It’s 2007. Do You Know Where Your Social Security Number is?
After a data security breach this summer, Yale is beefing up its
protections. But this kind of problem is all too frequent at universities.
September/October 2007
by Nadya Labi '02MSL
Nadya Labi '02MSL, a former Knight Journalism Fellow at Yale, is a
writer based in New York City.
In early August, Dan Feder '04 received a letter from the Office of the
Dean at Yale College that he initially thought was, like so many other missives
from his alma mater, a routine request for money. When he opened it, however,
it read as follows: “I am writing to inform you that a computer containing a file
that included your name and Social Security number was stolen from the Yale
College Dean’s Office on July 17.”
The computer was one of two laptops taken from the office that day, a
theft that compromised the personal data of another 8,900 students and alumni
and 200 faculty and staff members. In the letter, Dean Peter Salovey '86PhD
assured Feder that the stolen machine, which did not contain his financial
account information, had been protected by multiple password levels “which
could be penetrated only by a thief with considerable computer knowledge.”
In the wrong hands, a stolen Social Security number can enable a thief
to take out fraudulent credit cards and run up charges under the victim’s name.
The letter told Feder, however, that the risk of identity theft was slim. “Yale
has very strong reason to believe that the computer was stolen for the purpose
of selling the hardware and that the thief had no interest in using the data
contained in the computer files.” In cases like this, the letter continued, “the purchaser of the stolen equipment usually moves quickly to erase the hard
drive in order to hide its origin before reselling it.” Still, for Feder's
further protection, the letter included the numbers of the three major credit
bureaus in the United States, advising him that he might want to flag his
account with a fraud alert. It also provided a number and e-mail address at
Yale if he had any additional concerns. (As of mid-August, about 70 people had
called the Yale number.)
Feder put the fraud alert on his credit bureau account, as he'd done
once before when his wallet was stolen. He was more exasperated than worried,
however. “Yale has all kinds of ways of identifying and tracking us. They’re so
good at finding us when they need money,” he says. “But it’s hard to believe
they don’t have a more secure system.”
Yale’s lapse is far from isolated. Institutions routinely lose
data—both directly, when their servers are hacked, and indirectly, when
laptops and other devices go missing. Since January 2005, the nonprofit Privacy
Rights Clearinghouse reports, there have been more than 600 security breaches
at institutions such as corporations, government entities, hospitals, and
universities—exposing about 159 million records. The Ponemon Institute, a
research group specializing in privacy issues, estimates that in 2006, the
average cost to an institution of losing a single record was $182. This
includes legal, administrative, and other costs and represents a 30 percent
increase over the previous year.
Colleges and universities account for about a fifth of the security
breaches listed by the Clearinghouse in 2006 and to date in 2007. At the
University of Colorado–Boulder last May, for example, a worm attack
compromised a server that contained the information, including SSNs, of 45,000
current and former students. In February, Johns Hopkins University and Johns
Hopkins Hospital reported the disappearance of backup tapes containing the
personal data of 52,000 past and present employees and 83,000 hospital patients.
Higher education institutions have done a particularly bad job of
warding off hackers, in part, perhaps, because they tend to be less cohesive
than corporations and often comprise an array of departments and entities that
may have competing security protocols. Moreover, universities prize a culture
of openness that is very different from a security mindset. Corporations have
traditionally sought to guard their trade secrets; universities have focused on
disseminating information. An IT group might fix the mechanism by which
intruders gain access, “but they can’t imbue an organization with a culture of
information security,” says Lisa Sotto, head of the privacy practice of the law
firm Hunton & Williams. “Universities are focused on making their systems
open and available to all users.”
How dangerous is a theft like the one that took place at Yale? Experts
disagree. Beth Givens, director of the Privacy Rights Clearinghouse, says
administrators invariably emphasize that hardware, not data, was the thief's
target—which she says is beside the point. “Administrators have no way of
knowing the path that the data or the computer will take,” Givens maintains.
“The thieves could get a twofer out of this one—extract the data and sell
it on the black market and sell the laptop itself on the street.” (Other
privacy experts say that institutions often tend to overestimate the protective
value of passwords for files on laptops.) A single individual’s profile, Givens
says, can fetch anywhere from $5 to $50. She argues that Yale should have
recommended that the exposed individuals ask the credit bureaus to freeze their
accounts, not just flag them.
Fred Cate, a law professor at the Indiana University Center for
Applied Cybersecurity Research, believes some of Givens’s concerns are
overwrought. He points out that identity theft has declined 18 percent in the
past four years, according to Javelin Strategy and Research, an independent
group that studies financial institutions. In addition, Cate thinks there’s an
important distinction to be made between laptop thefts and crimes like hacking,
which explicitly target data. He knows of no documented instances of identity
theft resulting from a reported laptop theft in industry or academia. “People
steal equipment for equipment. Individuals have statistically zero to fear from
this breach.” The majority of identity thefts, he adds, ensue after a personal
theft like Feder’s stolen wallet or targeted thefts by dishonest employees or
outsiders.
The biggest risk from Yale’s security breach, Cate says, is to its own good repute. That’s an important consideration for a university that relies on
the goodwill and donations of alumni. “The danger is reputational and
institutional,” he says. He believes that the individuals whose data have been
lost have a right to be concerned. “Even if they don’t think they’ll be victims
of identity theft, it would be reasonable for a student to say, ‘You possess a
lot of information—can’t you protect it? I don’t want my data leaking on
the street.’”
