Lock Up Your Data

Between 2000 and 2006, educational institutions in the United States lost an estimated 8,121,000 electronic personal records, according to incidents reported in the media alone.

This figure comes from a research paper I co-wrote with Dr. Philip Howard at the University of Washington, “News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Digital Records.” We scoured press reports of data breaches of personal records across sectors.

These records included data such as credit card information, Social Security numbers, grades, and even medical and criminal histories. While data lost by higher educational institutions represent a minority of the 1.9 billion records reported lost between 1980 and 2006 (no breaches in education were reported before 2000), higher ed experienced a higher rate of incidents — and thus greater insecurity — than other sectors.

We found that universities and colleges in the United States experienced 166 incidents of data loss between 2000 and 2006. That was as many as all government agencies, medical institutions and military services combined, and only slightly less than the total number of breaches involving private companies.

Higher ed institutions present a unique challenge for data security professionals. They handle a larger volume of information than many firms and medical institutions, and they must communicate effectively between departments and offices that are often in separate locations. Universities must also juggle the competing requirements of providing security for students and staff while also maintaining an open and collegiate learning environment, something that increasingly requires open and ubiquitous computer access on campus.

What lessons can we take from past data breaches, and how can we make higher ed institutions more secure?

Higher ed institutions excel at collecting large, easily manipulable sets of public records. This is the kind of activity that we would expect research institutions to engage in, after all. Most universities in the United States have internal human subjects review boards mandated by the federal government to control the interaction between researchers and members of the public. While the rules for collecting, storing and destroying paper records are clear in most cases, the rules surrounding electronic databases are often less clearly defined. The risk of improperly securing data was highlighted in 2004, when an intruder on one university’s computer systems gained access to a file containing research information on 1.4 million low-income residents.

University personnel need to be careful in their use of the Web to communicate with students and the public. For example, faculty Web sites sometimes provide access to professors’ own data in unpublished form — something that can facilitate information sharing but can also benefit identity thieves. Software should be rigorously tested to ensure that it does not reveal unnecessary information about students online. In one particularly blatant example, an institution reported in 2005 that it had inadvertently exposed student grades, Social Security numbers and addresses on its Web site over a period of three years.

Finally, physical security continues to be important when it comes to protecting electronic information. In nine of the cases that we examined, data were lost as a result of the theft of computer equipment, particularly notebooks. Even USB thumb drives can contain sensitive information. Administrative offices should consider the physical security of their computer systems, as well as the possibility of encrypting sensitive data to make it difficult for a low-tech thief to access it.