SSN Scanning

We (the College of Pharmacy) are scanning our file servers for files containing SSNs (Social Security Numbers). This is part of Purdue's ongoing SSN remediation efforts. Currently, we are automatically scanning the Pharmacy file server every weekend, and e-mailing reports to users whose files appear to contain SSNs.

If you have (or appear to have) SSNs in your files on the file server, you will receive an e-mail report each weekend telling you what was found, and asking you to remediate the files. You have several options for files that contain SSNs:

1. Delete the files. This is the easiest option, and the best choice if you don't need the files any more. (While you are there, see if you can get rid on any other files in that same location!)
2. Remediate the files - keep the files, but delete the SSNs. This allows you to keep all of the information in the file, except the SSN itself.
3. Keep the files as they are, if you have a legitimate need to have SSNs. But do drop us a note stating which files you need to keep and why, so that we know that you have looked at them.

Some common questions:

Why are you doing this?

Partly because it is good practice, and partly in response to several new state laws. Be advised that as of July 1, 2006, the State of Indiana provides criminal penalties for the disclosure of SSNs, even by negligence (see http://www.in.gov/legislative/ic/code/title4/ar1/ch10.html).
 
Purdue talks about Social Security Number remediation at https://www.purdue.edu/apps/account/IAMO/Purdue_PUID_SSN_Remediation.jsp, and Purdue's Social Security Number policy is online at http://www.purdue.edu/policies/pages/information_technology/v_5_1.html.

What should I do with the files?

If you have (or appear to have) SSNs in your files on the file server, you will receive an e-mail report each weekend telling you what was found, and asking you to remediate the files. You have several options for files that contain SSNs:

1. Delete the files. This is the easiest option, and the best choice if you don't need the files any more. (While you are there, see if you can get rid on any other files in that same location!)
2. Remediate the files - keep the files, but delete the SSNs. This allows you to keep all of the information in the file, except the SSN itself.
3. Keep the files as they are, if you have a legitimate need to have SSNs. But do drop us a note stating which files you need to keep and why, so that we know that you have looked at them.

What about scanning workstations?

This is an excellent question, and the answer is "we're working on it". There are a number of SSN-scanning tools available, and Purdue (actually, Krannert School of Management) is developing one in-house. When we have one selected, we'll notify everyone and/or start scanning workstations automatically. For those of you who work off-campus, such as PHPR staff in Indianapolis, we will find a way to get the scanning tool to you.

How does this scan work?

First, we generate a list of all users on the file server. We loop over the list of users, and list all of the files in their home directory. We check the type of each file, and scan them for SSNs. Certain files are omitted, mostly picture formats. When we find SSN's, we make a list for each user.
 
After scanning the home directories, we then scan the shared file area. When we find a file there with SSNs, we determine who owns the file and add it to the appropriate list.
 
After scanning the shared file area, we e-mail all of the lists that have been generated to the appropriate users, clean up after ourselves, and wait for the next week.

Is the scan complete?

No. We can't scan files such as encrypted archives, and also can't identify PICTURES of SSN's, such as scanned documents. This system is advisory only; just because we don't find anything does not necessarily mean there is nothing there.

You said you found SSNs in my files, but I can't find them. What should I do?

Look in the files' metadata (File -> Properties). Things are often put there without your knowing it. Also see the instructions under "I thought I removed the SSNs from my files, but the scan says they are still there", below.

Your e-mail said you found a SSN in a picture. What's up with that?

Our automated scanning system is not perfect, and a large binary file (such as a picture) may very well contain data that matches the SSN pattern (###-##-####) without actually being a SSN. We check the file type of each file before scanning it; unfortunately, some files come back with answers such as "data", which is sufficiently vague that we scan it for safety.
 
You have a couple of choices:

1. Delete it, if you don't need it
2. Open it with the latest version of the software you used to create it and save a new copy, which should rewrite the file headers and let us to correctly identify it.
3. Do nothing, and get an email every week. We have written an exceptions system for the file server; tell us and we can exempt your false-report files from the scan.

I thought I removed the SSNs from my files, but the scan says they are still there. I can't see them; what should I do?

Depending on what type of file you have, the information may be stored in one of several places, or it may be kept as part of the change log within the file. Try the following:
 
For Adobe Acrobat (.pdf) files:
Open the file and say "Save as". Save the file over itself ("Save as" with the same filename). This will remove any form-field-change information in the PDF, removing the SSN and often making the file considerably smaller.
 
For Microsoft Word (.doc) and Excel (.xls) files:
For the XLS and DOC files, turn off revision control and/or tracking of changes, then save the file:
Tracking Changes: Tools -> Track Changes
If the word "Shared" appears in square brackets in the title bar when you have the document open, go to Tools -> Shared Workspace and turn off change-tracking there, under the Advanced tab.

I don't keep my files on the file server; what should I do?

Either put them there, or wait for the workstation scanning system.