Private Information Management FAQ
WHAT IS THE PRIVATE INFORMATION MANAGEMENT INITIATIVE?
The Private Information Management Initiative (PIMI) is a program where RIT Information Technology Services helps RIT faculty and staff scan their computers and attached drives to determine if they contain Private Information (PI). When PI is found, each RIT faculty and staff member is responsible for remediating the Private Information by scrubbing or shredding the files.
The program also includes destruction of paper files containing nonessential PI.
The goals of the program are to identify and reduce the amount of Private Information at RIT. This reduction will help safeguard the RIT community against identity theft and will help RIT comply with relevant state and federal laws.
WHAT IS PRIVATE INFORMATION?
New York State defines Private Information (PI) as:
any personal information concerning a natural person combined with one or more of the following data elements: Social Security number (SSN), driver's license number, account number, or credit or debit card number in combination with any required security code. These combinations of information are often used in identity theft.
The New York State Information Security Breach and Notification Act requires that RIT notify affected consumers if their Private Information is compromised.
WHY IS RIT SCANNING MY COMPUTER OR DRIVE FOR PRIVATE INFORMATION?
RIT is scanning your computer or drive because scans have revealed Private Information on many computers, even when the computer owners did not believe any was present. We want to reduce the potential for identity theft occurring as a result of information obtained from RIT computers.
HOW IS RIT AUTHORIZED TO SCAN MY COMPUTER?
It is important to note that ITS may inspect the results of the scan only to aid in remediation efforts.
ARE OTHER UNIVERSITIES DOING ANYTHING SIMILAR?
Many universities scan for Private Information on computers connected to their networks and have begun remediation of paper files and other media containing Private Information.
WHAT ARE MY RESPONSIBILITIES IN THE PRIVATE INFORMATION MANAGEMENT INITIATIVE?
Your responsibilities as faculty or staff may be found here.
SCANNING AND RESULTS
HOW WILL RIT SCAN MY SYSTEM?
Your computer is scanned by Spirion (formerly Identity Finder) software installed on your computer. The scans will be initiated from a central scanning server administered by ITS. Spirion also allows you to initiate an on-demand scan. You do not have to be connected to the network to initiate an on-demand scan.
WHAT DO I DO IF THE SCAN IS SLOWING DOWN MY COMPUTER OR I WOULD LIKE TO PAUSE IT TEMPORARILY?
It's easy to pause Spirion so that it doesn't significantly impact your productivity. Go to your system tray, right-click on the Spirion icon (Ctrl-click for Mac) and choose Maximize. Then click on the Pause button. When you're ready to resume the scan, click on Resume.
WHAT HAPPENS WHEN SPIRION FINDS PRIVATE INFORMATION?
Spirion will generate an interactive report of suspected Private Information matches. Directly from that report, its tools let you securely erase the files or remove the Private Information (e.g., Social Security Number, Bank Account Number, Credit Card Number or Driver's License) from them. You may also identify "false positives" by choosing "Ignore" within Spirion. ITS may verify that the ignored files do not contain Private Information.
I'VE COMPLETED A SEARCH AND SPIRION IS ASKING ME HOW TO PROCEED. WHAT SHOULD I DO?
When Spirion completes its search, review the list of results to begin Shredding or Scrubbing Private Information and Ignoring "false positives."
HOW DO I SHRED, SCRUB, OR IGNORE A MATCH?
You can choose shred, scrub, or ignore by right-clicking on the check box next to the entry and choosing from the options available. NOTE: not all options are available for all file types. Process the entire list before closing Spirion.
WHAT DO I DO IF SPIRION DOESN'T FIND PRIVATE INFORMATION?
If Spirion completes its search and no Private Information is found, close Spirion.
I AM UNABLE TO "SHRED" A FILE IN SPIRION. WHAT SHOULD I DO?
If you are unable to "shred" a file containing Private Information, you may not have the permissions in Windows that allow Spirion to "shred" it. Contact the ITS Service Desk and ask them to log in to Spirion as admin and securely "shred" the file.
I AM UNABLE TO "SCRUB" A FILE IN SPIRION. WHAT SHOULD I DO?
Spirion provides a scrub option that works only with specific file types. If you need to retain an Office file on your computer but need to redact the Private Information in the file, follow this three-step process:
- Save a copy of the file in Office 2007 or 2010 format (.docx, .xlsx, etc.).
- Use Spirion to scrub (redact) the Private Information from the new file.
- Use Spirion to shred the old file.
WHAT DO I DO WITH PRIVATE INFORMATION FOUND ON MY SYSTEM?
We've created a Private Information Handling Quick Reference Table to assist you in determining how to handle Private Information found on your computer or drives.
If you find Private Information (e.g., Social Security Number, Bank Account Number, Credit Card Number or Driver's License) on your computer and are not sure whether it should be there, ask your Information Steward/Management Representative.
New York State law does not allow the retention of Social Security Numbers unless there is a clear business need for the information. In general, an RIT employee has a legitimate purpose for having access to the Social Security Numbers of another individual when such number is required for tax or billing purposes, credit authorizations, background checks, or in furtherance of submitting a federal or state governmental application that requires the transmission of an individual's Social Security Number. In addition, Social Security Numbers shall be maintained when required by court order, by subpoena, or by direction of the Office of Legal Affairs.
WHAT IS REDACTION?
Unless required by RIT business processes, files must not contain Private Information. Unnecessary information must be sanitized by redacting (removing) the Private Information. It is not sufficient to simply obscure or hide the information. Although "redaction" has a broader meaning in editing, in the context of information handling it refers to the removal of information from a document.
WHAT IF THE ONLY PRIVATE INFORMATION THE SCAN FINDS IS MINE?
Private Information should not be stored on an RIT computer unless expressly permitted. (This information is typically found in copies of tax returns and filled-in forms.)
I HAVE A NON-WINDOWS COMPUTER, WILL IT BE SCANNED?
Currently, only computers running Microsoft Windows or macOS will be scanned by Spirion. We encourage you to examine the files on your computer and attached drives to identify Private Information and handle it accordingly. For Linux, we recommend using Cornell's Spider. You may also work with your systems administrator to scan the Linux drive from Windows.
QUESTIONS AND ISSUES
Please direct any questions regarding information handling or the Private Information Management Initiative to your Information Steward/Management Representative.