Highlights of this Post:
- Since 2005, security breaches at American colleges and universities have exposed more that nine million records containing sensitive, personal information to unauthorized parties.
- OIT recommends that you not collect, store or transport sensitive information like social security numbers, drivers’ license numbers, and credit or debit card numbers. If you must do so, you should consult with OIT regarding the security of this data.
- Sensitive, personal data should not be stored on individual computer hard drives. If it is necessary to travel with such data or to work with such data on a personal computer, OIT recommends that the data be stored on a USB drive that encrypts the data.
- Ohio law requires that organizations notify individuals who might be at risk of identity theft as a result of a data security breach. Potential breaches, including the loss or theft of laptops, other computers or data storage devices should be reported to OIT immediately.
In the last three and a half years, 252 separate data security failures at American colleges and universities have exposed more than nine million records to unauthorized parties. Each of these exposed records contained sensitive, personal information that could and may well have been used to perpetrate identity theft. The actual number of breaches and exposed records may well be much larger, since these counts reflect only those incidents that were detected and reported. I write to request your assistance in protecting the sensitive, personal information of members of our community, and in assuring our institutional compliance with applicable state law.
The Office of Information Technology suggests that you not collect, store or transport sensitive, personal information unless you absolutely must do so. Obviously, social security numbers, driver’s license numbers, and credit or debit card numbers are particularly sensitive. If your work activities require that you collect and store such data for students, employees, alumni, donors or other groups, please consult with OIT to identify appropriate means of securing this data.
Storing such data on individual computer hard drives should be avoided if at all possible. Such data is particularly vulnerable when stored on the hard drive of a laptop computer. Many of the more than nine million records mentioned earlier were exposed when laptops were lost or stolen. If it is necessary to work with such data on a personal computer, or if it is necessary to travel with such data, OIT strongly recommends that the data be stored on a USB drive that encrypts the data. Manager of User Services Mary Schantz can provide advice and assistance with such devices.
Since February 2006, Ohio law has required that organizations notify individuals who might be at risk of identity theft as a result of a data security breach. In general, the law regards an individual as at risk of identity theft if his or her name is exposed to an unauthorized party along with one of the following: social security number; driver’s license number or state identification card number; account, credit or debit card number.
The loss or theft of a computer or storage device containing such data in unencrypted format is regarded as a data security breach. Any suspected data breach, including the loss or theft of any computer should be reported to Mary Schantz, Manager of User Services. Such reports should be made immediately as state law imposes specific deadlines for notifications. In the case of lost or stolen computers, owners must be prepared to describe any sensitive, personal information that may be exposed as a result of the loss or theft, and to identify the individuals who might be subject to identity theft as a result.
The Privacy Rights Clearinghouse maintains a list of security incidents that have exposed sensitive personal information of U.S. residents–including those mentioned at the beginning of this letter. This list and related information can be accessed at www.privacyrights.org. The Ohio Revised Code is available online at codes.ohio.gov.orc. Relevant provisions are located within Title XIII, chapter 1349.
I very much appreciate your attention to this important matter and welcome any questions that you may have on this topic.
David Waldron
Chief Information Technology Officer
