What's behind the rash of university data breaches?

Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches.

The regular stream of university data-breach reports has prompted Adam Dodge, assistant director for information security at Eastern Illinois University, to devote a blog - Educational Security Incidents - to the topic.

When I last covered the issue four years ago (see "Security breaches challenge academia's 'open society'"), universities were the leading sector for publicized breaches. The same is true today.

What's going on? Why haven't things changed?

John Correlli of Los Angeles-based JMC Privacy Consulting Group has some answers. Correlli recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops.

"Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn't a priority until it's a problem," Correlli told me.

Correlli also points to unique threats and vulnerabilities in academia:

  • The open nature of the university physical and technical environment.
  • Department fiefdoms inhibiting central policy enforcement.
  • A customer user population that is relatively low paid, lives "on site" and experiences high turnover.

There is some debate over whether students perpetrating intentional breaches or staff making unintentional data disclosures are the principal source of data risk within universities. I think both are worth monitoring, but would pay special attention to students. Why? Twice a year, college students are under extreme duress to produce results that their futures depend on. The statistics appear to bear this out.

Looking at the months of the reported breaches, peak activity occurs during the traditional finals weeks of fall and spring semesters. In contrast, the fewest breaches are reported during months when students aren't around (see graph).

Susan Blair, chief privacy officer at the University of Florida, generally agrees with Correlli. In a presentation she shared with me, Blair lists these as the top reasons for university breaches:

  • Data-rich information systems creating a natural target.
  • Outdated and nonenforced data-security safeguards.
  • Sophisticated intruders, with potential criminal intent.
  • Careless or inattentive data systems management.
  • Negligent hiring practices or employee misuse of data.
  • Demonstrated opportunities for repeat access.
  • Business partners or research sponsors who fail to protect information.

"The typical academic network is a maelstrom of collaborative activities that generally precludes the kind of restrictions that a corporate network would impose," said Michael Corn, chief privacy and security officer at the University of Illinois at Urbana-Champaign. "We accept this risk as a precondition for academic endeavors.

"Universities are uniformly more forthcoming when data breaches occur due to a culture of transparency in these matters," Corn added.

Rodney Petersen, government relations officer and security task force coordinator at Washington-based EduCause, also believes there is a reporting bias that overestimates the data risk in academia. "It is not fair to conclude that higher-education environments are any less secure than their government or corporate counterparts," he told me. "Institutions of higher education have been disclosing security breaches long before they were required to do so under individual state laws because institutional officials err on the side of protecting their students, faculty and alumni.

"Corporations may be far more circumspect before deciding to report incidents because of concerns about consumer confidence or impact on shareholder value," he added.

Rachel Krinsky, assistant director of compliance and privacy at the University of Connecticut, agreed with Petersen. "Many universities are large and made up of multiple colleges, campuses and divisions. As a result, some universities have decentralized networks and systems without a centralized oversight function to monitor them in the same way as may be done in other sectors," she added.

"This means that a university may have multiple networks and systems to contend with," Krinsky continued, "and each one is managed differently and separately."

What's the outlook for data privacy in academia?

Several university privacy and security leaders told me off the record that the role of the chief privacy officer needs to be elevated in academia before major progress can be made. Indeed, in a sector regulated by the Health Information Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transactions Act (FACTA) ID Theft Red Flags Rules, Payment Card Industry Data Security Standard (PCI DSS), and state-level laws on Social Security numbers and breach notification, it's surprising how few CPOs there are in academia. I was able to find just 20 to contact for this article.

More will certainly be found attending the Academic Medical Centers Privacy and Security Conference, International Association of Privacy Professionals Privacy Summit, and EduCause/Internet2 Security Professionals Conference over the next two months. 

But until university trustees and boards of regents fund more robust privacy programs and hold university presidents more accountable for their privacy status, don't expect another sector to overtake the lead in the reported-breach column.

Jay Cline is a former chief privacy officer at a Fortune 500 company and is now president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.


Copyright © 2009 IDG Communications, Inc.
