Yale University

ITS Section Heading

Yale ITS Home

Gateways for:

Help Desk
203.432.9000

ITS Office
Yale University
25 Science Park
P.O. Box 208276
New Haven, CT
06520-8276
USA

Yale logo.

Data scanning FAQ

Frequently asked questions about the project to protect confidential personal information

In the questions below, Social Security numbers and credit card numbers are referred to as "confidential numbers."

1. Why is this project necessary?

Answer:
In its role as an educational institution, a research institution, and an employer, Yale must collect a variety of personal information about students and members of the faculty and staff. Social Security numbers (SSNs) are one of the most sensitive types of information that Yale holds because they can be the key to obtaining many other types of personal and financial data. Credit card numbers (CCNs) are also highly sensitive for the obvious reason that they can be used to make unauthorized purchases. Moreover, if an unauthorized person gains access to or acquires confidential numbers held by Yale, the University may have a legal obligation to notify the persons affected.

In 2007, two Yale computers were stolen, and after restoring back-up files, the University discovered that the machines contained old and unneeded files with the names and SSNs of about 9,000 students and 200 members of the faculty and staff. These files predated June 2005, when Yale ceased using SSNs as routine student and employee identifiers, and the users of the computers were unaware that SSNs existed on their machines in such large numbers. This incident alerted Yale to the possibility that similar files existed on other computers elsewhere in the University. In order to protect the personal information of its students and employees, Yale is launching this project to identify and remove or encrypt files that contain confidential numbers.

2. How will the process work?

Answer:
You will receive an email from Yale's Information Security Officer, Morrow Long, stating that you have a requirement to complete “Self Data Scan,” and explaining how to do so.

After receiving the email, go to the Software Library and perform the following:
  • Select your Macintosh, UNIX or Windows operating system
  • Select “Data Detection Software” from the list
  • Select "More Information" to download instructions about installing and running the tool.
  • Select "Download Now" to download the tool.
  • Follow the instructions to run the data scanning tool.

If you discover files with confidential numbers, follow these simple guidelines:
  • Delete files that you do not need and that you do not have an obligation to preserve (see questions 10 through 14 below).
  • If you must preserve the files, but the files no longer need to include confidential numbers, delete those numbers from the files. This process is called “de-identification,” and uncouples confidential numbers from other personal identifying information, such as names and addresses. For example, if you have old class and grade lists that include SSNs as the student identifier, you can delete the column of SSNs and preserve the remaining information. If you have any questions about how to do this, you should seek help from your IT support person or contact the Help Desk at 203-432-9000 or email helpdesk@yale.edu.
  • If you believe that you must retain files with the confidential numbers in place, you must obtain permission to do so from your supervisor. Your IT support provider will need to encrypt the files.

Once you have completed reviewing the identified files and have taken any required action, you will need to confirm with TMS that you have completed the “Self Data Scan” requirement.

3. What can I do in advance to prepare?

Answer:
The most helpful thing you could do would be to review your stored data and delete old files you no longer need. Don’t forget to review your email attachments folder and delete attachments you no longer need and are not otherwise obligated to preserve. If you do this preparatory work, particularly if you have many years of older, unnecessary data on your computer, the scan should produce far fewer results and be easier for you to process.

4. Will someone help me with scanning my computer(s)?

Answer:
It is the individual’s responsibility to scan the computers used for Yale-related work.. Of course, your IT support provider can help you download and install the scanning software if you have trouble doing so.

5. My computer was just scanned last fall. Why do I have to scan it again?

Answer:
You are being asked to scan again because our records indicate you have multiple machines that you use or assigned to you and Yale is requiring that all machines be scanned.

6. I received notification from the Training Management System. What do I need to do?

Answer:
You will receive a notification or reminder until you have completed the TMS requirement for the “Self Data Scan Confirmation.” This TMS “course” is simply a confirmation statement, where you can acknowledge that you have scanned your personal computer for the presence of Social Security or credit card numbers, and responded to the results. If you do not have a computer, you must still log in to indicate that status.

