On January 7 the University discovered that the names and Social Security numbers of 450 current and former students were accessed and copied illegally from a nonacademic student database and copied to an off-campus IP address. Provost Ralph Kuncl says the University quickly notified the individuals whose personal information was involved and alerted the FBI, the New York State Attorney General, the Consumer Protection Board, and the Office of Cyber Security. The University also will pay for credit protection monitoring and insurance for one year for those affected by the hacking incident. Exactly when and how personal information was copied from the database, which has been secured, is under investigation.
“We are dedicated to the integrity of our information systems and to reducing the potential for risks of identity theft for our current and former students as well as our faculty and staff,” says Kuncl. “Our network security staff has taken immediate, concrete steps to minimize the chances of this happening again.”
Rochester is not unique in such reports. Ohio State University last month exposed 18,000 students enrolled in the school’s health insurance program to potential risk when the students’ Social Security numbers, names, addresses, and enrollment dates were accidentally made available online. In September, professional hackers accessed confidential data, including Social Security numbers, of 11,000 students, faculty, and staff at the University of Indianapolis. In recent years, similar attacks have occurred at the universities of Southern California, Texas, Missouri, Michigan, and Nebraska.
Kuncl, who cochairs the Data Security Taskforce with Senior Vice President and University General Counsel Sue Stewart, says such reports illustrate the growing challenges universities nationwide face to protect the personal information of faculty, staff, and students and to reduce the risk of identity theft. Working this past year with University IT, Office of Counsel, and other members of the Data Security Taskforce, Kuncl has overseen the development of a new University policy that places restrictions on the use and distribution of Social Security numbers.
Previously, the University had several policies that prohibited the use or exposure of confidential information. The new policy deals specifically and in detail with Social Security numbers and provisions of a New York State law that took effect last year outlining new rules for employers and businesses possessing Social Security numbers. While the law provided impetus, Kuncl says it was not the only driver of change.
“The new University policy is a response to a larger societal issue around protecting a basic right, the right to privacy, and a recognition of the threat identity fraud poses to that basic right.”
Unlike businesses that often can tightly control access to information, Kuncl says universities face a unique set of challenges.
“We are a place in which information freely flows. That’s the nature of an academic environment,” says Kuncl. “That freedom of flowing information creates vulnerabilities. One type of personal information that is particularly vulnerable is the Social Security number.”
Efforts at Rochester to protect the Social Security numbers of students go back nearly a decade. In 2001 the University introduced new student ID cards as part of a policy to remove all Social Security numbers from public displays and from many of the University's electronic systems.
“Cyber security issues are on the rise world wide, and higher education and health care organizations are regular targets for hackers,” says David Lewis, vice provost and CIO. “The need to continue to invest in information security best practices is a constant in today's digital world. The University takes information security very seriously and it is one of the top IT strategic planning priorities.”
Kuncl says that while the University, like its peer institutions, is constantly on the lookout for ways to improve data security, Rochester does face a high hurdle due to its decentralized nature.
“We are more decentralized than the average university and far more decentralized than the average business corporation. Certainly, we can take assurance from the fact that a very large portion of our major systems are centrally housed and managed in security hardened facilities, but there are far too many other instances where data is decentrally housed, instances that we may not even know about, let alone have had a chance to secure. The challenge is not unique to us but it may be more severe for us,” notes Kuncl.
Stewart agrees. She says the University has firewalls and other security measures in place to protect data stored in its centralized databases, such as those housing patient, student, and employee records.
“The real security unknown and threat comes when data is collected or downloaded from central databases for use by schools, departments, or even by individual supervisors or researchers,” Stewart says. “So the personal information in individual offices or noncentral core databases is very important to those of us who worry about privacy compliance to minimize our vulnerability, not just our personal vulnerability but our vulnerability as a community.
“That’s the underlying reason for the new policy. We know about the security of our central databases, but where else is information being collected and stored? In a filing cabinet in someone’s office where Social Security numbers were collected as part of a research database? Maybe in a student management database used by a department that contains many years of private student information dating back to a time before the use of Social Security numbers as student identifiers was eliminated? We need to identify where such information may exist and make sure the people holding that information either protect it properly or destroy it or delete the sensitive information if keeping private information in this database is not truly necessary. The point of registration is to let the IT security officers know where the sensitive data is being kept so that they can take steps to protect or see it safely discarded.”
Registration is a key part of the ongoing effort. Any person at the University who possesses or is responsible for providing access to Social Security numbers will be required to register with a University privacy officer by June 30 and agree in writing to follow the guidelines of the new policy.
“Our privacy officers will analyze the situation to determine if the information is being kept securely. That may mean hardcopies are kept in a locked cabinet or office, and electronic records are encrypted or stored on a secure database. The privacy officers also can suggest alternatives to collecting Social Security numbers in the first place.
“Individuals within the University who have SSN information in a database, however, do not have to wait for registration or the advice of a privacy officer. Everyone can and should take steps right now to figure out if any of the information on their computers or in their files contains Social Security numbers. If it does, they should make sure that the data is either adequately secured or if it is not truly needed, deleted or destroyed in a safe manner.”
Stewart says that she believes there is not a functional unit at the University that will not be affected by this new policy. While the concept of securing personally sensitive data that can be used for identity theft is actually quite simple, she says, addressing it will require a sustained effort to raise awareness and to educate the community.
“When I meet with my peers around the country, I can tell you that this is a big concern for them, too. It’s a big issue for everybody. Having your personal identity stolen is an awful experience,” says Stewart. “From the University’s point of view, on top of all our concern for individuals, it is our responsibility to comply with the regulations established by New York State and to create a safe and secure environment.”