James Hilton, U.Va.'s Vice President and Chief Information Officer, Issues Message About Security

Jan. 17, 2007 -- Last month U.Va. experienced two incidents in which student social security numbers stored on computers were inadvertently exposed. Such occurrences can lead to identity theft, although there is no evidence this was the case for these two incidents. I write today to ask for your assistance in addressing this very important and urgent issue.

Due to the University's long-standing reliance on Social Security Number (SSN) as the ID number for individual students and employees, our most likely risk for exposure of sensitive information comes from lost, stolen, or hacked desktop and laptop computers that contain ID numbers. You can play a crucial role in addressing this problem by confirming that SSNs stored in files you have created are essential to your work. If you and your supervisor agree they are not essential, you should immediately delete the files, or at least the portions of those files that contain SSNs, wherever these files reside: your office laptop, desktop, or home computers; storage space allocated to you on central or departmental servers; or your electronic media (such as CDs). Paper copies should also be destroyed.

Although identity theft is not a new problem, the grand scale on which identities are stolen today is a relatively recent phenomenon. The popularity of the Web and electronic commerce has created online repositories of personal information which can be exposed through failures of computer software, hardware, and security systems. Often a SSN and name are all that is required for a criminal to secure large amounts of credit under false pretenses, ruining the victim's personal finances and reputation. More information on this serious and damaging crime is available at sites such as the FTC's Identity Theft site (http://www.ftc.gov/bcp/edu/microsites/idtheft).

The University takes the threat of unauthorized data exposure very seriously and is working on multiple fronts to ensure appropriate preventive measures are taken. The Oracle Human Resources System uses a six-digit number, in place of the previous system's use of SSN, to identify employees. These six-digit employee IDs are included on timesheets, as well as pay slips and other information available to employees via the online "Integrated System Self-Service" capability. (See http://www.virginia.edu/integratedsystem or your supervisor for details.) Where feasible, forms that request SSNs are being changed to request the six-digit ID number. Similarly, the use of SSN as student ID number is slated for elimination with implementation of the new student information system. In the interim, we are actively seeking ways to accelerate the process. For example, the Instructional Toolkit was modified last May to eliminate the display of student ID numbers. Individual students are now i
 dentified in the Toolkit primarily by means of their U.Va. computing IDs.

All faculty and staff are required to comply with University computing policies and procedures (available at http://www.itc.virginia.edu/policy), as well as applicable state and federal laws and regulations, governing the security and privacy of University data. I urge you to review these requirements periodically, as they may change with the changing environment. If you have not already done so, you should also take the time to complete the online security awareness training at https://whois.virginia.edu/security. Typical completion time is 15 to 20 minutes.

Information on how to secure your computer is available from the IT professionals from whom you normally obtain support (typically, your departmental computer systems administrator). Information is also available at http://www.itc.virginia.edu/security.

Suspected breaches of computer security, whether such a breach results from theft or other inappropriate access, should be reported immediately to your departmental system administrator and to ITC (http://www.itc.virginia.edu/security/reporting.html).

Each of us has an obligation to protect the sensitive information entrusted to us by our fellow community members. If we all play our roles diligently and responsibly, we will all be more secure. I thank you for doing your part.

Best regards,

James L. Hilton
Vice President and Chief Information Officer