ABOUT YOUR SECURITY BRIEFING

Willie Archie University Research Security Officer Laboratory Management Office	Robert Van Ness Assistant Vice President Laboratory Management Office

WHAT IS THE ANNUAL SECURITY REFRESHER BRIEFING?

The University has agreed to conform to all security regulations and requirements of various Federal sponsors.  Individuals who possess UC-sponsored clearances must receive refresher briefings at 12-month intervals.  These briefings reinforce and update awareness of DOE safeguards and security policies and remind individuals of their security responsibilities.
 
Although most of the information in the briefing is aimed at DOE access authorization holders, pertinent information applies to DOD security holders also.
 
Your Responsibility
 
We encourage you to carefully review the material in this briefing to better understand various security policies to be carried out in the performance of your University duties.
 
Due Date
 
Please return your required briefing acknowledgment (see last page) by November 30, 2003.

1. Introduction
2. Counterintelligence and You : Interview with Oleg Kalugin
3. Homeland Security
4. Identity Theft
5. References
6. Actions for You

INTRODUCTION

As an individual holding a University of California-sponsored DOE and/or DOD security clearance, you have been entrusted with responsibilities to yourself, your fellow colleagues, the University, the Federal government, and the nation.
 
DOE Order 470.1, Chapter 4, “Safeguards and Security Awareness Program,” requires that all DOE contractor
personnel with a clearance receive an annual security refresher briefing (ASR). The ASR is designed to highlight significant issues related to your clearance. This year, the ASR is being presented in two formats, electronically and in the familiar booklet format. Although more information is covered in the cross-linked electronic version (found at http://labs.ucop.edu/security/brief03/), the information contained in this booklet covers most of the same material. After reading the booklet, simply print and sign your name and return the last page to the University Research Security Office using the self-addressed form.
 
Topics presented in this refresher briefing include the following: 

• Counterintelligence: Useful Information
• The New Homeland Security Federal Agency
• Identity Theft: What You Can Do About It?

COUNTERINTELLIGENCE AND YOU:

My name is Oleg Kalugin. As a KGB Major General, I was responsible for the Foreign Counterintelligence for the KGB worldwide. In this position, I was responsible for all agent operations directed against the United States. Let me assure you of one thing, as an employee of this facility, you were targeted for recruitment. It did not matter if you were a scientist, a technical staff member or an administrative assistant. It did not matter if you had access to classified information or not, you were a potential target. The fact that you were employed by this organization meant that you had or would have access to sensitive information or to others who had access to sensitive information that would help my country. Make no mistake about it, you were and are a potential target for recruitments. Recruitment can be a long process encompassing several weeks or months. My successors are patient people, they have time and they will wait. For some of you, they will develop that long standing relationship needed to establish a need or dependency on them.  At that point, they will have you and you will feel obligated to help. For others, you will be approached during a conference, seminar or meeting held overseas or right here in the United States. If we are subtle, you may never know of our approach, but it will happen. The bottom line is you don’t need to be paranoid, but you need to be aware at all times that the intelligence services know who you are and are interested in you as a potential recruitment.

CREATION OF DEPARTMENT OF HOMELAND SECURITY

The inception of the Department of Homeland Security (DHS) became a reality January 24, 2003 through the establishment of the Homeland Security Act of 2002 (Public Law 107-296).
 
In order to reflect responsibilities vested in the Secretary of Homeland Security and take other actions in connection with the establishment of the DHS, the National Security Act of 1947 was amended (50 U.S.C. 401 et seq.) in addition to amendment of some 17 Executive Orders.
 
Mission/Purpose of DHS
 
The mission of the DHS is to:
 
¯    Prevent terrorist attacks within the United States
 
¯   Reduce America’s vulnerability to terrorism; and
 
¯    Minimize the damage and recover from attacks that do occur.
 
Principles Underlying Formation of the DHS

To ensure that the new department of Homeland Security has the greatest possible chance for success in the near term, Congress and the White House based the founding legislation on five core principles. Specifically:

1. The new department should improve information-sharing, not contribute to its further compartmentalization.
2. The new department must consolidate federal offices, not add additional bureaucracy.
3. The independent Office of Homeland Security (OHS) must be retained to advise the President and to coordinate the policies of federal agencies with homeland security responsibilities.
4. The authorizing and appropriations committee structure for homeland security must be revised in both houses of Congress to reduce redundancy and simplify the legislative process.
5. The new department must be committed to protecting civil liberties while securing the nation from terrorism.

