How Cornell Plans To Purge Campus Computers of Personal Data 164
and so forth writes "Cornell lost a laptop last year with SSNs. Now, they've mandated scanning every computer at the University for the following items: social security numbers; credit card numbers; driver's license numbers; bank account numbers; and protected health information, as defined by HIPAA. The main tools are Identityfinder (commercial software for Windows and Mac), spider (Cornell software for Windows from 2008) and Find_SSN (python script from Virginia Tech). The effort raises both technical questions (false positives, anyone?) and practical issues (should I trust closed source software to do this?). Have other Universities succeeded at removing confidential data? Success, here, should probably be gauged in terms of diminished legal liability after the attempted clean up has been completed." Note: this program affects the computers of university employees and offices, rather than students' personal machines.
This is easy (Score:4, Interesting)
After logging off, revert to the last backup. If there's no data on the computer, there's no personal data on the computer. Anything you need saved goes on removable storage.
Actually, storing no data can be a good thing (Score:3, Interesting)
In an age of always-connected, treating computers as "smart terminals" with no long-term local storage save an encrypted self-destructing-on-wrong-password cache can be very useful.
Re:What does "computers of university employees" m (Score:4, Interesting)
http://www.newsobserver.com/2010/10/14/739551/unc-cancer-scientist-appeals-her.html [newsobserver.com].
Re:What does "computers of university employees" m (Score:3, Interesting)
b) Sign this waver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc.
Unless he then shoves the waiver up the manager of the IT department's nose, that waiver won't do anything, the IT department will refer him to a secretary who will refer him to some policy and the comittee for something or other who will meet once a year and won't discuss it with him. Universities are usually more bureaucratic and inflexible than your local DMV.
Which is why Cornell will try to scan every computer on campus, not just those ones which are likely to have student or employee information on them. Got an apple IIe running a very old but still functional instrument? It may be more convinient to just lie to the IT department. Some are understanding, whereas others would insist you get a new computer. If you would have to spend $10k to replace the equipment, that's not really their department.
Re:What does "computers of university employees" m (Score:5, Interesting)
Then the correct policy is "Don't haphazardly store personal data on machines without considering what you are doing". There is no reason to barge into Dr. Smith's office, who's madly creating his slides for the conference next week while trying to babysit a supercomputer at Berkeley while fending off emails from his students, and insist in a very bureaucratic tone that you have to scan his workstation, the RAID, his other computer, his student's computer, and the two computers used to monitor various instruments (which the other students are taking data on) for SSN's.
Unfortunately, Dr Smith is taking his laptop to the conference. He's much too busy to go on travel without taking all of his data with him on the laptop, such as his students grading info (SSNs) or info on the other proprietary projects he's working on. He he's too important to worry about such trivialities such as data protection policies issued by those idiots on the Board of Directors. After all drive encryption slows things down too much he hears, but in truth he doesn't know how to set it up. Of course his laptop gets stolen and now the University has to report that data was compromised. Suddenly Dr Smith is no longer an asset to the university but rather a liability.
Sorry, but anyone who has worked in IT or even law enforcement knows damn well that users will ignore written policies unless there is some level of monitoring and enforcement. Just scroll up a bit and you'll see examples of those guys posting stuff like "just store the ssn as an integer so they scripts don't find it".
Re:Actually, storing no data can be a good thing (Score:3, Interesting)
That is, until you, as a professor, go to the slopes of Mt. Kilimanjaro for a month to do research. At that point, the assumption of 'always connected' is incorrect, and you must carry data with you. Frequently, you must also carry some forms of student information, too, in order to respond to emails that you get from students when you are in town at the internet cafe once per week.