yalealumnimagazine.com  
  feature  
spacer spacer spacer
 
rule
yalealumnimagazine.com   about the Yale Alumni Magazine   classified & display advertising   back issues 1992-present   our blogs   The Yale Classifieds   yam@yale.edu   support us

spacer
 

The Yale Alumni Magazine is owned and operated by Yale Alumni Publications, Inc., a nonprofit corporation independent of Yale University.

The content of the magazine and its website is the responsibility of the editors and does not necessarily reflect the views of Yale or its officers.

 

Comment on this article

It’s 2007. Do You Know Where Your Social Security Number is?
After a data security breach this summer, Yale is beefing up its protections. But this kind of problem is all too frequent at universities.

In early August, Dan Feder '04 received a letter from the Office of the Dean at Yale College that he initially thought was, like so many other missives from his alma mater, a routine request for money. When he opened it, however, it read as follows: “I am writing to inform you that a computer containing a file that included your name and Social Security number was stolen from the Yale College Dean’s Office on July 17.”

The computer was one of two laptops taken from the office that day, a theft that compromised the personal data of another 8,900 students and alumni and 200 faculty and staff members. In the letter, Dean Peter Salovey '86PhD assured Feder that the stolen machine, which did not contain his financial account information, had been protected by multiple password levels “which could be penetrated only by a thief with considerable computer knowledge.”

 
“They’re so good at finding us when they need money.”

In the wrong hands, a stolen Social Security number can enable a thief to take out fraudulent credit cards and run up charges under the victim’s name. The letter told Feder, however, that the risk of identity theft was slim. “Yale has very strong reason to believe that the computer was stolen for the purpose of selling the hardware and that the thief had no interest in using the data contained in the computer files.” In cases like this, the letter continued, “the purchaser of the stolen equipment usually moves quickly to erase the hard drive in order to hide its origin before reselling it.” Still, for Feder's further protection, the letter included the numbers of the three major credit bureaus in the United States, advising him that he might want to flag his account with a fraud alert. It also provided a number and e-mail address at Yale if he had any additional concerns. (As of mid-August, about 70 people had called the Yale number.)

Feder put the fraud alert on his credit bureau account, as he'd done once before when his wallet was stolen. He was more exasperated than worried, however. “Yale has all kinds of ways of identifying and tracking us. They’re so good at finding us when they need money,” he says. “But it’s hard to believe they don’t have a more secure system.”

Yale’s lapse is far from isolated. Institutions routinely lose data—both directly, when their servers are hacked, and indirectly, when laptops and other devices go missing. Since January 2005, the nonprofit Privacy Rights Clearinghouse reports, there have been more than 600 security breaches at institutions such as corporations, government entities, hospitals, and universities—exposing about 159 million records. The Ponemon Institute, a research group specializing in privacy issues, estimates that in 2006, the average cost to an institution of losing a single record was $182. This includes legal, administrative, and other costs and represents a 30 percent increase over the previous year.

 
Universities prize a culture of openness that is very different from a security mindset.

Colleges and universities account for about a fifth of the security breaches listed by the Clearinghouse in 2006 and to date in 2007. At the University of Colorado–Boulder last May, for example, a worm attack compromised a server that contained the information, including SSNs, of 45,000 current and former students. In February, Johns Hopkins University and Johns Hopkins Hospital reported the disappearance of backup tapes containing the personal data of 52,000 past and present employees and 83,000 hospital patients.

Higher education institutions have done a particularly bad job of warding off hackers, in part, perhaps, because they tend to be less cohesive than corporations and often comprise an array of departments and entities that may have competing security protocols. Moreover, universities prize a culture of openness that is very different from a security mindset. Corporations have traditionally sought to guard their trade secrets; universities have focused on disseminating information. An IT group might fix the mechanism by which intruders gain access, “but they can’t imbue an organization with a culture of information security,” says Lisa Sotto, head of the privacy practice of the law firm Hunton & Williams. “Universities are focused on making their systems open and available to all users.”