In Europe, where the Nazis and the Communist regime of the Soviet Union
mined data as a tool of persecution, privacy is viewed as a fundamental human
right. Coming out of a tradition in which data have historically been used for
marketing, Americans traditionally have been less protective of their privacy.
“In Europe, data was used to kill you,” Sotto says. “In the U.S., data is used
to market you to death.”
Unlike many other countries, including all the European Union nations,
the United States does not have an omnibus national law on privacy. Instead, it
has a raft of state and federal laws that govern different industry sectors.
Hospitals protect patient data as directed by the Health Insurance Portability
and Accountability Act (HIPAA); financial institutions protect customer
information according to the Gramm-Leach-Bliley Financial Modernization Act;
and universities protect student records under the Federal Education Right to
Privacy Act (FERPA), which dates to the 1970s. FERPA covers institutional records
like transcripts and medical records; it does not, however, apply to student
information that a professor might have lying around an office or on a laptop.
It also doesn’t include a private right of action, which means that only the
government is able to take steps when a university is lax about complying.
The recurrence of data breaches nationwide has led to more than 35
state laws requiring notification of individuals whose personal information
(such as Social Security numbers, other forms of identification, and financial
account information) has been compromised. The letter Yale sent to Dan Feder
appears to fulfill its legal obligation under Connecticut law.
The theft makes clear that Yale could be doing more to secure the
sensitive data it collects on students and employees. William Sledge, medical
director of Yale–New Haven Psychiatric Hospital and a former master of
Calhoun College, learned of the burglary at a business event with Dean Salovey.
(Salovey was “dismayed,” Sledge says.) But it was only on receiving his own
letter from the dean’s office that Sledge realized his personal information had
been stolen along with the computers.
Like Feder, Sledge was familiar with the credit bureau procedure: he is
a military veteran whose Social Security number was compromised in the
high-profile theft of a laptop belonging to the U.S. Department of Veterans
Affairs in 2005. (That laptop held files containing the identities of 26.5
million veterans.) Just what, Sledge wondered, was his information doing on a
computer at the dean’s office?
It’s a good question, particularly because in 2005, as a security
measure, Yale stopped using Social Security numbers for student and staff
identification purposes. And the alumni address database, used for mailings and
research by departments throughout the university, does not include any Social
Security or financial account numbers.
It turns out that the files stolen from the dean’s office were
“residual,” according to Tom Conroy, deputy director of public affairs at Yale.
“The files had been overlooked,” he elaborates. “They were not in any use and
would have been deleted if it had been known they were on the computers.”
Yale’s oversight is commonplace. A surprising number of security breaches
involve old data like the files on the stolen laptops.
Conroy would not discuss what additional security measures, if any, are
being instituted to guard the dean’s office or the offices of other high-level
officials. But the theft has spurred Yale to clean up its hard drives. In an e-mail
to the alumni magazine, President Richard Levin offered alumni “our sincere
apology for this incident,” and said that, in response to the theft, “We have
expanded and accelerated our ongoing program to secure all sensitive data and
to eliminate all copies of such data that cannot be adequately protected.”
Conroy adds that some sensitive computers have been scanned to determine
whether their data should be protected through encryption or deleted. (Prior to
the theft, access to financial systems and student information systems on
campus was encrypted, as well as any information about benefits or health or
banking transactions when they were transmitted off campus.)
Conroy didn’t offer specifics about which departments have been
targeted for improvement. Of course, a complete scrub of all old data would
probably be impossible. For instance, the use of Social Security numbers for
identification purposes at Yale was once so widespread that, until 1999, alumni
who volunteered to interview applicants to Yale College received the
applicants' Social Security numbers on the interview forms. And as recently as
2004, faculty and staff who served as freshman advisers were routinely given
the Social Security numbers of their advisees.
There are additional precautions Yale could take to make its data
safer. The university has a chief information security officer, and it has
individuals in charge of enforcing the privacy requirements of FERPA and HIPAA.
But Fred Cate suggests that Yale should also have a privacy officer—“whose
job it is to wake up every day thinking about how to protect data.” Every
Fortune 500 company has a privacy officer, he says, but less than 2 percent of
universities do. In 2002, the University of Pennsylvania became one of the
first institutions of higher education to hire such an officer.
A privacy officer might recommend a comprehensive privacy assessment to
track how data flow through Yale—from collection to storage and
transmission, and ultimately to disposal. That kind of analysis, experts say,
can help an institution identify vulnerabilities and determine which data or
laptops to encrypt. Encryption offers a much higher level of protection than a
password, but often it is expensive and has some technological drawbacks. An
assessment can also help to identify which employees or departments need
additional training about how to protect privacy.
The good news is that Yale has had no indications that anyone is trying
to exploit the data on the laptops. And, Conroy says, the Yale police have a
significant lead. They have made an arrest for burglaries that they believe are
connected with the laptop thefts. The case remains under investigation.
Feder, for his part, is willing to give Yale the benefit of the doubt,
as long as this breach is an isolated mistake. He’ll continue giving online the
small amount he’s been sending to Yale since he graduated, trusting that his
financial account information won’t end up tomorrow on a forgotten file.