Duke IT Security Logo just a line

Avoiding Identity Theft

The NC Identity Theft Protection Act of 2005 requires that individuals are notified if their identifying information is exposed by unauthorized access. This applies to records in paper or electronic format. "Personal information" is a person's first name (or first initial) and last name in combination with one or more of the following:
  1. Social security or employer taxpayer identification numbers.
  2. Drivers license, State identification card, or passport numbers.
  3. Checking account numbers.
  4. Savings account numbers.
  5. Credit card numbers.
  6. Debit card numbers.
  7. Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
  8. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.
  9. Digital signatures.
  10. Any other numbers or information that can be used to access a person's financial resources.
  11. Biometric data.
  12. Fingerprints.
  13. Passwords.
  14. Parent's legal surname prior to marriage.


If you discover that a system for which you are responsible may have been compromised, the Duke IT Security Office recommends the following steps:
  1. Step away from the keyboard and unplug the network cable from the server.
  2. Verify (without accessing the file system?) whether the server stores personal information as defined above - check the server documentation and ask the data owner(s).
  3. If your server does or may contain personal information, inform ITSO via email (security@duke.edu) or phone that you have a compromised server.
  4. Get as much as possible information from parties that may have been tangentially involved with the security breach - network provider logs, system logs, firewall logs, intrusion detection system logs, etc.
  5. If your server does not store personal information, you do not need to contact the IT Security Office unless you would like assistance determining the sequence of events. If the compromised server is running a Linux or Apple operating system, you can refer to our incident response steps if you'd like additional information (http://www.security.duke.edu/incident_response.html).


The IT Security Office will assist you in determining whether to notify law enforcement of the security breach.