Colleges store millions of pieces of sensitive personal information, including employment data, financial records, transcripts, credit histories, medical histories, contact information, Social Security numbers — the list goes on. Although higher-education institutions should be forums where information and knowledge are easily exchanged, the free flow of information is sometimes unintentional. Colleges should avoid the following organizational policies and behaviors that put personal information in jeopardy:
Inadequate security for old data. Colleges generally do a good job of guarding data about current students, but few have policies that deal adequately with the storage of older information. Failure to safeguard old data is especially risky if the institution previously used Social Security numbers to identify students.
Indeed, almost every week a faculty member backs up an old hard drive to his personal Web space, unaware that the drive contains former students’ grades and Social Security numbers. Occasionally the professor is aware of the information but mistakenly believes that his university-provided Web space is not available to the public. Often the data sit on the institutional server for up to five years, undetected and forgotten, until the information turns up in a Google search.
Shadow systems and unregulated servers. Professors, colleges, departments, and even student organizations regularly copy information from the core system and maintain it separately — whether as sophisticated databases under high security or simple Excel spreadsheets on personal laptops. Such shadow systems are at particular risk of exposure, and they multiply at an alarming rate because faculty members can create their own databases at any time.
Thus, even though a small army of information-technology professionals may guard a college’s core systems, the security perimeter extends much further. Many institutions have thousands, or even tens of thousands, of faculty members with administrative rights and full access to sensitive information. And despite strict policies governing information control, employee turnover makes training about privacy and security issues a continual struggle.
Some faculty members and third-party vendors also set up their own unregulated servers outside their universities’ firewalls, often for legitimate academic use. Those servers are particularly vulnerable to hackers and accidental online exposure. In a security audit, one private university uncovered 250 unauthorized servers connected to its public Internet network, each containing sensitive student information.
Unsophisticated privacy policies. Colleges’ policies often demonstrate a basic lack of understanding of the law and, more important, of how the institution carries out the law through internal processes. Many policies basically say nothing more than “We follow the law,” without explaining what the law is or how they follow it. Even worse, some simply say, in essence, “Trust us, we’ll be good.”
Many institutions’ privacy policies also erroneously mimic commercial policies, which are narrowly tailored to cover only information collected online. Those policies are deficient in a college setting because just a small fraction of personal information that colleges maintain is collected online.
Further, a single institution may have dozens or hundreds of separate privacy policies, each dealing with a different, and incomplete, set of issues. For example, at some highly decentralized institutions, the colleges, the departments, and even some facilities like student unions have their own privacy policies. While privacy policies should reflect the practices of each group, inconsistent policies can create confusion among staff members who must explain or carry them out.
Improper use of Social Security numbers. Even though many colleges don’t now use Social Security numbers to identify students, they once did. Those old records sit like land mines on old servers. Meanwhile, ancillary organizations like banks and other lending institutions continue to use the Social Security number for identification purposes. As a result, some institutions that have otherwise discontinued use of Social Security numbers still print them on academic transcripts and official documents. In fact, the American Association of Collegiate Registrars and Admissions Officers recommends printing the Social Security number on transcripts and says that 79 percent of American colleges did so in 2003. (A January 2007 study that I conducted, published by the Privacy Rights Clearinghouse, found that the proportion may have declined to 37 percent, but that is still a good many institutions.)
Unsanitized old hard drives. When a user deletes a file, the operating system typically removes only the directory entry that points to it; the file’s contents remain on the disk, essentially unchanged, until those sectors are overwritten or the drive is physically destroyed. Unless old hard drives are properly sanitized (every sector overwritten under a verified procedure) or destroyed, someone with inexpensive recovery tools can retrieve just about everything on them.
My experience indicates that most universities have a sanitization protocol when retiring old hard drives. But as with all centralized policies, enforcement in an administratively decentralized college setting can be challenging.
In a well-publicized study, Simson Garfinkel, a privacy specialist and a graduate of the Massachusetts Institute of Technology, purchased 158 old hard drives from law firms, computer stores, and eBay. Part time, and on a budget of less than $1,000, he was able to recover thousands of e-mail messages and credit-card numbers, detailed financial information on hundreds of people, confidential corporate files, and numerous personal journals.
To avoid such situations, college administrators should:
- Regularly search institutional networks for sensitive information, such as Social Security numbers, grades, and financial information. Institutions can use a combination of public search engines, like Google or Yahoo (to find what is already exposed), and internal text- and file-scanning software (to find it before it is exposed) to detect personal information.
- Create a policy of retiring “old” data on institutional servers but allow faculty members to un-retire old data they still use. Although automatically retiring data comes with its own set of inconveniences, permission-based access to sensitive information is the best way to curb unauthorized copying. Sensitive personal information should be available to faculty members and departments only on a need-to-know basis.
- Establish the date on which the institution last used Social Security numbers as a “radioactive date”: any file last modified before that date is presumed to contain them until it has been scanned or reviewed.
- Establish a data-retention-and-access policy by doing a threat-based analysis of the sensitivity of the information, the benefits of storing the data, and the risks of allowing faculty members to access it.
- Establish and coordinate an interdepartmental network of privacy and security professionals from each college, department, or facility that maintains its own personal information or privacy policy. Coordinate privacy policies and practices.
- Make sure that the policy covers all privacy issues arising in a university setting. Explain privacy rights and practices that protect offline employment information and sensitive student records. Also explain work-flow protections (for example, “only director-level employees have access to Social Security numbers”) and technical practices (for example, “employee data are stored on encrypted hard drives”). Privacy policies should deal with more than just cookies and Web forms.
- Eliminate Social Security numbers from official records where possible, or establish a policy whereby students can opt to omit their numbers from transcripts or other records.
- Physically destroy all old hard drives, or at a minimum overwrite them under a verified sanitization procedure before they leave the institution’s control.
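The first and third recommendations above (scan institutional storage for Social Security numbers, and treat files last modified before a “radioactive date” as presumed dangerous) can be combined in one sweep. The Python below is an added example, not code from the article or from any institution’s scanning tool. It looks for nine-digit values in the 3-2-4 layout, discards values the Social Security Administration has never issued (area 000, 666 or 900–999; group 00; serial 0000) to cut false positives, flags files older than the cutoff even when no number is found, and masks all but the last four digits in its report so the scan output does not become a leak of its own. The cutoff date, the directory and the sample files in `demo()` are constructed for the example.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Three-two-four digit groups with one consistent separator (dash, space or none).
# The look-arounds keep the pattern from matching inside a longer digit run,
# such as a ten-digit phone number, and the backreference rejects mixed separators.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA has never issued: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs in text, normalised to the 123-45-6789 form."""
    return [f"{a}-{g}-{s}" for a, _sep, g, s in SSN_RE.findall(text) if is_plausible_ssn(a, g, s)]


def mask(ssn: str) -> str:
    """Keep only the last four digits so the scan report is not itself sensitive data."""
    return "***-**-" + ssn[-4:]


def scan_tree(root, radioactive_date: datetime, max_bytes: int = 1_000_000) -> list[dict]:
    """Walk root; report files containing plausible SSNs or last modified before the cutoff."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        hits = find_ssns(text)
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        stale = mtime < radioactive_date
        if hits or stale:
            findings.append({
                "file": path.name,
                "path": str(path),
                "ssn_count": len(hits),
                "pre_cutoff": stale,
                "samples": [mask(h) for h in hits[:3]],
            })
    return findings


def demo() -> list[dict]:
    """Build a small constructed directory and scan it. Every file here is invented for the example."""
    cutoff = datetime(2005, 1, 1, tzinfo=timezone.utc)  # assumed radioactive date
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = root / "grades_fall2001.csv"
        old.write_text("name,ssn,grade\nA. Student,123-45-6789,B+\nB. Student,234 56 7890,A\n")
        os.utime(old, (946684800, 946684800))  # mtime 2000-01-01, before the cutoff
        notes = root / "notes.txt"
        notes.write_text("Office hours moved to Tuesday.\n")
        os.utime(notes, (1041379200, 1041379200))  # mtime 2003-01-01: old, but no SSNs
        recent = root / "roster.csv"  # recent, and only values the rules reject
        recent.write_text("name,id,phone\nC. Student,000-12-3456,2025551234\nD. Student,666-01-0001,2025559876\n")
        return scan_tree(root, cutoff)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real sweep the scanner would be pointed at departmental file shares and personal Web space rather than a temporary directory, and the structural checks should be treated as a filter, not proof: a number that passes them still needs a human to confirm it is an SSN, and a spreadsheet of nine-digit employee IDs will produce false positives that only a data owner can dismiss.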
Institutions of higher education must promote the free exchange of ideas while protecting sensitive personal information. Although the academic environment can seem at odds with information security, the appropriate practices and procedures can effectively balance information freedom and personal privacy.
Aaron Titus is privacy director at the Liberty Coalition, a nonprofit organization in Washington that promotes public policy related to civil liberties and basic rights.
The Chronicle of Higher Education (http://chronicle.com), Commentary, Volume 55, Issue 9, Page A35