Data Types (High Risk, Moderate Risk, Low Risk)
This article applies to: Security & Policy
Cornell is like a small city. People work, study, live, and play here. We have our own transportation, dining, administration, residence halls, and offices. As a result, there is a wide variety of university data, which you may access or use for your work or in your day-to-day life at Cornell. Some examples include:
- Employment records
- Background checks for employees
- Budget information
- Cornell ID card numbers and info that’s associated with parking, buying food, or bus access
- Credit card, departmental account, or procurement card numbers
- Emergency planning information
- Financial aid data
- Financial records
- Grant information
- Health insurance
- Human resources records
- Infrastructure data: building plans, control systems, utilities, networks, etc.
- Investment information
- Letters of recommendation
- Library circulation records
- Loan records
- Name, home address, phone
- Non-public directory biographical data
- Research data
- Salary data
- Tax records of the university, its employees, parents, and students
- Travel arrangements
- Vehicle registration
- Video surveillance
- Voice mail
High-Risk and Restricted Data
All information at Cornell should be protected, even data that you may not consider sensitive.
Cornell Policy 5.10, Information Security, divides data into three types:
High-Risk - Data that should never be shared publicly, because it poses identity theft risks when found in conjunction with an individual's name or other identifier (see more about high-risk data types below):
- Social Security numbers
- Driver's license numbers
- Credit card numbers
- Bank account numbers
Moderate-risk - Any information used in the conduct of university business, unless categorized as high-risk or low-risk university data.
Low-Risk - Data that the university has made available or published for the explicit use of the general public
State and Federally Regulated Data
Some data at Cornell is also subject to the following:
State Security Breach Notification laws
- Social Security numbers
- Credit card data
- Driver’s license numbers
- Bank account information
Health Insurance Portability and Accountability Act (HIPAA)
- Health insurance
- Health records/patient treatment information
Gramm-Leach-Bliley Act for Disclosure of Nonpublic Personal Information (GLBA)
- Loan records
Family Education Rights and Privacy Act (FERPA)
- Tax records of parents and students
- Cornell tax records
More About High-Risk Data Types
Social Security Numbers
These 9-digit numbers are issued by the US Social Security Administration to US citizens and permanent residents. The primary use is as a taxpayer identification number. With the advent of computers and the need for a unique way to separate individuals with identical names, they have become something of a national identification number.
The standard format of a Social Security Number is xxx-yy-zzzz, for example 999-88-7777. Computers often store SSN values without the hyphens or with alternative delimiters, according to some sense of programming efficiency. Stored SSNs may not be human readable.
- The first block (the 999 portion of the example above) is called the area. It is loosely associated with the state of issuance (not necessarily state of birth). Certain areas, such as 000, 666, and values over 900 are reserved or permanently unissued. Currently, the highest valid area is 773.
- The second block of digits (88 in the example) is the group. This is incremented according to a historical practice, starting at 01 and rising as needed to 99. Group 00 is reserved and invalid.
- The final block of digits is called the serial. It is issued randomly from 0001 to 9999 until all values are exhausted after which the next group is placed in service. As with the other values, 0000 is reserved an not issued.
Credit Card Numbers
Credit card numbers are issued by their respective banks and tend to follow a few simple rules (described by ISO 7812 for those interested in a little light reading). Typically, credit card numbers are 15 or 16 digits, though older cards may use 13 digits and some non-US bank cards use 18 or 19.
Standard Format for 16-Digit Cards
The most common form for Visa, Mastercard, Discover, Diner’s Club, and other 16-digit bank card numbers is: aaaa-bbbb-cccc-dddd, for example 4222-1111-2222-3333. Like SSNs, computers may store credit card numbers in some other, more efficient form that is not human readable.
- The first one to six digits of the card number are reserved for use by the issuing bank. As a general rule, Visa owns bank card numbers starting with 4, Mastercard owns those starting with 5, and Discover owns some that begin with 6.
- The remaining digits are issued by the bank according to their own practices and the need for numerical validation of card numbers.
Standard Format for 15-Digit Cards
A typical 15-digit card, such as an American Express card is typically written as aaaa-bbbbbb-ccccc, for example 3434-123456-12345. The only difference between these values and 16-digit bank card numbers is the written format. American Express reserves the 34 and 37 first two digits for its own use.
Validating Credit Card Numbers with the Luhn Algorithm
Almost all credit card numbers can be numerically validated according to the Luhn algorithm. This is a simple mathematical check was developed by IBM in the early 1960s to detect and correct simply operator entry errors. The majority of data discovery tools use this method to separate invalid credit card numbers from plausible ones. This can result in considerable accuracy gains.
Many other high-risk data types, both in the US and abroad, use the Luhn algorithm for error detection. Some US drivers licenses use it, as do many foreign identifiers such as Canadian Social Insurance Numbers.
US Driver’s License Numbers
Driver’s license numbers are issued by each state and the District of Columbia. A similar number is the non-driver identification number, issued to people who do not drive. These numbers function as individual identifiers for age verification, operating a motor vehicle, and as a de facto national identification where needed. Many states used the Social Security Number as a driver’s license number until the practice was prohibited by recent federal law.
Numerical formats vary from state to state, ranging from single digits (very old Delaware licenses) to 13-digit combinations of letters and numbers (New Jersey). Most commonly, driver’s license numbers are seven to nine digits, occasionally preceded by a letter to distinguish from other numerical identifiers like SSN.
Bank Account Numbers
Issued by each bank, bank account numbers are typically 10 digits in length.