Educational Institutions: It Is Time To Get Smart About Security Breaches

We are only a little more than one month into 2008, and already this year is shaping up to be rife with data security incidents for educational institutions. There is no doubt that data maintained at universities contains private and sensitive information. Accordingly, universities should develop and follow best practices to protect this information.

A recent report by Campus Technology highlights a number of recent data security breaches at United States campuses. According to the report, which cites The Lariat, the school newspaper for Baylor University, a Baylor student employee accessed personal information relating to more than 500 users of the university's communication network. While neither financial data nor Social Security numbers were compromised, the student did gain access to the email and Blackboard accounts of the users.

Furthermore, police recently arrested a student employee of Central Piedmont Community College in North Carolina and charged the student with embezzlement in connection with alleged identity theft involving Social Security numbers and birth dates from employee records, as reported by Campus Technology, citing Educational Security Incidents (a campus security watchdog) and NBC affiliate WCNC.

In addition, Social Security numbers of about 260 Murray State University College of Education students were posted online in Excel format and remained accessible for over a year; four files containing housing information, including passwords and more than 200 Social Security numbers for approximately 300 students, were posted on the Warner College of Natural Resources website; personal information relating to about 89 Brigham Young University medical students was posted online in Excel format; employment and other information about faculty and administrators of Southwest Texas State University was posted online, also in Excel format; and names, Social Security numbers and additional private data on 42 employees were posted on the Montana State University website as an Excel file, all according to Campus Technology, citing SSNBreach.org.

And the list goes on. Tennessee Tech lost track of a flash drive housing the names and Social Security numbers of almost 1,000 students; personal information, including Social Security numbers, of more than 200 former students of the University of Iowa's College of Engineering was posted online; a hard drive containing the names and Social Security numbers of certain employees was stolen from New Mexico State University; and a hard drive housing the Social Security numbers and other personal information of about 800 affected persons at the University of Akron was lost, according to Campus Technology.

Yes, there is more. A security breach at the University of Georgia may have exposed more than 4,000 Social Security numbers, and a hacking event at California State University, Stanislaus, is suspected of having revealed credit card numbers and names, as reported by Campus Technology.

Plainly, an educational institution cannot guarantee the absolute safety of personal data. On the other hand, the sheer number of recent breaches would seem to indicate that universities could perhaps do more.

In terms of private data posted on university websites, schools could take at least three steps.

First, institutions should educate those persons with access to private data on how to handle the data and how not to. Education from an educational institution in this area would be well advised.

Second, employees and other persons within the control of the school should agree in writing to safeguard private data, and schools should inform them of the negative consequences of any failure to comply.

Third, schools should routinely police their own sites to ensure that no one has improperly posted private data online; and naturally, when there is such a discovery, the institutions should remove the data immediately.

With respect to lost hard drives, flash drives and the like, here again universities should educate their employees and others within their ambit on how to safeguard devices containing private data. Perhaps only certain persons should have permission to take private data offsite on portable devices.

Institutions should also consider restricting the types of locations to which employees may carry stored private data, with rules dictating that a device may not leave the possession of the person using it.

And, of course, schools can employ encryption and routinely changing IDs and passwords for such devices.

As for hack attacks, universities should utilize technology that makes their systems as impenetrable as possible, recognizing that this is not bullet-proof. Here, too, frequently changing IDs and passwords could be beneficial.

Even when best practices are adopted, there is still the possibility of a breach. In such an instance, universities should provide immediate notification to affected persons. Additionally, schools could offer fraud protection services to these persons.

Meanwhile, because there is no one perfect answer that necessarily prevents the possibility of a data breach, educational institutions should seek out insurance coverage for potential breaches, and they also should engage legal counsel skilled in this area to provide proactive advice to help head off trouble before it happens and to deal with trouble as soon as it arises.

Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His website is http://www.sinrodlaw.com and he can be reached at ejsinrod@duanemorris.com. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line.

This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.