Focusing on these core principles not only will help reduce redundancy in how the federal agencies and Congress now address homeland security, but also will help to avoid the sorts of turf battles that too often undermine policy implementation. Thus, the specific details of the final legislation to establish the DHS will prove crucial to its success.  Congress should avoid any provisions that increase the size of the federal bureaucracy or compartmentalization of intelligence, and instead find ways to promote intelligence-sharing within the President’s budget request for fiscal year 2003.
 
 

DHS Organization
 
Department Components
 
DHS has Five Major Divisions, or “Directorates”:

1. Border and Transportation Security (BTS):  BTS is led by Under Secretary Asa Hutchison, and is responsible for maintaining the security of our nation’s borders and transportation systems.  The largest of the Directorates, it is home to agencies such as the Transportation Security Administration, U.S. Customs Service, the border security functions of the Immigration and Naturalization Service, Animal and Plant Health Inspection Service, and the Federal Law Enforcement Training Center.
2. Emergency Preparedness and Response (EPR):  This Directorate, which is headed up by Under Secretary Mike Brown, ensures that our nation is prepared for, and able to recover from, terrorist attacks and natural disasters.
3. Science and Technology (S & T):  Under the direction of Under Secretary Dr. Charles McQueary, this Directorate coordinates the Department’s efforts in research and development, including preparing for and responding to the full range of terrorist threats involving weapons of mass destruction
4. Information Analysis and Infrastructure Protection (IAIP): IAIP merges the capability to identify and assess a broad range of intelligence information concerning threats to the homeland under one roof, issue timely warnings, and take appropriate preventive and protective action.
5. Management:  The Under Secretary of Management, Janet Hale, will be responsible for budget, management and personnel issues in DHS.

Besides the five Directorates of DHS, several other critical agencies are folding into the new department or being newly created:

• United States Coast Guard:  The Commandant of the Coast Guard reports directly to the Secretary of Homeland Security.  However, the USCG also works closely with the  Under Secretary of Border and Transportation Security as well as maintain its existing independent identity as a military service. Upon declaration of war or when the  President directs, the Coast Guard would operate as an element of the Department of Defense, consistent with existing law.
• United States Secret Service:  The primary mission of the Secret Service is the protection of the President and other government leaders, as well as security for designated national events. The Secret Service is also the primary agency responsible for protecting U.S. currency from counterfeiters and safeguarding Americans from credit card fraud.
• Bureau of Citizenship and Immigration Services:  White BTS is responsible for enforcement of our nation’s immigration laws, the Bureau of Citizenship and Immigration Services dedicates its full energies to providing efficient immigration services and easing the transition to American citizenship. The Director of Citizenship and Immigration Services will report directly to the Deputy Secretary of Homeland Security.
• Office of State and Local Government Coordination:  A truly secure homeland requires close coordination between local, state and federal governments. This office ensures that close coordination takes place with state and local first responders, emergency services and governments.
• Office of Private Sector Liaison:  The Office of Private Sector Liaison provides America’s business community a direct line of communication to the Department of Homeland Security. The office works directly with individual businesses and through trade associations and other non-governmental organizations to foster dialogue between the Private Sector and the Department of Homeland Security on the full range of issues and challenges faced by America’s business sector in the post 9-11 world.
• Office of Inspector General:  The Office of Inspector General serves as an independent and objective inspection, audit and investigative body to promote effectiveness, efficiency, and economy in the Department of Homeland Security’s programs and operations, and to prevent an detect fraud, abuse, mismanagement, and waste in such programs and operations. To contact Acting Inspector General Clark Kent Ervin, or his staff, call 202-927-5240. To report waste, fraud or abuse, call the Hotline at 1-800-323-8603.
  

