It's Time to Protect Students' Data

A third of all data leaks are at universities. Academia should be held to stricter record confidentiality standards

It pains me to say it: I am advocating government intervention and new regulations. But, as they say, special circumstances apply.

As an alumnus of the University of Texas at Austin, specifically its McCombs School of Business, I was chagrined to learn that hackers recently gained access to some of the school's 197,000 records—some of which included my Social Security number (SSN) and other personal information, as well as that of many other alums.

I've signed up with a credit-monitoring bureau and requested that the three main credit-reporting agencies put a fraud alert on my records. So the hackers have already made off with quite a lot: my time, my money, and my already fragile peace of mind.


  It can sometimes take an incident like this to jolt you out of the theoretical. I've been in the network security industry for nearly two decades and am familiar with the latest technology, trends, and what-have-you. But this time, it's hitting home. And certainly not just for UT alumni: Data thieves are helping themselves to personal data at schools across the nation, as the recent penetration of three Ohio University servers holding the SSNs of 137,000 people, attests.

It got me thinking: Colleges and universities should be held to the same government compliance standards as companies that operate in health care or financial services.

After all, a third of all data leaks are at universities, according to CNET Networks (CNET). That's not surprising, as universities walk a fine line between ensuring that users, many of whom are using personal laptops and other devices, have continuous access to network resources, while keeping those same resources safe from infections and unauthorized access. All too often, security gets shoved to the back burner in favor of keeping networks open and users productive. Cybercrooks, recognizing a good thing when they see it, are making hay while the sun shines.


 The proliferation and ease of use of wireless technology certainly haven't helped. I've talked to network administrators at some of my company's university customers; they report students doing everything from setting up unsecured wireless networks from dorm rooms to maliciously distributing worms that create a back door into the data files of infected systems. And once students are done wreaking their havoc, the chinks they've created in the network's security provide cybercriminals with yet another avenue into the network interior.

Clearly, it's time for some guidelines for the protection of sensitive personal information in this overly dynamic environment. And I think it's going to take a government mandate. Don't get me wrong. I am in favor of market-driven initiatives. But the realist in me can't believe that, with their resources already stretched thin, the constituents of this splintered and diverse market can impose and enforce their own data-integrity regulations.

Naturally, this brings to mind the government-enforced regulatory alphabet soup—CFR Part 11, GLBA, HIPAA, etc.—that, among other things, provides rules to protect record confidentiality.


  Take for instance, HIPAA, the Health Insurance Portability & Accountability Act, which is designed to ensure that health-insurance coverage is available for people who lose or change jobs. This rule, which also establishes standards for the maintenance of patient records, has had some very positive outcomes.

My health-insurance card, for instance, now bears a member I.D. number that differs from my SSN (a valid comparison when you consider that many universities use a student's SSN as a "student I.D. number," which means that the SSN is repeated on just about every scrap of information about that student). I'd say that's a change for the better.

But the HIPAA experience has certainly not been all positive. Written in 1996, and made effective in 2003, this well-intentioned act has spawned its own industry: Books, Web sites, e-mail newsletters, and the like proliferate, thanks to HIPAA's sheer complexity. Just googling "HIPAA Consulting" will generate in excess of 22,000 hits. The plethora of HIPAA consultants, methods, and approaches underscores just how challenging meeting these requirements can be.


  Even the HIPAA agreement you sign at the doctor's office reflects this. Here's a favorite quote of mine, pulled from a real HIPAA form: "If you do not object to these disclosures or we can infer from the circumstances that you do not object or we determine, in the exercise of our professional judgment, that it is in your best interest for us to make disclosure of information that is directly relevant to the person's involvement with your care, we may disclose your protected health information as described."

I'm sure this is not what those at the Health & Human Services Dept. had in mind when they crafted HIPAA.

So let's learn from HIPAA and its letter-happy brethren. Surely we can craft regulations for higher education that discourage the use of SSNs without creating too onerous a burden.

Let's try something simple, that mandates that colleges and universities have, say, one year to protect personal information by insulating it from the general network. Stage 2 could allow five years to phase out use of SSNs as the key identifier for anyone for whom that organization retains personal information, not just students and faculty.

Stage 3 could call for authentication methods that require a unique identifier other than SSN to allow interaction such as student registration, faculty study guide posting, and supplier order access. The negative reinforcement could take the shape of a publicly available, government-maintained Web site that identifies those universities and colleges who fail to take the privacy of their stakeholders as seriously as they ought.

Of course, nothing in life is quite that simple. But if we start with the idea that this can be an exercise in common sense, then we should be able to arrive at a solution that solves more problems than it causes.

Before it's here, it's on the Bloomberg Terminal.