What Can I Do About Poorly Handled Data Theft? 53
Embarrassed UTA Alumnus writes "My former college, the University of Texas at Arlington, just made the now-all-to-common announcement that student data — including Social Security numbers, e-mail addresses, grades, and other information — were on several recently stolen personal computers. The computers were from the home of a Computer Science lecturer, and perhaps more worrisome was the fact that they were the only stolen items in the incident. I had the displeasure of taking one of the lecturer's courses a few years ago, and anyone from his courses since the year 2000 is affected. In response, UTA is providing free 90-day 'fraud monitoring' (not full credit reports), and no disciplinary action has been taken against the lecturer who lost the data."
In situations like this, what can a student do when a large institution loses critical private information, makes only a token effort to fix the problem, and lets the people involved continue in practices that may make a similar, or more serious breach occur in the future?
"The data was not encrypted. The lecturer in question is one of the CS faculty at UTA who all conveniently guarded one another, so I guess I shouldn't expect more from him in that area. More importantly though, no one should have had this data on their personal computers, and Social Security numbers should not have been included at all. Furthermore, even without the concern of theft, I seriously question the need for years-old private student data. It is suspicious at the very least.
The UTA PR department is already trying to bury the issue with vague claims of new efforts to hire a system-wide CIO who would be responsible for all 15 UT system campuses. The lecturer in question responded to the student newspaper with 'no comment' each time they attempt to interview him.
I feel like the university should do more, including seeking disciplinary action against all involved. What can I do, short of keeping an eye on my credit and letting the school get away with yet another blunder?"
The UTA PR department is already trying to bury the issue with vague claims of new efforts to hire a system-wide CIO who would be responsible for all 15 UT system campuses. The lecturer in question responded to the student newspaper with 'no comment' each time they attempt to interview him.
I feel like the university should do more, including seeking disciplinary action against all involved. What can I do, short of keeping an eye on my credit and letting the school get away with yet another blunder?"
Re:IANAL but... (Score:3, Informative)
I agree, see if you can get a case. See if you can get it class action. Breach of privacy, lack of due diligence, there has got to be more than a few regulations that were broken. When I worked as a student aid at my college I had to sign paperwork and read some laws about how to handle student data to prevent all this kind of stuff. He should be liable under those laws (as should the school).
I'm not a lawyer, but I bet you can find one that will take your case.
School respond to two things: lawyers and money. You don't have enough of #2 (you can't with hold your yearly $10,000,000 donation) so #1 is your only hope.
possible actions (Score:4, Informative)
Seeing as most of the administration sees information loss as nothing more than a potential liability to them, you need to make it clear to the University top administration that this gaffe is totally unacceptable. They need to understand how bad this is -- and that it will affect their alumni fund drives.
I'm assuming that you're fully aware of the potential problems, and how serious they are (why else would you be asking the question). You need to inform the administration, by letter (make sure you cc: your local newspapers and television station(s), and follow up with them to try to get somre more negative publicity for the U), just how serious it is.
One other thing you can do (from an OU mishap [merit.edu]):
It is a violation of FERPA (Score:5, Informative)
Sera
UTA Knew About Data Security Problems, Did Nothing (Score:4, Informative)
Perhaps the most frustrating was when my name, phone number, dorm room number and Social Security Number were PUBLISHED ON THE INTERNET. This was in Feb 2003. The university was notified, they eventually took down the webpages that had been indexed by Google (searching for someone's name who lived anywhere on campus at UTA resulted in their social security number popping up in a result on Google. How handy!) and they engaged in massive spin-control.
After it happened, it became fairly public knowledge that UTA used your social security number as your student id, and that your student id was actually encoded in plaintext on your student id card. Lose your student id card, lose your social security number.
The University of Texas System made some system-wide rules after another data security incident occurred shortly thereafter at the University of Texas at Austin. Schools were no longer to release social security numbers to professors, since they had no need for it, and all schools in the UT System were to stop using social security numbers as identifiers within a year or two. This deadline was continually extended, until they finally set it at September 2007.
UTA knew that too many people had access to students social security numbers; indeed, the school newspaper has over 92 articles concerning the school's use of social security numbers, the questionable legality of such use and the dangers (ref.: http://search.yahoo.com/search?p=social+security+
My social was also one of the ID #'s that were stolen in this theft. I too, was appalled at how UTA handled this. Originally, the notification on UTA's website said that the Office of Information Technology would have a form you could fill out giving them your email address and asking them to check if you were affected; the notification was later edited to say that you must call the University's registrar's office and update your address, email address and phone number if you wanted them to contact you - clearly an effort to update the records of the Office of Development so that they could get your current address to begin spamming you about their new fundraising campaigns. And the "discounted" identity monitoring service...from a company I've never even heard of? Nice, UTA. Makes me so proud to call UTA my alma matter.
I honestly think there's enough here for a lawsuit, and would love to participate in it. Anyone heard anything about a suit, or considering one?