Threats & Protection

Advisory System
 
Homeland Security Advisory System
 
Understanding the Homeland Security Advisory System
 
The world has changed since September 11, 2001. We remain a nation at risk to terrorist attacks and will remain at risk for the foreseeable future. At all Threat Conditions, we remain vigilant, prepared, and ready to deter terrorist attacks. The following Threat Conditions each represent an increasingly risk of terrorist attacks. Beneath each Threat Condition are some suggested Protective Measures, recognizing that the heads of Federal departments and agencies are responsible for developing and implementing appropriate agency-specific Protective Measures:

1.     Low Condition (Green).  This condition is declared when there is low risk of terrorist attacks. Federal departments and agencies should consider the following measures in addition to the agency-specific Protective Measures they develop and implement:

• Refining and exercising as appropriate preplanned Protective Measures;
• Ensuring personnel receive proper training on the Homeland Security Advisory System and specific preplanned department or agency Protective Measures; and
• Institutionalizing a process to assure that all facilities and regulated sectors are regularly assessed for vulnerabilities to terrorist attacks, and all reasonable measures are taken to mitigate these vulnerabilities.
  

2.     Guarded Condition (Blue).   This condition is declared when there is a general risk of terrorist attacks. In addition to the Protective Measures taken in the previous Threat Condition, Federal departments and agencies should consider the following general measures in addition to the agency-specific Protective Measures that they will develop and implement:

• Checking communications with designated emergency response or command locations;
• Reviewing and updating emergency response procedures; and
• Providing the public with any information that would strengthen its ability to act appropriately.

3.     Elevated Condition (Yellow).  An elevated Condition is declared when there is significant risk of terrorist attacks. In addition to the Protective Measures taken in the previous Threat Conditions, Federal departments and agencies should consider the following general measures in addition to the Protective Measures that they will develop and implement:

• Increasing surveillance of critical locations;
• Coordinating emergency plans as appropriate with nearby jurisdictions;
• Assessing whether the precise characteristics of the threat require the further refinement of preplanned Protective Measures; and
• Implementing, as appropriate, contingency and emergency response plans.

4.     High Condition (Orange).  A High Condition is declared when there is a high risk of terrorist attacks. In addition, to the Protective Measures taken in the previous Threat Conditions, Federal departments and agencies should consider the following general measures in addition to the agency-specific Protective Measures that they will develop and implement:

• Coordinating necessary security efforts with Federal, State, and local law enforcement agencies or any National Guard or other appropriate armed forces organizations;
• Taking additional precautions and public events and possibly considering alternative venues or even cancellation;
• Preparing to execute contingency procedures, such as moving to an alternate site or dispersing their workforce; and
• Restricting threatened facility access to essential personnel only.

5.     Severe Condition (Red). A severe condition reflects a severe risk of terrorist attacks. Under most circumstances, the Protective Measures of a Severe Condition are not intended to be sustained for substantial periods of time.  In addition to the Protective Measures in the previous Threat Conditions, Federal departments and agencies also should consider the following general measures in addition to the agency-specific Protective Measures that they will develop and implement:

• Increasing or redirecting personnel to address critical emergency needs;
• Assigning emergency response personnel and pre-positioning and mobilizing specially trained teams or resources;
• Monitoring, redirecting, or constraining transportation systems; and
• Closing public and government facilities.

University of California’s Statement on Terrorism

September 11, 2003


MEMBERS OF THE UNIVERSITY OF CALIFORNIA COMMUNITY

Today marks the two-year anniversary of the tragic September 11, 2001 attacks on New York and Washington, D.C., and the losses suffered not only by the nation but also our own University community.

I invite you to take a moment to reflect on those events, and to honor and remember those who were lost.

The University of California, including the national laboratories UC manages for the federal government, continues to make a major contribution to national security and global understanding in the wake of the September 11th attacks. University researchers are playing a central role in the investigation of such topics as the prevention and detection of terrorist activity; the political, social, and psychological aspects of terrorism; and infrastructure recovery following a terrorist attack. We can all be proud to be part of a University community that is so deeply engaged in these important issues.

Lastly, let us remain ever mindful that the University stands as a place of reasoned inquiry and civil discourse -- principles that have become even more important in the last two years.

