- Related Stories
A call for rational discourse on identity theftDecember 6, 2007
Uncle Sam's newest security challenge to businessesNovember 5, 2007
How we went wrong on identityNovember 1, 2007
Why we still invite data breachesOctober 29, 2007
- Related Blogs
TJX agrees to settlement in class action suits
September 25, 2007
Hardware-based encryption will win in the laptop market
October 23, 2007
Data breaches: Very little good news in 2007
January 11, 2008
Industry giants lobby to kill pro-consumer data-breach legislation
February 5, 2008
Data maintained at universities contains private and sensitive information. But a recent report by Campus Technology magazine suggests that best practices are not being followed to protect this information. Consider the following:
A student employee accessed personal information relating to more than 500 users of Baylor University's communication network.
A student employee from Central Piedmont Community College in North Carolina was arrested and charged with alleged identity theft relating to Social Security numbers and birthdates from records of employees.
Social Security numbers of some 260 students at Murray State University's College of Education, in Kentucky, got posted online and remained accessible for well more than a year.
Passwords and more than 200 Social Security numbers for approximately 300 students at the Warner College of Natural Resources, a branch of Colorado State University, wound up being posted online.
Personal information relating to about 89 Brigham Young University medical students was posted online.
Employment and other information about faculty and administrators of Southwest Texas State University was posted online.
Names, Social Security numbers, and additional private data on 42 employees were posted on the Montana State University Web site.
Tennessee Tech lost track of a flash drive housing the names and Social Security numbers of almost 1,000 students.
A hard drive containing employee names and Social Security numbers was stolen from New Mexico State University.
The University of Akron lost a hard drive with the Social Security numbers and other personal information of about 800 people.
A security breach at the University of Georgia may have exposed more than 4,000 Social Security numbers.
A hacking incident at California State University, Stanislaus, is suspected of having revealed credit card numbers and names.
Plainly, an educational institution cannot guarantee that private data will not be compromised. On the other hand, the sheer number of recent breaches would seem to indicate that perhaps more could be done. In terms of private data posted on university Web sites, at least three steps could be taken.
First, those persons with access to private data should be educated as to how to and how not to handle the data. Instruction from an academic institution with expertise in the subject would be well advised.
Second, employees and other persons within the control of the school should agree in writing to safeguard private data and they should be advised of the consequences for failing to comply.
Third, schools routinely should police their own sites to ensure that private data has not been posted online improperly; and naturally, when there is such a discovery, the data must be removed immediately.
With respect to lost hard drives, flash drives, and the like, here again universities should educate their employees and others within their ambit on how to safeguard devices containing private data.
Perhaps only certain persons should be allowed to take offsite private data contained in portable devices. Consideration also could be given to identifying the types of offsite locations that are suitable and unsuitable for devices containing private data, and rules could be established to require authorized persons to keep the devices in their possession when offsite.
And, of course, methods can be employed for encryption and for routinely changing IDs and passwords for such devices.
As far as hack attacks, universities should utilize technology that makes their systems as impenetrable as possible--recognizing that these technologies are not bulletproof. Here, too, frequently changing IDs and passwords could be beneficial.
But even the adoption of best practices won't eliminate the possibility of a breach, so when security is compromised, the schools should immediately notify anyone who might be affected. They might also extend fraud protection services.
There is no one perfect answer to security threats, so educational institutions should seek out insurance coverage for potential breaches. They also should engage legal counsel skilled in this area to provide proactive advice to help head off potential problems, and then deal with trouble as soon as it arises.
is a partner in the San Francisco office of . His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to firstname.lastname@example.org with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
3 commentsJoin the conversation! Add your comment