How dangerous is a theft like the one that took place at Yale? Experts disagree. Beth Givens, director of the Privacy Rights Clearinghouse, says administrators invariably emphasize that hardware, not data, was the thief's target—which she says is beside the point. “Administrators have no way of knowing the path that the data or the computer will take,” Givens maintains. “The thieves could get a twofer out of this one—extract the data and sell it on the black market and sell the laptop itself on the street.” (Other privacy experts say that institutions often tend to overestimate the protective value of passwords for files on laptops.) A single individual’s profile, Givens says, can fetch anywhere from $5 to $50. She argues that Yale should have recommended that the exposed individuals ask the credit bureaus to freeze their accounts, not just flag them.

 
“People steal equipment for equipment.”

Fred Cate, a law professor at the Indiana University Center for Applied Cybersecurity Research, believes some of Givens’s concerns are overwrought. He points out that identity theft has declined 18 percent in the past four years, according to Javelin Strategy and Research, an independent group that studies financial institutions. In addition, Cate thinks there’s an important distinction to be made between laptop thefts and crimes like hacking, which explicitly target data. He knows of no documented instances of identity theft resulting from a reported laptop theft in industry or academia. “People steal equipment for equipment. Individuals have statistically zero to fear from this breach.” The majority of identity thefts, he adds, ensue after a personal theft like Feder’s stolen wallet or targeted thefts by dishonest employees or outsiders.

The biggest risk from Yale’s security breach, Cate says, is to its own good repute. That’s an important consideration for a university that relies on the goodwill and donations of alumni. “The danger is reputational and institutional,” he says. He believes that the individuals whose data have been lost have a right to be concerned. “Even if they don’t think they’ll be victims of identity theft, it would be reasonable for a student to say, ‘You possess a lot of information—can’t you protect it? I don’t want my data leaking on the street.’”

In Europe, where the Nazis and the Communist regime of the Soviet Union mined data as a tool of persecution, privacy is viewed as a fundamental human right. Coming out of a tradition in which data have historically been used for marketing, Americans traditionally have been less protective of their privacy. “In Europe, data was used to kill you,” Sotto says. “In the U.S., data is used to market you to death.”

 
The US does not have an omnibus national law on privacy.

Unlike many other countries, including all the European Union nations, the United States does not have an omnibus national law on privacy. Instead, it has a raft of state and federal laws that govern different industry sectors. Hospitals protect patient data as directed by the Health Insurance Portability and Accountability Act (HIPAA); financial institutions protect customer information according to the Gramm-Leach-Bliley Financial Modernization Act; and universities protect student records under the Federal Education Right to Privacy Act (FERPA), which dates to the 1970s. FERPA covers institutional records like transcripts and medical records; it does not, however, apply to student information that a professor might have lying around an office or on a laptop. It also doesn’t include a private right of action, which means that only the government is able to take steps when a university is lax about complying.

The recurrence of data breaches nationwide has led to more than 35 state laws requiring notification of individuals whose personal information (such as Social Security numbers, other forms of identification, and financial account information) has been compromised. The letter Yale sent to Dan Feder appears to fulfill its legal obligation under Connecticut law.

The theft makes clear that Yale could be doing more to secure the sensitive data it collects on students and employees. William Sledge, medical director of Yale–New Haven Psychiatric Hospital and a former master of Calhoun College, learned of the burglary at a business event with Dean Salovey. (Salovey was “dismayed,” Sledge says.) But it was only on receiving his own letter from the dean’s office that Sledge realized his personal information had been stolen along with the computers.

Like Feder, Sledge was familiar with the credit bureau procedure: he is a military veteran whose Social Security number was compromised in the high-profile theft of a laptop belonging to the U.S. Department of Veterans Affairs in 2005. (That laptop held files containing the identities of 26.5 million veterans.) Just what, Sledge wondered, was his information doing on a computer at the dean’s office?

It’s a good question, particularly because in 2005, as a security measure, Yale stopped using Social Security numbers for student and staff identification purposes. And the alumni address database, used for mailings and research by departments throughout the university, does not include any Social Security or financial account numbers.