Fiat Lux,

Richard C. Atkinson
President

IDENTITY THEFT

Introduction
 
Identity Theft is becoming more and more common these days. From running up stolen credit card purchases to creating false identification cards or passports, identity thieves have a myriad of reasons for stealing your identity. Thieves can find out information about you from simply rummaging through your garbage cans and pilfering your mailbox to involving you in telephone and internet scams. What can you do to protect yourself? This briefing gives a comprehensive understanding of:

• How identities are stolen.
• How the stolen identity might be used.
• What to do if your identity is stolen.
• How to protect yourself from becoming a victim.
  

Identity Theft Prevention Tips
 
An identity thief takes some piece of your personal information and uses it without your knowledge.  The thief may run up debts or even commit crimes in your name. It may not be possible to completely prevent identity theft. But you can lower your risk of becoming a victim.

• Protect Yourself.  
   
  Manage your personal information wisely. Protect your home address, home telephone number, Social Security number, bank and credit card account numbers, and PIN numbers.
  
  
• Don’t carry your Social Security card in your wallet. 
   
  It is an open invitation for an identity thief.  Check your health plan and other cards.  They may have your Social Security number on them.  Carry only the identifying information that you need.
   
  
• Tear up or shred papers.
  
   Tear up or shred papers with personal information before you throw them away.  Tear up credit card offers and “convenience checks” that you don’t use.
   
  
• Don’t give out personal information on the phone. 
  
  Don’t give out your personal information on the phone – unless you made the call or know the caller. The same goes for e-mail. Any personal information you put on the Internet may be especially vulnerable.
   
  
• Ask how your information will be used. 
  
  Before you give any personal information to a business, ask how it will be used. Ask if the business will share your information with others. Ask if you can have your personal information kept confidential.
   
  
• Control your financial information. 
  
  If you want to limit the sharing of your financial information, write to your bank,  and your credit card, insurance, and securities companies. Tell them that you want to “opt-out” of sharing your personal financial information with outside companies.  You are permitted to do this under federal law![1] See “Your Financial Privacy (CIS3)” on our Financial Privacy web page.
   
  
• Check your bills. 
   
  Check your credit card bills carefully each month. Look for unauthorized charges and report any to your card issuer immediately. Call if bills don’t arrive on time. It may mean that someone has changed the address or other information so that you would not learn about fraudulent charges.
   
  
• Get your name off marketing lists. 
  
  Stop pre-approved credit card offers. Have your name removed from credit bureau marketing lists. Call toll-free 888-5OPTOUT (888-567-8688).
   
  Have your name, address, and phone number removed from many other marketing lists by contacting the Direct Marketing Association.
  

  DMA Mail Preference Service P.O. Box 643  Carmel, NY 10512 Or online (for a $5 charge) at www.the-dma.org

  DMA Telephone Preference Service P.O. Box 1559 Carmel, NY 10512 Or online (for a $5 charge) at www.the-dma.org

   
  Tell telemarketers who call you to put you on their “do not call” list. Federal law requires then to do this.[2]
• Check your credit reports. 
   
  Get copies of your credit reports from the three major credit bureaus at least once a year. Check for changed addresses or fraudulent account information.  Copies cost about $8. To order your reports, contact:
   
  

  Equifax  800-685-1111 www.equifax.com

  Experian 888-397-3742  www.experian.com

  TransUnion 800-888-4213 www.transunion.com

   
  This fact sheet is for informational purposes and should not be construed as legal advice or as policy of the State of California. Readers desiring advice in particular cases should consult an attorney or other expert.  The fact sheet may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the Office of Privacy Protection, and (3) all copies are distributed free of charge.
  

  Identity Theft Victim Checklist
   
  This checklist can help identify theft victims to clear up their records. It lists the actions most identity theft victims should take to limit the damage done by the thief.  Use the contact logs at the end of the checklist to keep a record of all your contacts with credit bureaus, creditors and others.  Keep copies of all the letters you send and receive.
   
  For more information, see the web sites of the Federal Trade Commission (www.consumer.gov/idtheft), the Identity Theft Resource Center (www.idtheftcenter.org) the Privacy Rights Clearinghouse (www.privacyrights.org), and the Department of Consumer Affairs (www.dca.ca.gov).
  

• Report the fraud to the three major credit bureaus. 
   
