-ups, and other electronic storage devices containing SSNs must reside in restricted and secure physical locations.
- Documents and forms containing SSNs must be stored in secure drawers/cabinets with appropriate security.
- Anyone working with paper that contains SSNs must take steps to secure that information.
2.5 Disposal
As SSNs are eliminated from the normal course of business, organizational units must follow these standards for secure disposal:
- Before disposal, steps must be taken to destroy portable electronic storage devices (such as floppy disks and CD/DVDs) containing SSNs.
- Before recycling or disposal, desktop, laptop, and server disks containing SSNs must be erased (scrubbed) using a degaussing device.
- Paper documents containing SSNs should be shredded locally.