Chances are you’ve heard that Massachusetts passed data protection regulations earlier this year. Enacted to safeguard residents from identity theft and fraud, these regulations went into effect on March 1. Among other things, they define how businesses and other entities should handle selected types of personal information.
To protect the personal information MIT collects and to comply with the new requirements, a campus-wide Written Information Security Program (WISP) has been developed. It includes administrative, technical, and physical safeguards for this type of data.
PIRN: It’s personal
PIRN (Personal Information Requiring Notification) is an MIT acronym and refers to the data covered by the Massachusetts regulations. It includes a person’s name combined with a Social Security (SSN), a driver’s license or Massachusetts-issued ID number, or a financial account number, including credit and debit card numbers. If PIRN is exposed, MIT must notify the affected individual(s).
Knowing where it is
We should all pay special attention any time PIRN crosses our desks — either in paper or electronically — and we should note when it shows up in areas where it may not be needed for business purposes. The WISP broadly describes roles and responsibilities for managing PIRN. For instance, it requires reviews of business processes and systems to understand when PIRN is required, who needs to see it, and how long it needs to be retained. If you have a question about why you are seeing PIRN, or whether you need to keep it, talk with your manager or send email to firstname.lastname@example.org.
You can’t lose what you don’t have
There are three easy ways to reduce risk with respect to personal data:
- Avoid asking for and collecting PIRN unless you know it is required, and provide feedback to those who give you unsolicited PIRN.
- Redact (obscure or cut out) PIRN from paper or electronic files that you need to keep.
- Securely destroy any files you no longer need.
If you have to keep PIRN, the Massachusetts regulations — and MIT’s WISP — require additional protections, including installing whole disk encryption on laptops or other portable devices containing PIRN and encrypting data files containing PIRN when transmitted across a public network.
Resources and support
To increase awareness of information security practices and to find resources that can prevent you and others from becoming victims of identity theft and financial fraud, see the Protecting Sensitive Information web site. If you have questions about the new Massachusetts regulations or are concerned that paper or electronic files with PIRN may have been compromised, send email to email@example.com.