  Ask each of the credit bureaus to flag your file with a “fraud alert.” Also, ask them to add a victim’s statement to your credit report. The victim’s statement tells creditors to call you to get your approval if they receive requests to open new accounts.  Give them a phone number to use to contact you. Ask each credit bureau for a free copy of your credit report. As a victim of identity theft, you have the right to a free report from each credit bureau. For more on what to tell the credit bureaus, see “Identity Theft: What to Do When It Happens to You” at www.privacyrights.org/fs/fs17a.htm.
   
• Report the crime to the police. 
   
  Under California law, you can report identity theft to your local police department. Ask the police to issue a police report to identity theft. You may have to show copies of the laws to the police. The laws are on the last pages of this information sheet. Give the police as much information on the theft as possible.  Give them any new evidence you collect to add to your report. Be sure to get a copy of your police report. You will need to give copies to creditors and the credit bureaus.  For more information, see “Organizing Your Identity Theft Case” by the Identity Theft Resource Center, available at www.privacyrights.org/fs/fs17b-org.htm.
   
• Request information on fraudulent accounts. 
   
  When you file your police report of identity theft, the officer may give you forms to use to request account information from credit grantors. If the officer does not do this, you can use the forms available from the Office of Privacy Protection at www.privacyprotection.ca.gov/howto530.8.htm.  Send copies of the forms to all creditors where the thief opened or applied for accounts, along with copies of the police report as described below. Give the information you receive from creditors to the officer investigating your case.
   
  400R Street, Suite 3080 . Sacramento, CA 95814 . 1 866 785-9663
  www.privacy.ca.gov . email: privacy@dca.gov
   
• Call creditors.
   
  Call all creditors for any accounts that the thief opened or used. When you call, ask for the security of fraud department. Creditors can be credit card companies, other leaders, phone companies, other utility companies, and department stores. Tell them you are an identity theft victim. Ask them not to hold you responsible for charges the thief made. Ask them to close those accounts and to report them to credit bureaus as “closed at consumer’s request.” If you open new accounts, you have them set up to require a password or PIN to approve use.  Don’t use your mother’s maiden name or the last four numbers of your Social Security number as your password. For more information on what to tell creditors, see the “Identity Theft: What to Do When It Happens to You,” available at  www.privacyrights.org/fs/fs17a.htm and the Federal Trade Commission’s “When Bad Things Happen to Your Good Name,” available at www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm.

• Review your credit reports carefully.
   
  Look for accounts opened in your name that you did not open. Also, look for charges to your accounts that you did not make. And look for late payments or non-payments that are not yours. Check your name, address and Social Security number. Look at the Inquiries section of the report. Ask the credit bureaus to remove any inquiries from companies holding fraudulent accounts in your name. Ask each credit bureau to remove all information in your credit report that results from the theft.  Order new credit reports every three months until your situation has cleared up. You may have to pay $8 for each report after the first free one.

• Use the ID Theft Affidavit.
   
  The Federal Trade Commission’s ID Theft Affidavit is a form that can help you clear up your records.  The Affidavit is accepted by the credit bureaus and by many major creditors. Send copies of the completed form to creditors where the thief opened accounts in your name. Also send copies to creditors where the thief made charges on your account, to the credit bureaus, and to the police. The form is available on the FTC web site at www.consumer.gov/idtheft/affidavit.htm.

• Write to the credit bureaus.
   
  Write a letter to each credit bureau. Repeat what you said in your telephone call (see above). Send copies of your police report and completed ID Theft Affidavit. Remind the credit bureaus that they must remove any information that you, an identity theft victim, say is the result of the theft. Send your letters by certified mail, return receipt requested. Keep a copy of each letter.
   
• Write to creditors.
   
  Write a letter to each creditor.  Repeat what you said in your telephone call (see above). Send copies of your police report and the completed ID Theft Affidavit. Send your letters by certified mail, return receipt requested. Keep copies of your letters. Continue to review your bills carefully and report any new fraudulent charges to the creditor.
   
