Instructions for Faculty & Staff

As members of the university community, you have been asked to remove files containing Social Security numbers (SSNs) and credit card numbers from your computer. We recommend the following procedures in order to accomplish this as completely as possible. You may feel it is unlikely you have SSNs or credit card numbers on your workstation, but remember that prior to the implementation of Banner, most documents involving students (grades, reports, etc.) used the student's SSN as an identifier. Research data or grant proposals often contain SSNs of subjects or the principals. Also, many faculty have hosted small conferences where credit card numbers may have been collected. Sensitive data has been much more widely distributed than is generally recognized, and removing this risky and unneeded information is the goal of the SSN Elimination program.

The three basic steps in cleaning your computer are:

1. Search your computer for files containing SSNs or credit card numbers.
2. Examine these files to determine if they can be destroyed or need to be retained.
3. Delete the files you do not need and securely archive those that must be retained.

A list of frequently asked questions has been created that may address questions you have. We recognize that completing this program will be time consuming and possibly frustrating. Please note that removing these files is a significant step in preventing the unintended disclosure of personal data. Data breaches are felt very deeply and personally by those affected. See,

Email Exposes Confidential File
Comments on the above article

Searching for Files That Contain SSNs or Credit Card Numbers

You are obligated to search for any and all files or programs that store SSNs. To assist in this process we have created two programs: Firefly for Microsoft Windows and Firefly4Mac for Apple OS X. Please run the appropriate programs on all of your University-related computing equipment (laptops, desktop workstations, lab machines). Please be aware that no program can read every file type--both Firefly and Firefly4Mac can miss files that might contain SSNs. These programs were created to assist, but not replace, your own thoughtful examination. The obligation to search your electronic records is yours and yours alone.

• Firefly for Microsoft Windows: Firefly should install on most versions of MS Windows and will scan all your local drives for files containing SSNs and credit card numbers, providing you with a report on its findings. Firefly has been highly tuned to minimize false positives. It will also send a summary of its findings to the Security Office once it has finished scanning. Firefly usually takes between 20 minutes to several hours to scan the typical computer.
• Apple OS X: Our approach to finding SSNs on Macs relies on the OS X Spotlight feature. Here we provide a script that searches for variations on the phrase "Social Security Number" to try to identify files containing SSNs. While not as sophisticated as Firefly, our testing shows it to be almost as effective and reasonably fast.
• Other systems: No specific scripts have been created for other operating systems (or older versions of Windows and Apple machines), however we do have a number of recommendations available for searching these systems using GREP and similar utilities.

Examining Files

All programs that scan for Social Security numbers will generate false positives. For example, files containing other 9-digit numbers might be misidentified as SSNs and listed as a suspect file. The only way to tell if a suspect file actually contains SSNs or credit card numbers is to open the file and review the contents. We strongly encourage you to examine most or all of the files found by the above programs before deleting or securely archiving them. Depending on the number of suspect files found, this review process can be time-consuming and tedious. Unfortunately, the need to personally review these files cannot be avoided. A potential time-saving tip is to think about where you might have stored old grade information (rosters, for example), particularly if you used non-MS-Office programs for word processing, spreadsheets, or databases. You can then address those files first.

We suggest you print off the report of suspect files and use the printout as a checklist. The Firefly report will provide a link to each suspect file that you can click to open the file. Unfortunately, Firefly will not help you determine where in the match is located within the file. In practice, however, most of our testers were able to quickly determine whether a file contains real SSNs or if it is a false positive.

Delete or Manage Securely

In general, files containing SSNs or credit card numbers should be deleted or, at a minimum, have the SSNs removed. There are two exceptions:

• if the file is an official University Record, then it may need to be retained for a period of time mandated by the State or Federal Government
• individuals who have been authorized to work with SSNs may have a legitimate reason to store them. No one is authorized to store credit card numbers outside of OBFS

The vast majority of files with SSNs may be working copies of files that are held as record items by the responsible unit and, if so, may be safely destroyed. If you are unsure or suspect a file may be an official record, contact your unit's business manager or the Electronic Records Archivist, Joanne Kaczmarek, at (217) 333-6834 or jkaczmar@uiuc.edu. For an overview of what a record is and why you should care, see What is a Record?

If you believe you have a legitimate reason to store SSNs as part of your job function, you must get approval from your unit head and take the appropriate steps to ensure these data are safely and completely secured. Please see Secure Archiving for information on how to do this. The obligation to securely maintain this information is yours!

Special Note: In some cases this information has permanent (enduring) value and should be securely managed and maintained by your department or transferred to the University Archives. In other cases, the records may be eligible for destruction according to an approved records retention schedule. If you do not have such a schedule, or if you have questions, contact your records liaison and/or Joanne Kaczmarek at the University Archives at (217) 333-6834 or jkaczmar@uiuc.edu.

Getting Help

If you need further assistance or have questions not answered here or in the FAQ, please

• Talk to your unit IT Professional staff. They are familiar with this program and can help with the scanning tools listed above.
• Talk to your unit's business manager or the person that your unit designated as the contact for the SSN Remediation Program.
• Call or email the CITES Help Desk. The staff at the Help Desk are prepared to answer commonly asked questions.
• For questions about electronic records, contact Joanne Kaczmarek at (217) 333-6834 or jkaczmar@uiuc.edu.