 
The theft has spurred Yale to clean up its hard drives.

It turns out that the files stolen from the dean’s office were “residual,” according to Tom Conroy, deputy director of public affairs at Yale. “The files had been overlooked,” he elaborates. “They were not in any use and would have been deleted if it had been known they were on the computers." Yale’s oversight is commonplace. A surprising number of security breaches involve old data like the files on the stolen laptops.

Conroy would not discuss what additional security measures, if any, are being instituted to guard the dean’s office or the offices of other high-level officials. But the theft has spurred Yale to clean up its hard drives. In an e-mail to the alumni magazine, President Richard Levin offered alumni “our sincere apology for this incident,” and said that, in response to the theft, “We have expanded and accelerated our ongoing program to secure all sensitive data and to eliminate all copies of such data that cannot be adequately protected." Conroy adds that some sensitive computers have been scanned to determine whether their data should be protected through encryption or deleted. (Prior to the theft, access to financial systems and student information systems on campus was encrypted, as well as any information about benefits or health or banking transactions when they were transmitted off campus.)

Conroy didn’t offer specifics about which departments have been targeted for improvement. Of course, a complete scrub of all old data would probably be impossible. For instance, the use of Social Security numbers for identification purposes at Yale was once so widespread that, until 1999, alumni who volunteered to interview applicants to Yale College received the applicants' Social Security numbers on the interview forms. And as recently as 2004, faculty and staff who served as freshman advisers were routinely given the Social Security numbers of their advisees.

There are additional precautions Yale could take to make its data safer. The university has a chief information security officer, and it has individuals in charge of enforcing the privacy requirements of FERPA and HIPAA. But Fred Cate suggests that Yale should also have a privacy officer—“whose job it is to wake up every day thinking about how to protect data.” Every Fortune 500 company has a privacy officer, he says, but less than 2 percent of universities do. In 2002, the University of Pennsylvania became one of the first institutions of higher education to hire such an officer.

A privacy officer might recommend a comprehensive privacy assessment to track how data flow through Yale—from collection to storage and transmission, and ultimately to disposal. That kind of analysis, experts say, can help an institution identify vulnerabilities and determine which data or laptops to encrypt. Encryption offers a much higher level of protection than a password, but often it is expensive and has some technological drawbacks. An assessment can also help to identify which employees or departments need additional training about how to protect privacy.

The good news is that Yale has had no indications that anyone is trying to exploit the data on the laptops. And, Conroy says, the Yale police have a significant lead. They have made an arrest for burglaries that they believe are connected with the laptop thefts. The case remains under investigation.

Feder, for his part, is willing to give Yale the benefit of the doubt, as long as this breach is an isolated mistake. He’ll continue giving online the small amount he’s been sending to Yale since he graduated, trusting that his financial account information won’t end up tomorrow on a forgotten file.  the end

 
 

 

 

If you’re concerned about identity theft, here are some basic precautions.

Never send personal information like Social Security or bank account numbers over e-mail.

Check your credit reports regularly to make sure no one is taking out credit cards in your name. There are three major credit bureaus—Equifax, Experian, and TransUnion—and you are entitled to a free credit report from each yearly. Request reports at annualcreditreport.com.

Opt out of pre-approved credit card offers by calling (888) 567-8688.

If you’ve been a victim of theft, or you want to take more precautions, you can place fraud alerts on your credit reports—or freeze them altogether, if your state has that option. You must unfreeze the reports to take out a loan or new credit card.

If you suspect fraud has occurred, you can call the Social Security Administration fraud hotline: (800) 269-0271.

Credit card companies usually absorb losses due to fraudulent cards. But costs are passed along, says Givens of the Privacy Rights Clearinghouse: “Consumers pay for all this fraud.”

 
 
 
 
spacer
 

©1992–2012, Yale Alumni Publications, Inc. All rights reserved.

Yale Alumni Magazine, P.O. Box 1905, New Haven, CT 06509-1905, USA. yam@yale.edu