  
• If your checks or bank account information were stolen…
   
  Close your bank account. Open a new one with a new account number. Tell the bank you want to use a new password for access to your new account.  Do not use your mother’s maiden name or the last four digits of your Social Security number. Report the stolen checks to the check verification companies that stores use. For more information on stolen checks, see “Identity Theft: What To Do When It Happens To You,” at www.privacyrights.org/fs/fs17a.htm.
   
  
• If your driver’s license or DMV-issued ID card was stolen…
   
  Immediately contact your local DMV office to report the theft.  Ask them to put a fraud alert on your license. Then call the toll-free DMV Fraud Hotline at 866-658-5758. If the thief is using your license as ID, you may want to change your license number. Ask DMV for an appointment. Take a copy of the police report and copies of bills or other items supporting your claim of fraud.  You will also need to prove your identity. Take current documents such as a passport, a certification of citizenship or naturalization, or a U.S. military photo ID. DMV will issue a new driver’s license or ID card number when you meet all the requirements.  For more information, see “Identity Theft: Have You Been A Victim of Identity Theft? DMV Can Help,” available at www.dmv.ca.gov/pubs/brochures/fast facts/ffdl24.htm.
   
  
• If your mail was stolen or your address changed by the identity thief…
   
  Notify the Postal Inspector if you think the identity thief has stolen your mail or filed a change of address request in your name. To find your nearest Postal Inspector, look in the white pages of the telephone book for the Post Office listing under United States Government. Or go to the Postal Inspection Service’s web site at http://www.usps.com/ncsc/locators/find-is.html.
   
  
• If you are wrongly accused of a crime committed by the identity thief…
   
  In the case of a false civil judgment, contact the court where the judgment was entered. Report that you are a victim of identity theft. In the case of a false criminal judgment, contact the California Department of Justice at 888-880-0240 and the FBI. Ask them for information on how to clear your name. To find the local field office of the FBI, look in the white pages of the telephone book for the FBI under United States Government. Or go to the FBI’s web site at http://www.fbi.gov/contact/fo/fo.htm.
   
  
• If you are contacted by a debt collector…
   
  Tell the debt collector that you are the victim of identity theft. Say that you dispute the validity of the debt. Say that you did not create the debt and are not responsible for it. Send the collector a follow-up letter saying the same things. Include a copy of your police report and of any documents you’ve received from the creditor. Write that your letter gives notice to a claimant under California Civil Code section 1798.93(c)(5) that a situation of identity theft exists. Send the letter by certified mail, return receipt requested.
   
  If the debt collector is not the original creditor, send your letter within 30 days of receiving the collector’s first written demand for payment.
   
  
• A word about your Social Security number…
   
  Sometimes, an identity thief will use the victim’s Social Security number to be able to work.  It’s a good idea to check your Social Security earnings record to see if the thief is using your Social Security number. You can get a copy of your earnings record by calling 1-800-772-1213. Or get a Request for Social Security Statement (Form 7004) at www.ssa.gov/online/ssa-7004.pdf. If the thief is using your Social Security number, call the Social Security Fraud Hotline at 1-800-269-0271. You can also read “When Someone Misuses Your Number” at www.ssa.gov/pubs/10064.html.
  

  This fact sheet is for informational purposes and should not be construed as legal advice or as policy of the State of California. Readers desiring advice in particular cases should consult an attorney or other expert. The fact sheet may be copied, if (1) the meaning of the copies text is not changed or misrepresented, (2) credit is given to the Office of Privacy Protection, and (3) all copies are distributed free of charge.

Your Social Security Number: Controlling the Key to Identity Theft

• Your Social Security number is the key.
  
  Originally, your Social Security number (SSN) was a way for the government to track your earnings and pay you retirement benefits. But over the years, it has become much more than that.  It is the key to muchof your personal information.
   
  With your SSN, an identity thief can get your credit history, your bank account, your charge accounts, and your utilities accounts.  A thief can also use the number to open new credit and bank accounts or to get a driver’s license – all using your identity.
   
• Don’t  carry your Social Security card in your wallet.
  
  You don’t need to have your Social Security card with you at all times.  Keep it at home in a safe place.  Check for other cards that may have your SSN on them.
   
• Ask questions when they ask for your Social Security number.
  
