Identity Theft Protection
Updated: January 27, 2025
1. Purpose
1.1 This regulation governs the collection, use, security, and disclosure of Social Security Numbers (SSNs) and Personal Identifying Information (PII) by East Carolina University (ECU).
2. Definitions
- 2.1. Personally Identifiable Information (PII) – Any representation of information that permits the identity of the individual to whom the information applies to be reasonably inferred by either direct or indirect means.
- 2.2. PII – specific to the State of North Carolina, all “identifying information” as defined by NC Gen. Stat. § 14-113.20(b) and vehicle license plate numbers. “Identifying information” is defined by G.S. §14-113.20(b), as limited by NC Gen. Stat. §132-1.10 to include:
- 2.2.1. Social security or employer taxpayer identification numbers
- 2.2.2. Driver’s license, state identification card or passport numbers
- 2.2.3. Checking account numbers
- 2.2.4. Savings account numbers
- 2.2.5. Credit card numbers
- 2.2.6. Debit card numbers
- 2.2.7. Personal Identification Number (PIN) code as defined in G.S. 14-113.8(6)
- 2.2.8. Electronic identification numbers, electronic mail names or addresses, Internet account numbers or Internet identification names
- 2.2.9. Digital signatures
- 2.2.10. Any other numbers or information that can be used to access a person’s financial resources
- 2.2.11. Biometric data
- 2.2.12. Fingerprints
- 2.2.13. Passwords
- 2.2.14. Parent’s legal surname prior to marriage
- 2.3. Protected Health Information (PHI) – individually identifiable health information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of a subject, the provision of health care to a subject, or the past, present, or future payment for the provision of health care to a subject and that identifies the subject, or with respect to which there is reasonable basis to believe the information can be used to identify the individual. For specifics regarding PHI, refer to ECU’s HIPAA Permitted Uses and Disclosures of Protected Health Information (PHI) rule.
3. Regulations
- 3.1. SSNs and PII may only be collected, used and/or disclosed by ECU and its employees and agents as permitted by applicable law and university policy and only in furtherance of legitimate university business.
- 3.2. Technology Security Assessment (TSA)
- 3.2.1. If applicable, requests for the collection, use, and/or disclosure of SSNs and PII may need to be evaluated by Information Technology and Computing Services (ITCS). This evaluation process includes the submission of the University’s TSA document or ITCS’s acceptance of supplemental documentation from the vendor/application owner in lieu of a TSA. Contact ITCS to determine if a TSA will be required.
- 3.3. Identity Theft Protection Committee (ITPC)
- 3.3.1. To implement and ensure compliance with the legal requirements governing SSNs and PII (including, but not limited to, those discussed in sections 3 and 4 of this regulation), ECU has established the Identity Theft Protection Committee (ITPC) to oversee ECU’s compliance with respect to the collection, segregation, disclosure, and security of SSNs and other PII and the development of related policies. The ITPC is also responsible for approving the collection and use of SSNs and other PII in cases where that collection and use is not already directed or permitted by applicable state or federal law or directives. In all cases, including those where the collection and use of SSNs and other PII are already directed or permitted by such higher authority, the ITPC is responsible for reviewing and approving the manner of collection, storage, and transmittal of SSNs and other PII to ensure that adequate controls are in place to protect the sensitive data. Membership of the ITPC shall include at least one representative from each university division, as well as other personnel who have specific expertise directly relevant to the committee (such as legal, FERPA, HIPAA, security, etc.). The divisional representatives shall be appointed by the Vice Chancellor of their respective division, or by the Chief of Staff for the Chancellor’s Division, and have delegated authority to make recommendations and implement approved processes to maintain compliant use of SSNs and PII within their respective division. A list of ITPC members is located on the Office of Institutional Integrity (OII) web page.
- 3.4. State Privacy Act (SPA) Restrictions
- 3.4.1. Pursuant to the State Privacy Act, no individual shall be denied any right, benefit, or privilege provided by law because of that individual’s refusal to disclose his/her SSN, unless the disclosure is requested pursuant to the requirements of a statute.
