A graduate whose information was stolen seeks compensation
POSTED: 1:30 a.m. HST, Nov 19, 2010
University of Hawaii alumnus Philippe Gross applied for a job at the state Department of Health in February. That's when he was notified there are four other names associated with his Social Security number.
Then in August, he discovered the unauthorized use of his credit card at nine gas stations in Georgia. He was charged $742.20.
He believes the incidents could only be a result of the recent information security breaches at the University of Hawaii, where he was a student during the 1990s.
Gross has filed a class-action lawsuit in federal court, targeting the University of Hawaii, its president, M.R.C. Greenwood, Board of Regents Chairman Howard Karr, and Chief Information Officer David Lassner.
"The difficulty of these cases is pinpointing where the breach occurred," said Thomas Grande, Gross' attorney. "The way we prove it is to exclude the other possibilities. If there's no other potential source of the breach, and we know the UH problem occurred, we would firmly establish that the problem was with UH."
UH leadership has said they recognize that "improvements are necessary and that resources must be reallocated to improve IT (information technology) security." It also recognizes that its decentralized approach is not adequate.
Gross said he had bought parking permits for his scooter between 1998 and 2009, the period that affected more than 53,000 people who did business with the Manoa campus parking office.
Gross also said he was a student between 1990 and 1998, the same period that information of more than 40,000 alumni was inadvertently uploaded to the Internet by a now-retired West Oahu campus faculty member who was conducting research.
The lawsuit asks the state court to mandate "appropriate measures to ensure the protection of private information within its possession," as well as money to compensate for damages, credit report expenditures and identity theft insurance.
"UH did not step up and offer credit monitoring, identity theft insurance, all the things they could've done to assist students and faculty," Grande said. "Instead, they left it to the individual to monitor. That's simply not acceptable. If you're an agency that releases private information, you need to take responsibility for it."
The Liberty Coalition, a nonprofit civil liberties watchdog group in Washington, D.C., said more than half of the 479,000 Hawaii records breached since 2005 were those mishandled by the University of Hawaii.
A report by the group gave UH an "F" for privacy and data security. The information exposed included Social Security numbers, birth dates, citizenship, addresses and marital status.
A Facebook group "UH Manoa victims of 09-10 data dump" has been formed. It is open only to UH alumni who may have been victims. On it, group members share experiences, information and tips on where to get free credit reports.
Its founder, David Lee Rogers, a 1997 graduate of UH-Manoa, said many other alumni have not bothered to do credit checks because they have not received notification letters. But Rogers said alumni may not have received anything because the university has been using old addresses.
He said he agrees with Gross' lawsuit seeking compensation for protection and credit check reports.
"Previous corporations have had similar accidents and data dumps, and they've offered identity theft protection. They've offered to pay for it," said Rogers, 43, who now lives in Walhalla, S.C. "UH so far is not even offering to do that, which I think is abhorrent."
Rogers also said he wants to see the research the West Oahu faculty member was working on.
"We would like to demand that this so-called research be made public, at least to those whose names were on the list, since it was our information," he said. "We feel we have the right to know. My personal opinion, I don't believe the research is legitimate."
In 2007, the university adopted policies to phase out the use of Social Security numbers as a way to identify students. However, efforts to do so have been met with resistance, said an employee of the Manoa campus who wished to remain anonymous.
The employee, who has worked at the campus since 2008, said he was shocked at statements made in meetings at UH about the information breaches. Officials in those meetings said that the university's liability due to the breaches are limited, because of the difficulty in tracing the breach back to the university, according to the employee.
"I remember being shocked by that statement," the employee said.
The employee also said he also has seen several staff members with student Social Security numbers on their workstations.
"I have personally been asked for my Social Security number when trying to get my campus ID reissued," he said. "This should not be the case. This should not have been the case a decade ago. They should get the numbers off the systems, and stop training people to ask for them."
State senators have said they intend to hold an informational hearing in January on the university security breaches.
The employee said there is no real verification system in place to ensure Social Security numbers are off the computers.
"When I see the Social Security number of all these past alumni and employees ... it's like walking through a field of body parts strewn all around," he said. "It's sickening."