  There is no law that prevents businesses from asking for your SSN. And you may be denied service if you don’t give the number.  If giving your SSN to a business doesn’t seem reasonable to you, ask if you can show another form of identification. Or ask if the business can use another number as your customer number.
   
  Remember that some government agencies can require your SSN. These agencies include DMV, welfare offices, and tax agencies. Look for the required “disclosure” form. The form should state if giving the number is required or optional, how it will be used, and the agency’s legal authority for asking for it.1
   
• California law limits the public display of Social Security numbers.
   
  A new California law bars many organizations from publicly displaying SSNs.2
   
  The law prohibits:
  • Printing SSNs on ID cards or badges.
  • Printing SSNs on documents mailed to customers, unless the law requires it or the document is a form or application.
  • Requiring people to send SSNs over the Internet, unless  the connection is secure or the number is encrypted, and
  • Requiring people to use an SSN to log onto a web site, unless a password is also used.
    
    The law applies to businesses and other non-governmental entities – for all accounts opened since July 1, 2002. 
    
    
• Ask your companies to change now.
   
  Businesses can continue their current practices for using SSNs for existing customers, unless a customer requests otherwise in writing.  You can ask a company or other non-government organization to treat your SSN as the law requires now. Send a letter that says something like the following: “As a current customer of [name or organization], I am hereby requesting that you comply with the requirements of California Civil Code section 1798.85 related to your use of my Social Security number. I understand that you have 30 days from the receipt of this letter to comply.”
   
  IMPORTANT NOTE: Health care and insurance are exceptions.  This law does not apply to them until January 2003, for all requirements except the ban on SSNs on ID cards. By July 2005, they must comply with all requirements.
   
• Getting a new Social Security number is probably not a good idea.
  
  The Social Security Administration very rarely changes someone’s SSN.  In fact, there are drawbacks to changing the number. It could result in losing your credit history, your academic records, and your professional degrees.  The absence of any credit history under the new SSN would make it difficult for you to get credit, rent an apartment, or open a bank account.
  
  
• Here’s where to get more information on Social Security numbers.
  
  Identity Theft: If you think an identity thief is using your SSN, call the Social Security Fraud Hotline at 1-800-269-0271. If you think someone may be using your SSN to work, check your Social Security Personal Earnings and Benefit Statement. You can get a copy by calling 1-800-772-1213, or online at www.ssa.gov/online/ssa-7004.pdf. Also see the Social Security Administration’s booklet “When Someone Misuses Your Number,” available at www.ssa.gov/pubs/10064.html.
   
  Also see.
   
  What the Numbers Mean:  For an explanation of the numbers in SSNs, see “Structure of Social Security Numbers,” by Computer Professionals for Social Responsibility,  available at www.cpsr.org/cpsr/privacy/ssn/ssn.structure.html.
   
  More on Protecting Your SSN: “Fact Sheet 10: My Social Security Number: How Secure Is It? By the Privacy Rights Clearinghouse, available at www.privacyrights.org/fs/fs10-ssn.htm
   
  Recommended Practices:  For recommendations on how organizations can protect privacy in their handling of SSNs, see the Office of Privacy Protection’s “Recommended Practices for Protecting the Confidentiality of Social Security Numbers,” available at: www.privacy.ca.gov/recommendations/ssnrecommendations.pdf.  See also “Alternatives to Using Social Security Numbers in Large Organizations.” From Privacy Journal, at www.epic.org/privacy/ssn/alternatives_ssn.html.

  ---

  [1] The Financial Services Modernization Act (or Gramm-Leach-Bliley Act), 15 U.S. Code 6801-6810.
  
  [2] The Telephone Consumer Protection Act, 47 CFR 64.1200. The Telemarketing and Consumer Fraud Abuse Prevention Act, 16 CFR 310.
  

REFERENCES

ACTION FOR YOU

Please email Willie Archie to acknowledge that you have read this version of the University of California 2003 Security Refresher Briefing. Include the following statement in the body of your message:


I acknowledge receipt of the University of California 2003 Security Refresher Briefing in compliance with U.S. Department of Energy and U.S. Department of Defense security requirements.

 
It is important to include your name after the above statement.
 
We will be contacting you if your email statement is not received by November 30, 2003.
 
Thank you.


willie.archie@ucop.edu