- 3.4.2. All individuals from whom SSNs are solicited shall be informed of:
- 3.4.2.1. whether or not the requested disclosure is mandatory or voluntary;
- 3.4.2.2. by what statutory or other authority the SSN is being solicited;
- 3.4.2.3. what uses will be made of the SSN.
- 3.5. North Carolina Identity Theft Protection Act of 2005 Restrictions
- 3.5.1. The North Carolina General Assembly enacted the North Carolina Identity Theft Protection Act in 2005 (NCIDTPA). The NCIDTPA imposed restrictions on the collection and segregation of SSNs and upon the disclosure and security of SSNs and PII as follows:
- 3.5.1.1. Pursuant to N.C. Gen. Stat. § 132-1.10(b)
- 3.5.1.1.1. SSNs shall not be collected from an individual unless ECU is authorized by law to do so or unless the collection of the SSN is otherwise imperative for the performance of ECU’s duties and responsibilities as prescribed by law. SSNs collected by ECU must be relevant to the purpose for which they are collected and shall not be collected until and unless the need for the SSN has been clearly documented.
- 3.5.1.1.2. When collecting a SSN from an individual, the SSN must be segregated on a record in an appropriate manner that permits the SSN to be easily redacted in the event of a public records request.
- 3.5.1.1.3. When collecting an SSN from an individual, ECU shall provide that individual, upon request and at or before the time of collection, with a statement of the purpose or purposes for which the SSN is being collected and used.
- 3.5.1.1.4. ECU shall not use an SSN for any purpose other than the purpose stated.
- 3.5.1.1.5. SSNs and/or PII shall not be intentionally communicated or otherwise made available to the general public. SSNs and PII are confidential except where disclosure is otherwise permitted by law.
- 3.5.1.1.6. SSNs shall not be intentionally printed or embedded on any card required for an individual to access ECU services.
- 3.5.1.1.7. An individual shall not be required to transmit his/her SSN over the Internet unless the connection is secure or the SSN is encrypted.
- 3.5.1.1.8. An individual shall not be required to use his/her SSN to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website.
- 3.5.1.1.9. SSNs shall not be printed on any materials that are mailed to an individual unless state or federal law requires the SSN to be on the document to be mailed. A SSN that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
- 3.5.1.2. Pursuant to N.C. Gen. Stat. § 132-1.10(c)
- 3.5.1.2.1. SSNs and PII may be disclosed to another governmental entity or its agents, employees, or contractors if the disclosure is necessary for the receiving entity to perform its duties or responsibilities. The receiving governmental entity and its agents, employees, and contractors shall maintain the confidential and exempt status of such numbers.
- 3.5.1.2.2. SSNs and PII may be disclosed pursuant to a valid court order, warrant, or subpoena. Please contact the Office of University Counsel if a court order, warrant, or subpoena is served.
- 3.5.1.2.3. SSNs and PII may be disclosed for public health purposes pursuant to and in compliance with Chapter 130A of the General Statutes.
- 3.5.1.3. Unauthorized Access or Disclosure of SSNs and PII. Any time it is believed that SSNs and/or PII maintained by ECU have been subject to unauthorized access or disclosure by an unauthorized party, the incident should be reported immediately to the Information Security Officer and OII.
- 3.6. Family Educational Rights and Privacy Act (FERPA) Restrictions
- 3.6.1. Student SSNs and PII maintained by ECU are education records pursuant to FERPA. As such, student SSNs and PII may not be disclosed except as permitted by FERPA. Generally, express written permission from the student is required for disclosure of this information to a third party. Please contact the University Registrar with questions.
- 3.7. Health Insurance Portability and Accountability Act of 1996 (HIPAA) Restrictions
- 3.7.1. SSNs are also considered “protected health information” (PHI) under the HIPAA Privacy Rules. As such, the use and disclosure of SSNs are subject to other restrictions and the ECU rules that govern the use and disclosure of PHI. Please contact the ECU HIPAA Privacy Officer with any questions related to the proper use and disclosure of SSNs and PII under the HIPAA Privacy Rule. Information can also be found on the ECU HIPAA website at https://hipaa.ecu.edu/.
