Date: Mon, 30 Aug 2010 10:32:06 -0500
Conversation: Update on Information Privacy Leak
Subject: Update on Information Privacy Leak
As you are aware from our email on August 27, 2010, a file containing private information (social security number) of individuals authorized to drive university vehicles was inadvertently sent to 144 faculty and staff on August 26, 2010.
The university is in the process of assessing the extent of the exposure, the risk associated with that exposure, and short/long-term action items which need to be implemented.
Information we have to this point is that the file contained a total of 2484 individual records. Of those individual records, 2410 had valid social security numbers, and 1752 of those records belonged to individuals who have active records in the human resources system. The source of those records was a local database in the Travel Office that was being maintained to report authorized drivers to the state.
Social Security numbers were collected on paper during the registration process to register drivers with the Arkansas Department of Finance and Administration. The reason for collecting social security numbers is rooted in the fact that up until the year 2000, the State of Arkansas used the social security number as the driver’s license number.
The database containing this information has been removed from the file server and social security numbers are being deleted. The Arkansas Department of Finance and Administration has concurred that it no longer needs social security numbers to validate driving records. Any future reports will not include social security numbers.
The file has been manually removed from the original 144 recipients plus those to whom it was forwarded.
Network controls to prohibit further distribution of the file in question have been established.
In order to assist affected individuals during this period, an incident response site is being established to provide updated information to the university community and also to provide access to tools and services in for protecting one’s identity. The location of the site will be announced via email during the afternoon of August 30, 2010.
In addition to the response website, the university is also determining what appropriate protective measures should be provided for affected individuals. The availability of the services will be communicated on the incident response site and directly with affected individuals.
Thank you for your patience during this period. Please feel free to contact our office should you need additional information.
Information Technology Services