THE EDUCATIONAL COMMUNITY MUST CLAMP DOWN ON PERSONAL DATA BREACHES OR PREPARE TO BECOME A HAVEN FOR ID THIEVES
There have been 44 personal data breaches since the first of the year, and more than half of them, 23, have occurred in the educational community. Most are on college campuses, and include such prestigious schools as University of Minnesota, Georgetown, Penn State, Baylor, U. of Wisconsin, Iowa, and Georgia, and New Mexico State. On a long term basis, higher education has accounted for just over 25 percent of all breaches, but 2008 is starting with a bang. There is a 184 page report on “Educational Security Incidents-2007” you can see here, and I am going to highlight some of its major points in this post. 2007 breaches in education rose 67.5 percent to 139, affecting 112 institutions that number a 72.3 percent jump over 2006, according to Inside Higher ED. Security incidents involving social networking sites like Facebook are increasing on 13.2 percent of campuses. More computer hardware is being stolen, and it was revealed that, overall, in 47 percent of the incidents, employees were “in some way” responsible. The larger the university, the more likely they are to be targeted. This makes sense since the bigger schools will yield the most data, which includes name/address, birthday, and Social Security number. Inside Higher ED reports that the education community lost, had stolen or somehow disclosed 1,085,708 Social Security numbers in 2007 in 103 separate incidents. It is no secret that data security at these institutions is some of the worst in the country, and apparently is not improving. There is a good article on News.com titled, “Going back to school on security,” which speaks for itself. It also documents recent data breaches by school, with specifics relating to each. The author recommends three steps for improvement: 1) educate the ones handling the data about the importance of security; 2) the school should have a written contract with data handlers; 3) police the site regularly to insure there is no personal data revealed. Maybe this is obvious to many, but I have not heard the question raised yet. It is: don’t these larger schools teach courses in data security in their computer science departments? If not, they should, even the smaller colleges. If they do, has anyone thought to form a task force putting the professor of this curriculum in charge of determining what the school’s problem is, and recommending steps to fix it? Or is this just too simple a solution?