7. If I do not confirm that I have reviewed the documents and taken required action what will happen?

Answer:
If you have not confirmed your actions via TMS within a week of notification, you will receive a weekly reminder email. Further delay will result in a notification to your supervisor.

8. Should I back up my computer before scanning?

Answer:
Yes, it is important to perform a back-up of your computer prior to scanning. Why? The scan itself won’t do anything to your data, but if you accidentally remove or shred a file as you process the results of the scan, the only way to retrieve will be through the back-up.

9. What types of files are scanned?

Answer:
The tool in use for Windows will examine all files on your system for Social Security, credit card, and bank account numbers. The tool will examine email messages and attachments. The tool in use for Macintosh and Linux attempts to inspect the following types of files for Social Security and credit card numbers:

  • Brio Query files (bqy)
  • Office 2003 formats (.doc, .ppt, .xls)
  • Text files (.txt)
  • Archives (.zip)
  • Access databases (.mdb)
  • Filemaker Pro databases (.fp3)

Other file types are not being examined at this time. In particular, email messages are not being examined, though attachments will be scanned.

10. I am a Macintosh user. Where can I find the log file?

Answer:
To find the log file, do the following:
  • Go to your hard drive
  • At the top level, you’ll find Scan_Results
  • Open folder
  • Clicking on any link opens the file in the appropriate program

11. I am a Macintosh user and my operating system is below 10.4. What do I need to do?

Answer:
You need to upgrade your Operating System to a minimum of 10.4. If you have questions contact your local support person.

12. I am a Linux user and I am not sure of my operating system or I do not run SUSE OS what should I do?

Answer:
Request assistance from your local support provider.

13. I am a Eudora 6.2 user and I receive an error running tool. What should I do?

Answer:
Follow these instructions:

Go into the Tools menu
Options at the bottom. In the Options dialog box, there is a MAPI category near the bottom of the list.
Change From Always to either Never (preferred) or Only When Eudora Is Running.

14. I am a Thunderbird or Eudora user and my mailbox shows as needing remediation. What should I do?

Answer:
You should not shred the file types below, as you will lose your mail access:
*.mfs at any location
*.toc at any location
*.mbx at any location

16. Who should scan for bank account numbers?

Answer:
Anyone involved in the recording and/or transmission of financial transactions to financial institutions most commonly found in the Controller’s Office, Procurement, Investments/Investment Accounting, Tax Offices, University Audit, etc.

17. What are some common files that are identified as containing information, but can be ignored?

Answer:
The following files do not require remediation:
  • spacesys.xls at any location
  • c:\program files\common files\java\Update\Base Images\
  • c:\program files\Qualcomm\Eudora\plugins\StaticJunkDB.txt
  • c:\program files\spybot – search & destroy\updates\startup.zip

Any AdAware Log files can be safely ignored.

18. How can I shred or ignore multiple files?

Answer:
See “Selecting multiple locations” and “Filtering results” in the Identity Finder Guide.

19. If I accidentally shred a file can I retrieve it?

Answer:
The shredding of a file is permanent. The only way to retrieve it would be through a back-up.

20. What if I can’t identify the file type of a file in my results?

Answer:
If you use Thunderbird, your local mailbox (without a file extension) may show up as a result of the scan. If it does -- or you’re uncertain whether it is your mailbox -- select “Ignore” and complete the remainder of your remediation; then save the scan results file. Request assistance from your Support Provider to identify whether it’s your mailbox.
Follow the procedure above for any file types for which you are uncertain.

21. Some files identified in the results contain no Social Security or credit card information. Have I completed my requirement if none of the files contain this information? Do I have to delete them to complete my training requirement?

Answer:
If none of the files contain Social Security or credit card information, you are finished and can complete your TMS “Self Data Scan” requirement. You do not need to delete such files.

22. Are there other types of documents that I have to preserve, even if they contain confidential numbers?

Answer:
Yes, Yale remains subject to other document retention requirements, such as requirements governing research, medical, tax, and certain personnel records. If you have any questions about document retention requirements in relation to this project, you should email your questions to information.security@yale.edu, and you will receive advice on how to proceed.

