Late last week one of my alma maters, the University of Central Missouri, reported that two printed computer reports containing 7000 students’ names, social security numbers, phone numbers, addresses, and birthdates were stolen from somewhere on the campus.
The two documents contained the personally identifiable information (PII) about 7,000 students enrolled for the summer of 2005 and the summer of 2006.
What really bothers me about this is that UCM didn’t even know the reports were stolen until police found the print reports in the possession of a person they had arrested! If the police had not stopped this crook for doing other crimes it is likely no one would ever have even known the reports were stolen. The crook could have been doing all sorts of nastiness with that information; and if he gave copies to his buddies, it’s very possible nastiness is yet to come.
In fact, the information on the reports had already been used to do bad things at the time the crook was arrested.
“It appears that at least seven individuals listed in the reports (and who have been contacted separately by UCM) have had their personal information used for fraudulent purposes. The theft is currently being investigated by UCM Police as well as the Warrensburg Police Department and the Federal Bureau of Investigation.”
Think about all the PII that is getting into malicious hands simply because no one even knew where that PII was to begin with! Just think: if the crook had not been arrested, it is possible that the information of all 7000 people could have been used fraudulently. And it’s possible copies are still out there, putting all 7000 still at risk; not just risk of identity fraud, but of real physical harm as well, considering the addresses were also on the reports.
UCM responded by putting some fairly good information about the incident on their website, along with an FAQ about it, which is usually a good idea for any organization experiencing a privacy breach.
Most business leaders, especially in business units, and in the legal office, just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. Infosec, IT and most privacy practitioners know the real deal; it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But, it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep from having it stolen, leaked or lost.
Organizations cannot forget to keep track of where their print documents containing PII are located. Keeping track would also lead to making far fewer hard copies, a plus for cutting down on paper as a bonus!
I’ve had meetings with lawyers, information security leaders, business leaders and IT leaders in the room discussing PII data flows during privacy impact assessments (PIAs), and there is always more than one person in the room who is surprised to hear not only where PII is being stored, but the very real possibilities for where it CAN and likely IS being stored, such as in email attachments, mobile computers, storage devices, business partner systems, and out back on printed papers in the dumpster.
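To make the inventory argument of the two paragraphs above concrete, here is a small PII discovery script. It is an added example, not code from the original post or from UCM; the three “documents” (an email attachment, a laptop spreadsheet export and a print spool file) are constructed sample data standing in for the storage locations listed above, and the file paths and function names are assumptions. It scans each location for social security numbers, labelled birthdates and phone numbers, applies the SSA’s published structural rules so that obviously unissued SSNs are not counted, and records which locations hold copies of the same SSN, which is exactly the question left open when copies of a stolen report may still be circulating.

```python
import re
from collections import defaultdict

# Constructed sample documents standing in for the storage locations named in the post.
# The SSNs, dates and phone numbers here are made up; 000-12-3456 is deliberately unissuable.
SAMPLE_DOCUMENTS = {
    "mail/attachments/summer2005_roster.txt": (
        "Student roster, Summer 2005\n"
        "Jane Doe, SSN 219-09-9999, DOB 03/14/1984, phone (660) 555-0142\n"
        "John Roe, SSN 000-12-3456, DOB 07/02/1985\n"
    ),
    "laptop/export.csv": (
        "id,name,ssn,phone\n"
        "1,Alex Poe,457-55-5462,660-555-0199\n"
        "2,Jane Doe,219-09-9999,\n"
    ),
    # A print spool file with dates and numbers but no PII: it must not show up in the inventory.
    "spool/print_job_17.txt": "Invoice PO-77812 total 1,234.56 due 12/31/2006\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# A bare date is not PII; only dates carrying a DOB label are treated as birthdates.
DOB_RE = re.compile(r"\bDOB\s*((?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2})\b")
PHONE_RE = re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}-)\d{3}-\d{4}\b")


def is_plausible_ssn(area, group, serial):
    """Structural rules published by the SSA: area 000, 666 and 900-999 are never
    issued, and neither are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_document(text):
    """Return a dict of PII kind -> set of distinct values found in one document."""
    found = {"ssn": set(), "dob": set(), "phone": set()}
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found["ssn"].add(m.group(0))
    for m in DOB_RE.finditer(text):
        found["dob"].add(m.group(1))
    for m in PHONE_RE.finditer(text):
        found["phone"].add(m.group(0))
    return found


def build_inventory(documents):
    """Map each location to the kinds and counts of PII it holds, and each SSN to every
    location holding a copy of it, so copies can be traced rather than merely counted."""
    inventory = {}
    copies = defaultdict(set)
    for location, text in documents.items():
        found = scan_document(text)
        if any(found.values()):
            inventory[location] = {kind: len(vals) for kind, vals in found.items() if vals}
        for ssn in found["ssn"]:
            copies[ssn].add(location)
    return inventory, dict(copies)


def affected_people(copies):
    """Number of distinct individuals exposed, using the SSN as the person identifier."""
    return len(copies)


if __name__ == "__main__":
    inventory, copies = build_inventory(SAMPLE_DOCUMENTS)
    for location, kinds in inventory.items():
        print(location, kinds)
    for ssn, locations in copies.items():
        print(ssn, "present in", sorted(locations))
    print("distinct people exposed:", affected_people(copies))
```

Run against the constructed documents, the roster attachment yields one counted SSN (the 000-area one is rejected), two birthdates and one phone number; the laptop export yields two SSNs and one phone number; the spool file, which contains only an invoice date, is left out of the inventory entirely. The copy map shows the same SSN in both the attachment and the export, which is the kind of finding that surprises the people in the PIA meeting: one report, many copies.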
Tags: awareness and training, identity fraud, identity theft, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy breach, privacy training, risk management, security training