Tuesday, March 10, 2009

What's behind the rash of university data breaches?

Jay Cline

 

March 9, 2009 (Computerworld) Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches (see table at end of article).

 

The regular stream of university data-breach reports has prompted Adam Dodge, assistant director for information security at Eastern Illinois University, to devote a blog, Educational Security Incidents, to the topic.

 

When I last covered the issue four years ago (see "Security breaches challenge academia's 'open society'"), universities were the leading sector for publicized breaches. The same is true today.

 

What's going on? Why haven't things changed?

 

John Correlli of Los Angeles-based JMC Privacy Consulting Group has some answers. Correlli recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops.

 

"Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn't a priority until it's a problem," Correlli told me.

 

Correlli also points to unique threats and vulnerabilities in academia:

 

    * The open nature of the university physical and technical environment.

    * Department fiefdoms inhibiting central policy enforcement.

    * A customer user population that is relatively low paid, lives "on site" and experiences high turnover.

 

There is some debate over whether students perpetrating intentional breaches or staff making unintentional data disclosures are the principal source of data risk within universities. I think both are worth monitoring, but would pay special attention to students. Why? Twice a year, college students are under extreme duress to produce results that their futures depend on. The statistics appear to bear this out.

 

Looking at the months of the reported breaches, peak activity occurs during the traditional finals weeks of fall and spring semesters. In contrast, the fewest breaches are reported during months when students aren't around (see graph).

Elevated data risk during finals week?

A monthly breakdown of university data breaches reported since 2001 shows January and May as the peak months. Allowing for a few weeks to detect and report these incidents, the actual peak in incident activity may be occurring during the final weeks of the fall and spring semesters. Number of reported breaches at universities, by month:

September    19
October      29
November     24
December     29
January      42
February     25
March        36
April        39
May          43
June         36
July         24
August       23

Source: Minnesota Privacy Consultants

 

Susan Blair, chief privacy officer at the University of Florida, generally agrees with Correlli. In a presentation she shared with me, Blair lists these as the top reasons for university breaches:

 

    * Data-rich information systems creating a natural target.

    * Outdated and nonenforced data-security safeguards.

    * Sophisticated intruders, with potential criminal intent.

    * Careless or inattentive data systems management.

    * Negligent hiring practices or employee misuse of data.

    * Demonstrated opportunities for repeat access.

    * Business partners or research sponsors who fail to protect information.

 

"The typical academic network is a maelstrom of collaborative activities that generally precludes the kind of restrictions that a corporate network would impose," said Michael Corn, chief privacy and security officer at the University of Illinois at Urbana-Champaign. "We accept this risk as a precondition for academic endeavors.

 

"Universities are uniformly more forthcoming when data breaches occur due to a culture of transparency in these matters," Corn added.

 

Rodney Petersen, government relations officer and security task force coordinator at Washington-based EduCause, also believes there is a reporting bias that overestimates the data risk in academia. "It is not fair to conclude that higher-education environments are any less secure than their government or corporate counterparts," he told me. "Institutions of higher education have been disclosing security breaches long before they were required to do so under individual state laws because institutional officials err on the side of protecting their students, faculty and alumni.

 

"Corporations may be far more circumspect before deciding to report incidents because of concerns about consumer confidence or impact on shareholder value," he added.

 

Rachel Krinsky, assistant director of compliance and privacy at the University of Connecticut, agreed with Petersen. "Many universities are large and made up of multiple colleges, campuses and divisions. As a result, some universities have decentralized networks and systems without a centralized oversight function to monitor them in the same way as may be done in other sectors," she added.

 

"This means that a university may have multiple networks and systems to contend with," Krinsky continued, "and each one is managed differently and separately."

 

What's the outlook for data privacy in academia?

 

Several university privacy and security leaders told me off the record that the role of the chief privacy officer needs to be elevated in academia before major progress can be made. Indeed, in a sector regulated by the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transactions Act (FACTA) ID Theft Red Flags Rules, Payment Card Industry Data Security Standard (PCI DSS), and state-level laws on Social Security numbers and breach notification, it's surprising how few CPOs there are in academia. I was able to find just 20 to contact for this article.