23. Can I start deleting files or confidential numbers before the scan?

Answer:
There is no need to wait for the scan if you know you have files with confidential numbers. However, you should not delete any files that Yale is legally obligated to preserve.

24. Who will know the results of the scan?

Answer:
Your supervisor will be aware of your obligation to perform the scan of your computer and if the task has been completed. However, unless you request the assistance of your IT service provider, only you will be able to review and respond to the data scan results. If you have any concerns about personal files on your computer, you should remove them before the scan takes place.

25. Will I be disciplined for having confidential numbers on my computer?

Answer:
The purpose of this project is to protect the personal information of students and employees, not to invade privacy or uncover wrongdoing. You will not be disciplined for failing to delete files that you received or created in the scope of your work at Yale. However, if a scan reveals that an employee has used his or her computer in violation of the law or in violation of Yale’s Information Technology Appropriate Use Policy, the University cannot ignore that information, and it will take the same action that it would have taken had the information come to light in any other circumstances.

26. How soon will I be able to scan my computer?

Answer:
The University has made this project a high priority, and we intend to have self scanning of computers complete by the middle of June, 2008.

27. Am I able to perform the scan myself?

Answer:
Yes; you can perform scan yourself by following the instructions above.

28. When should I do my scanning?

Answer:
You can perform your scanning at any time before June 15, 2008, our target date for completing data scanning and remediation. The program works in the background and will not impact you while you do your regular work. If you have an older computer, you might notice the scanning tool slows down the performance of your computer; in that case, we advise you to consider running the scan overnight.

Depending on how many files the scan identifies, reviewing and deleting confidential information may be time-consuming, so we recommended that you review the results at a time convenient for you.

29. How many times can I scan my computer?

Answer:
You may rerun the scanning software for Windows as frequently as you wish. At this time, the goals of the project do not require a rescan of any device but you can run the scanning software yourself. To do a rescan for Windows devices follow the following steps:
  1. Start
  2. Select All Programs
  3. Select Identity Finder
  4. Select Identity Finder Enterprise Edition
  5. Double click on start

30. What if I use a laptop that I take home in the evening?

Answer:
You don’t need to be connected to the network to run the scan, only to download the scanning software. So you should connect to the Yale network and follow the instructions for downloading the software appropriate for your computer’s operating system. You can then run the software either when you’re connected to the network or when you’re at home.

31. What if I have Yale files on my home computer or on portable media?

Answer:
You can use the scanning software on those devices, too. Just follow the same steps outlined above.

32. How do I recover a file that I accidentally deleted?

Answer:
  • Go to the Start menu
  • -- Programs -- Tivoli Storage Manager –
  • Backup-Archive GUI
  • Then browse to your file and click restore.

33. Do I have to do the scan? If I already know where my confidential information is, can’t I just remove it? Or if I already know I have no confidential information, can’t I just go to the TMS website and indicate that I’ve remediated my data?

Answer:
You might be surprised to learn that most people are unaware of at least some of the confidential data on their computers, as many as 80% of people whose computers we scanned in Fall 2007. We encourage you to remove confidential data any time – you don’t need to wait to scan to do so. But you really should take the time to scan your computer, especially if you’ve got years’ worth of data on it or inherited it from a previous user.

34. I am an emeritus professor. Do I need to complete this requirement?

Answer:
If you are an emeritus professor and any of the following apply, you will have to complete the data self-scan requirement:

  • If you use your computing device to access the Yale network (this includes via VPN)
  • If you have Yale data on your computing device
  • If you have been issued a computer by Yale and continue to use it
  • If you have retained any teaching, research and/or administrative role at the University

If none of these apply, you can request for the Information Security Office to waive your data self-scan requirement by emailing security@yale.edu.

Jump to top.

Last modified: Friday, 10-Jul-2009 15:20:28 EDT. (ms)