Perspective: Going back to school on security

Little more than one month into 2008, and already this is shaping up to be a year rife with data security incidents at sundry educational institutions.

Data maintained at universities contains private and sensitive information. But a recent report by Campus Technology magazine suggests that best practices are not being followed to protect this information. Consider the following:

• A student employee accessed personal information relating to more than 500 users of Baylor University's communication network.

• A student employee from Central Piedmont Community College in North Carolina was arrested and charged with alleged identity theft relating to Social Security numbers and birthdates from records of employees.

• Social Security numbers of some 260 students at Murray State University's College of Education, in Kentucky, got posted online and remained accessible for well more than a year.

• Passwords and more than 200 Social Security numbers for approximately 300 students at the Warner College of Natural Resources, a branch of Colorado State University, wound up being posted online.

• Personal information relating to about 89 Brigham Young University medical students was posted online.

• Employment and other information about faculty and administrators of Southwest Texas State University was posted online.

• Names, Social Security numbers, and additional private data on 42 employees were posted on the Montana State University Web site.

• Tennessee Tech lost track of a flash drive housing the names and Social Security numbers of almost 1,000 students.

• A hard drive containing employee names and Social Security numbers was stolen from New Mexico State University.

• The University of Akron lost a hard drive with the Social Security numbers and other personal information of about 800 people.

• A security breach at the University of Georgia may have exposed more than 4,000 Social Security numbers.

• A hacking incident at California State University, Stanislaus, is suspected of having revealed credit card numbers and names.

Plainly, an educational institution cannot guarantee that private data will not be compromised. On the other hand, the sheer number of recent breaches would seem to indicate that perhaps more could be done. In terms of private data posted on university Web sites, at least three steps could be taken.

First, those persons with access to private data should be educated as to how to and how not to handle the data. Instruction from an academic institution with expertise in the subject would be well advised.

Second, employees and other persons within the control of the school should agree in writing to safeguard private data and they should be advised of the consequences for failing to comply.

Third, schools routinely should police their own sites to ensure that private data has not been posted online improperly; and naturally, when there is such a discovery, the data must be removed immediately.

With respect to lost hard drives, flash drives, and the like, here again universities should educate their employees and others within their ambit on how to safeguard devices containing private data.

Perhaps only certain persons should be allowed to take offsite private data contained in portable devices. Consideration also could be given to identifying the types of offsite locations that are suitable and unsuitable for devices containing private data, and rules could be established to require authorized persons to keep the devices in their possession when offsite.

And, of course, methods can be employed for encryption and for routinely changing IDs and passwords for such devices.

As far as hack attacks, universities should utilize technology that makes their systems as impenetrable as possible--recognizing that these technologies are not bulletproof. Here, too, frequently changing IDs and passwords could be beneficial.

But even the adoption of best practices won't eliminate the possibility of a breach, so when security is compromised, the schools should immediately notify anyone who might be affected. They might also extend fraud protection services.

There is no one perfect answer to security threats, so educational institutions should seek out insurance coverage for potential breaches. They also should engage legal counsel skilled in this area to provide proactive advice to help head off potential problems, and then deal with trouble as soon as it arises.

Biography
Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

More Perspectives

[tgrenier]

don't collect it

I've worked a bit higher education IT and although everyone whines that they need it, there is no reason what so ever to store social sec #'s or credit card info.

[sanenazok]

High Education

Having worked in several higher education institutions I can tell you that weak security is but one of many, many, problems. To put it simply, even bad businesses don't make idiotic decisions at the rate most universities do. Bad data retention policies are but one, small example.

[wbenton]

Need to teach Educators how to read!

With all the coverage given security thefts left and right all over the US and publicized by most major news agencies, only one conclusion can be drawn from this:

Educators DON'T know how to read!

That said, somebody should teach the educators how to read... or better yet... replace them with educators whom can read!!!

Stupidity... total and sheer stupidity.

Walt