More will certainly be found attending the Academic Medical Centers Privacy and Security Conference, International Association of Privacy Professionals Privacy Summit, and EduCause/Internet2 Security Professionals Conference over the next two months.

 

But until university trustees and boards of regents fund more robust privacy programs and hold university presidents more accountable for their privacy status, don't expect another sector to overtake the lead in the reported-breach column.

 

Jay Cline is a former chief privacy officer at a Fortune 500 company and is now president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.

Double trouble

Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At a state level, California is home to seven doubly breached universities, while Ohio follows at four schools. At least eight universities have experienced four or more publicized privacy incidents.

University                                        Dates of reported incidents
Austin Peay State (Tennessee)                     December 2008, July 2005
Cal Poly (California)                             December 2008, August 2006, July 2005
California State – Dominguez Hills (California)   March 2006, July 2005
California State – Stanislaus                     January 2008, May 2006, August 2005
Carnegie Mellon (Pennsylvania)                    October 2007, April 2005
City University of New York                       November 2007, September 2005
Duke University (North Carolina)                  December 2007, May 2005
East Carolina University (North Carolina)         February 2007, June 2005
Florida International University                  May 2006, April 2005
Georgetown University (District of Columbia)      January 2008, March 2006
Georgia Tech University                           June 2007, February 2007, November 2005, March 2003
Harvard University (Massachusetts)                November 2008, March 2008
Indiana University                                November 2005, February 2001
Iowa State University                             December 2005, July 2005
Kansas State University                           January 2009, November 2007
Kent State University (Ohio)                      September 2005, June 2005
Michigan State University                         July 2005, April 2005
Middle Tennessee State University                 February 2008, May 2005
Montana State University                          November 2007, October 2007, December 2006
New Mexico State University                       January 2008, April 2007
Northwestern University (Illinois)                June 2007, May 2007, July 2006
Ohio University                                   December 2008, June 2006, May 2006, May 2006, April 2006
Ohio State University                             December 2008, May 2008, April 2007
Oklahoma State University                         April 2005, February 2001
Purdue University (Indiana)                       February 2009, September 2007, July 2007, April 2007, September 2006, April 2006, May 2005
Stanford University (California)                  June 2008, May 2005
Tennessee Tech University                         January 2008, September 2007
Texas A&M University                              November 2008, February 2008, June 2007
University of Akron (Ohio)                        January 2008, October 2007
University of Alabama                             February 2009, June 2006
University of California, Los Angeles             December 2006, April 2004
University of California, Berkeley                May 2006, March 2005
University of California, Davis                   June 2007, March 2005
University of California, San Francisco           May 2008, April 2007, March 2005
University of Colorado                            April 2008, May 2007, December 2006, August 2005
University of Delaware                            May 2006, January 2006, November 2005
University of Florida                             February 2009, January 2009, November 2008, June 2008, May 2008
University of Georgia                             January 2008, September 2005, January 2004
University of Idaho                               March 2007, January 2007
University of Iowa                                October 2007, June 2007, September 2006, July 2006, May 2005
University of Kansas                              September 2007, January 2006, April 2004
University of Kentucky                            August 2006, August 2006, June 2006, June 2006
University of Michigan                            September 2007, July 2007
University of Nebraska                            July 2008, February 2007, March 2006
University of New Mexico                          April 2007, January 2007
University of San Diego (California)              December 2005, July 2005, January 2005
University of South Carolina                      June 2008, September 2007, August 2006
University of Tennessee                           July 2006, October 2005
University of Texas at Austin                     November 2004, March 2004, March 2003
University of Toledo (Ohio)                       April 2008, August 2007
University of Utah                                June 2008, August 2005
University of Virginia                            April 2008, June 2007, November 2006, April 2006
Virginia Commonwealth University                  December 2006, September 2006

Source: Minnesota Privacy Consultants