- 3.8. Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) Restrictions
- 3.8.1. The university is governed by the breach notification requirements of the HITECH Act. The Act requires the implementation of additional security controls to minimize the risk of data security breaches of PHI. SSNs, considered PHI under HIPAA Privacy rules, are also subject to those additional security controls and thus use and storage of SSNs are further restricted. Please immediately contact the HIPAA Privacy Officer if you are aware of a possible breach involving PHI. Any questions related to the proper use and storage of SSNs and PII under HIPAA may also be so directed. Information can also be found on the ECU HIPAA website at https://hipaa.ecu.edu/.
4. Procedure
- 4.1. Collecting Social Security Numbers
- 4.1.1. Unless specifically authorized by the ITPC, no university entity or employee shall create a form or electronic template that requires or contains an SSN for any purpose. This prohibition includes the creation of databases, reports, internal spreadsheets, or other documents that contain SSNs. SSNs will no longer be used as the university identifier. Requests for ITPC review and approval must be submitted using the SSN and PII Use Request form within TeamDynamix. Any forms or templates for which approval is sought can be attached to the request.
- 4.1.2. For approved forms and electronic templates used for the collection of SSNs, a disclosure statement compliant with the provisions of the State Privacy Act and UNC Policy 1300.5[G] must be used. Compliant template disclosure statements may be copied and pasted electronically by accessing the document entitled, Disclosure Statements for Collecting SSNs, located under ITPA on the OII website.
- 4.2. Segregating/Separating Social Security Numbers
- 4.2.1. Pursuant to law, each university entity that properly collects SSNs must segregate/separate SSNs from the rest of the record in some manner that permits SSNs to be easily redacted/removed in the event of a public records request. For example, if a department appropriately collects SSNs in a document or form, the SSN should be on a line by itself so that it can be easily redacted/removed without affecting public information on the document or form. SSNs shall not be included in header or footer information or as part of the document file name.
- 4.3. Disclosing SSNs and PII
- 4.3.1. Pursuant to law, university entities may not intentionally communicate or otherwise make available to the general public a person’s SSN or PII. SSN and PII are confidential.
- 4.3.2. Disclosures of SSNs or PII to university vendors, contractors, or other external entities must be reviewed and approved in advance by the ITPC. The vendor, contractor, or external entity must complete a form certifying its compliance with applicable law. This form is available from the ITPC and may be accessed online under ITPA on the OII website. Upon execution, departments must maintain a copy of this form in their files. The collection of SSNs or PII on behalf of, or as requested by, another state or federal government entity must be reviewed and approved in advance by the OII and the Office of University Counsel.
- 4.3.3. If a court order, warrant, or subpoena demanding the disclosure of SSNs or PII is served upon an ECU employee, that employee should immediately contact the Office of University Counsel. Requests for ITPC review, approval, and disclosure of SSNs or PII must be submitted using the SSN and PII Use Request form within TeamDynamix.
- 4.4. Securing Social Security Numbers and Personal Identifying Information
- 4.4.1. University entities authorized by the ITPC to maintain SSNs or other PII must utilize security measures to protect this information. Proper security measures include but are not limited to locked filing cabinets and offices, password-protected electronic files, and electronic encryption measures. Guidelines for protecting SSNs can be found on the ITCS website.
- 4.4.2. University entities and individuals not authorized by the ITPC to maintain SSNs or PII, or which are not seeking ITPC approval, should immediately and properly delete and/or destroy SSNs and PII from every source, wherever located and in whatever form. Guidelines for deletion can be found on the ITCS website.
- 4.4.3. Guidance for the storage of SSNs or PII on local computers, laptops, portable devices, or home/personal computers and/or electronic devices is provided in the Mobile Computing Regulation.
- 4.4.4. SSNs or PII may not be sent electronically (by e-mail or otherwise) unless such data is encrypted and only if SSN use is authorized by the ITPC. Guidelines on encryption may be found on the ITCS email encryption web page.