October 5, 2006

Dear Faculty Members and Graduate Teaching Assistants,

I am writing to enlist your help. A number of recent security breaches make it clear that we need to do more to protect confidential data. By law, in most of these cases, we must notify the individuals that their information may have been acquired by an unauthorized person. Such notices are difficult, costly, and reflect poorly on Cal Poly. The most recent instances were unintentional and resulted from home and auto burglaries of computers containing student records.

The ITS folks have developed the following recommendations meant to minimize the threat of identity theft resulting from loss of data that includes social security numbers. Your help will be greatly appreciated. Thanks.

Although the campus is removing the social security number as the primary identifier for students and in 2004 removed this number from the class lists, historical data (electronic and paper) remains a concern. (Note: Class lists and grade rosters starting with Fall Quarter 1970 included the student social security numbers.) Therefore, we are asking for you to protect students and alumni from identity theft by taking the following actions.

ELECTRONIC DATA
- Review any class lists and grade rosters for social security numbers that may be contained on your computers or computer storage devices (flash drives, CDs, diskettes, etc.).
- If you need to maintain that information on your computer, go through each list and delete the column that has social security number on it. Don't just hide it or encrypt it.
- If you don't have a need to maintain the data, delete all the information from your computer and storage devices.
- Empty the trash/recycle bin if your deleted files go there.
- Be especially careful with notebook computers; and minimize or eliminate confidential information.

PAPER DATA
- Review any class lists and grade rosters for social security numbers that may be contained in your files.
- If you need to maintain that information, assure the security of the information by: "blacking out" the personal information or store in a secure area (e.g., locked file cabinet, restricted room access, etc.).
- If you don't have a need to maintain the paper data, have the material shredded. Do not recycle them.

For those of you who have taught for many years, this may be a large task. However, the time will be well spent if by taking these actions we reduce our exposure for the possibility of another security breach.

REMINDER
- The Office of Academic Records maintains the official copies of grade rosters should you need them.
- All individuals (student, faculty, staff, consultant, contractor or any other individual) with access to confidential information are responsible for immediately reporting a security breach to the campus Information Security Officer.

If you don't have a need for confidential information, don't keep it.
If you have the need for confidential information, protect it.

DATA SECURITY AND STUDENT RECORDS
OCTOBER 2006
All instructional staff, faculty, department heads, and deans are encouraged to attend the Fall Information Security Forum. The forum will answer frequently asked questions regarding student data.

Information Security Forum
"Student Data FAQs"
Where: Philips Hall (Performing Arts Center)
When: Friday, October 27, 2006; 11 to noon

For more information about information security, including campus security breaches visit http://www.security.calpoly.edu

William W. Durgin, Provost and
Vice President for Academic Affairs