What Can I Do About Poorly Handled Data Theft? 53
Embarrassed UTA Alumnus writes "My former college, the University of Texas at Arlington, just made the now-all-to-common announcement that student data — including Social Security numbers, e-mail addresses, grades, and other information — were on several recently stolen personal computers. The computers were from the home of a Computer Science lecturer, and perhaps more worrisome was the fact that they were the only stolen items in the incident. I had the displeasure of taking one of the lecturer's courses a few years ago, and anyone from his courses since the year 2000 is affected. In response, UTA is providing free 90-day 'fraud monitoring' (not full credit reports), and no disciplinary action has been taken against the lecturer who lost the data."
In situations like this, what can a student do when a large institution loses critical private information, makes only a token effort to fix the problem, and lets the people involved continue in practices that may make a similar, or more serious breach occur in the future?
"The data was not encrypted. The lecturer in question is one of the CS faculty at UTA who all conveniently guarded one another, so I guess I shouldn't expect more from him in that area. More importantly though, no one should have had this data on their personal computers, and Social Security numbers should not have been included at all. Furthermore, even without the concern of theft, I seriously question the need for years-old private student data. It is suspicious at the very least.
The UTA PR department is already trying to bury the issue with vague claims of new efforts to hire a system-wide CIO who would be responsible for all 15 UT system campuses. The lecturer in question responded to the student newspaper with 'no comment' each time they attempt to interview him.
I feel like the university should do more, including seeking disciplinary action against all involved. What can I do, short of keeping an eye on my credit and letting the school get away with yet another blunder?"
The UTA PR department is already trying to bury the issue with vague claims of new efforts to hire a system-wide CIO who would be responsible for all 15 UT system campuses. The lecturer in question responded to the student newspaper with 'no comment' each time they attempt to interview him.
I feel like the university should do more, including seeking disciplinary action against all involved. What can I do, short of keeping an eye on my credit and letting the school get away with yet another blunder?"
Why do professors need SSN? (Score:4, Insightful)
IANAL but... (Score:3, Insightful)
Common sense (Score:2, Insightful)
Figure out what you want and then ask for it (Score:2, Insightful)
The professor can't retroactively encrypt the data, nor can anybody unsteal the computers that contained it.
The only thing you mention is that you want to see the professor disciplined. Will this bring your data back? Will you benefit from the discipline of a professor whose class you took years ago?
What more do you want the school to do for you? You mentioned that you felt 90 days of credit monitoring was insufficient. Of course, now you can personally monitor it yourself [annualcreditreport.com] free of charge.
Just decide what it is you want and ask the school for it. You never know. If your request is reasonable, you just might get it.
Why give them your SSN? (Score:3, Insightful)
Seriously. Nobody but your bank and employer need your SSN, and it's not supposed to be used for non-Social Security identification purposes anyway. Why people insist on using it as such, and why people still freely give it away just boggles my mind.
credit agencies are at fault here (Score:3, Insightful)
The contents of the average credit report amount to unsubstantiated slander. It's tremendously easy for smudges to accumulate, with little effective recourse. In any other life circumstance, the same poor, fragmentary, and unsubstantiated quality of information about a person's status and character would be open to action as libelous.
I think the credit reporting agencies should be made libel for reporting negative information about any person as a result of criminal credential fraud. Even our terminology is wrong: we are talking about the theft of credentials not personal identity. An identity can't be stolen. Only the credentials are subject to third party manipulation. The institutions who choose to accept credentials as evidence of an identity should be prepared to bear the cost of their own mistakes.
And the worst of it is that our existing credentials are designed by baboons. It's not humanly possible to protect credentials you hand to every teenage till monkey five times a day.
We all know the truism that when you hear one person criticize another, it says as much about the person making the criticism as it does about the person being criticized. Yet the credit reporting agencies are somehow given a free pass which I've never understood. Might it be that a bad credit report reflects bad credit reporting practice? I guess we're so overwhelmed by our powerlessness in that relationship (my god, even more powerful than Miss Wormwood) that you rarely hear it suggested that perhaps the credit agencies themselves are no better than ICANN or VeriSign.