What's behind the rash of university data breaches?

Page 2 of 2

"The typical academic network is a maelstrom of collaborative activities that generally precludes the kind of restrictions that a corporate network would impose," said Michael Corn, chief privacy and security officer at the University of Illinois at Urbana-Champaign. "We accept this risk as a precondition for academic endeavors.

"Universities are uniformly more forthcoming when data breaches occur due to a culture of transparency in these matters," Corn added.

Rodney Petersen, government relations officer and security task force coordinator at Washington-based EduCause, also believes there is a reporting bias that overestimates the data risk in academia. "It is not fair to conclude that higher-education environments are any less secure than their government or corporate counterparts," he told me. "Institutions of higher education have been disclosing security breaches long before they were required to do so under individual state laws because institutional officials err on the side of protecting their students, faculty and alumni.

"Corporations may be far more circumspect before deciding to report incidents because of concerns about consumer confidence or impact on shareholder value," he added.

Rachel Krinsky, assistant director of compliance and privacy at the University of Connecticut, agreed with Petersen. "Many universities are large and made up of multiple colleges, campuses and divisions. As a result, some universities have decentralized networks and systems without a centralized oversight function to monitor them in the same way as may be done in other sectors," she added.

"This means that a university may have multiple networks and systems to contend with," Krinsky continued, "and each one is managed differently and separately."

What's the outlook for data privacy in academia?

Several university privacy and security leaders told me off the record that the role of the chief privacy officer needs to be elevated in academia before major progress can be made. Indeed, in a sector regulated by the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transactions Act (FACTA) ID Theft Red Flags Rules, Payment Card Industry Data Security Standard (PCI DSS), and state-level laws on Social Security numbers and breach notification, it's surprising how few CPOs there are in academia. I was able to find just 20 to contact for this article.

More will certainly be found attending the Academic Medical Centers Privacy and Security Conference, International Association of Privacy Professionals Privacy Summit, and EduCause/Internet2 Security Professionals Conference over the next two months.

But until university trustees and boards of regents fund more robust privacy programs and hold university presidents more accountable for their privacy status, don't expect another sector to overtake the lead in the reported-breach column.

Jay Cline is a former chief privacy officer at a Fortune 500 company and is now president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.

Double trouble

Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At a state level, California is home to seven doubly breached universities, while Ohio follows at four schools. At least eight universities have experienced four or more publicized privacy incidents.

| University | Dates of reported incidents |
|---|---|
| Austin Peay State (Tennessee) | December 2008, July 2005 |
| Cal Poly (California) | December 2008, August 2006, July 2005 |
| California State – Dominguez Hills (California) | March 2006, July 2005 |
| California State – Stanislaus | January 2008, May 2006, August 2005 |
| Carnegie Mellon (Pennsylvania) | October 2007, April 2005 |
| City University of New York | November 2007, September 2005 |
| Duke University (North Carolina) | December 2007, May 2005 |
| East Carolina University (North Carolina) | February 2007, June 2005 |
| Florida International University | May 2006, April 2005 |
| Georgetown University (District of Columbia) | January 2008, March 2006 |
| Georgia Tech University | June 2007, February 2007, November 2005, March 2003 |
| Harvard University (Massachusetts) | November 2008, March 2008 |
| Indiana University | November 2005, February 2001 |
| Iowa State University | December 2005, July 2005 |
| Kansas State University | January 2009, November 2007 |
| Kent State University (Ohio) | September 2005, June 2005 |
| Michigan State University | July 2005, April 2005 |
| Middle Tennessee State University | February 2008, May 2005 |
| Montana State University | November 2007, October 2007, December 2006 |
| New Mexico State University | January 2008, April 2007 |
| Northwestern University (Illinois) | June 2007, May 2007, July 2006 |
| Ohio University | December 2008, June 2006, May 2006, May 2006, April 2006 |
| Ohio State University | December 2008, May 2008, April 2007 |
| Oklahoma State University | April 2005, February 2001 |
| Purdue University (Indiana) | February 2009, September 2007, July 2007, April 2007, September 2006, April 2006, May 2005 |
| Stanford University (California) | June 2008, May 2005 |
| Tennessee Tech University | January 2008, September 2007 |
| Texas A&M University | November 2008, February 2008, June 2007 |
| University of Akron (Ohio) | January 2008, October 2007 |
| University of Alabama | February 2009, June 2006 |
| University of California, Los Angeles | December 2006, April 2004 |
| University of California, Berkeley | May 2006, March 2005 |
| University of California, Davis | June 2007, March 2005 |
| University of California, San Francisco | May 2008, April 2007, March 2005 |
| University of Colorado | April 2008, May 2007, December 2006, August 2005 |
| University of Delaware | May 2006, January 2006, November 2005 |
| University of Florida | February 2009, January 2009, November 2008, June 2008, May 2008 |
| University of Georgia | January 2008, September 2005, January 2004 |
| University of Idaho | March 2007, January 2007 |
| University of Iowa | October 2007, June 2007, September 2006, July 2006, May 2005 |
| University of Kansas | September 2007, January 2006, April 2004 |
| University of Kentucky | August 2006, August 2006, June 2006, June 2006 |
| University of Michigan | September 2007, July 2007 |
| University of Nebraska | July 2008, February 2007, March 2006 |
| University of New Mexico | April 2007, January 2007 |
| University of San Diego (California) | December 2005, July 2005, January 2005 |
| University of South Carolina | June 2008, September 2007, August 2006 |
| University of Tennessee | July 2006, October 2005 |
| University of Texas at Austin | November 2004, March 2004, March 2003 |
| University of Toledo (Ohio) | April 2008, August 2007 |
| University of Utah | June 2008, August 2005 |
| University of Virginia | April 2008, June 2007, November 2006, April 2006 |
| Virginia Commonwealth University | December 2006, September 2006 |

Source: Minnesota Privacy Consultants

Copyright © 2009 IDG Communications, Inc.
