Instead of focusing on protection methods, one organization set out to limit the amount of sensitive data it collected.
A few months ago, Massachusetts enacted a data breach law that many consider the strictest of the 45 breach statutes passed thus far by U.S. states. The law emphasizes the importance of examining the processes by which a customer’s personally identifiable information (PII) is collected by a company, looking not only at the security but also at the necessity of collecting the sensitive data.
The law has generated increased interest in data security tools, such as laptop encryption and data loss prevention technology. But there may be a simpler approach: securely deleting PII that isn’t strictly necessary in the organization.
The Massachusetts Institute of Technology (MIT) is taking this low-tech path after becoming frustrated with technology’s inability to reliably protect PII—perhaps an ironic outcome for a technology institute. “Trying to protect PII is like plugging up holes in a dyke,” says Allison Dolan, head of PII security at MIT.
When MIT began examining its data files, the school discovered that it had collected far more PII over the years than it needed, as well as a lot it did not know it had. The university decided that it would focus on one kind of common PII: Social Security numbers (SSNs). Using a tool called IdentityFinder, from New York City-based Velosecure, the university scanned its main servers containing student data and found it had retained student SSNs that it didn’t need.
Next, the school sought to assess how it collected data. From the initial scan, it was apparent that one policy—giving applicants the option of including an SSN on applications and then storing the documents for years—collected far more PII than needed. The policy was changed soon thereafter.
Finding less obvious collection methods involved a considerable amount of outreach. Dolan and her staff spoke with hundreds of employees throughout the university, meeting with them individually and in small groups to discuss what information was collected and how it was used. Dolan and her staff also expressed to employees that unless they saw a strong need for the information, it did not make sense to collect or retain it.
The goal was not to tell personnel that they could not have such data but rather to make sure that they understood they had to protect it if they chose to ask for it, says Dolan. Out of 300 people interviewed, only two wanted to keep the data.
During the interview process, Dolan also found that it was the front-line staff, rather than managers, who really could describe the data-collection processes. Some of the most valuable information came from staff in accounts payable, Dolan says. The interviews also gave Dolan a chance to suggest ways to change or discontinue data-collection processes.
Dolan also encouraged departments to use IdentityFinder, which did not at the time have an enterprise version. The enterprise version, now available, can scan through multiple systems and then produce a report showing where the tool was run, what data it found, and what data the tool had securely deleted or encrypted. The scanner also recently became available for use on the Macintosh OS.
The MIT project, though time-consuming, considerably lightened the university’s PII protection load. A similar approach could make sense for other organizations that want to avoid PII liability concerns.
CORRECTION: The original and print version of this article misidentified the head of PII security at MIT. Her name is Allison Dolan. It has been corrected in the text.