The Importance of Protecting SSNs and Other Personal Non-Public Information

Copyright © 2005, University of Delaware
Last updated: 9/26/05

Because a person's SSN is so widely used as an identifier, identity thieves are always trolling for SSNs. The recent growth in identity theft underscores the importance of making sure that we reduce our reliance on SSNs and that we guard with vigilance those that we must, by law, collect.

The root of the problem is that SSNs have traditionally been used by public and private institutions in ways never intended when Congress passed the Social Security Act in 1935. Institutions use SSNs:

  • To help verify identity ("You forgot your account number? What's your SSN?").
  • To authenticate ("Your password is the last four digits of your SSN.").
  • To link data from several sources about any one person (credit reports, bank accounts, credit cards, medical records, etc.).

The amount of information collected and retained about each person and the number of connections between databases filled with personal information make it more important than ever that SSNs be used properly and stored wisely. Because an SSN is used to link so much data about a person, its use for verifying identity or authenticating an account needs to be eliminated. SSNs should not be collected or used except in cases where their use is mandated by law.

Many University departments may be using SSNs to identify people because "that's what we've always done." For example, does a department really need its student employees to list their SSNs on their bi-weekly time cards? Or do the faculty in your department know that posting grades with even partial SSN information is a violation of FERPA?

It is in the interest of the entire University community that we eliminate uses of people's SSNs as identifiers and that we do not collect and store SSNs except as required by law.