The information age brings easy access to data that is also easily shared. But left unguarded, the convenience of electronic files can exact a toll on privacy and security: Personal information becomes vulnerable to theft.
A data breach at the University of Hawaii — the third such episode in about 18 months — underscores a critical weakness that alumni rightly condemn.
Most recently, a UH-West Oahu faculty member had saved files containing personal data from 40,101 students and, a year ago, uploaded them to a non-secure UH Web server. Among the files were lists of some student names paired with Social Security numbers. The researcher, using the files for a study of student academic success, assumed that because the server was password-protected it was secure, a spokesman said.
Not so. The Liberty Coalition, an organization of civil liberties advocacy groups, found the files through a search. Software that constantly "crawls" the Web retrieved them, and they turned up on Google. The affected alumni are understandably angry about this latest breach, which constitutes compelling evidence that the university has lacked adequate security policies governing the varied information systems at its campuses.
The coalition, through its site NationalIDWatch.org, provides identity exposure reports as a public service. Its attorney, Aaron Titus, last week told the Star-Advertiser that UH should hire an independent auditor to find security problems on its computer networks systemwide.
That would be a reasonable safeguard that UH leadership should consider. Meanwhile, university spokespersons say staffers have taken the more urgent first step to remove the server from the Web; they’re now securing any personal information before it goes back online.
Further, it’s a relief to see that UH has pledged to reform the way sensitive information is handled across all 10 of its campuses. This includes scanning databases for other personal information and determining which ones need better security.
Finally, the most important element in its plan is training — which should be part of orientation for all employees — about the proper way of handling computer files. The training would need to be most rigorous for faculty and staff with access to sensitive files. Also, rules for transferring files must be spelled out. The West Oahu researcher had moved them at one point to a personal computer, and any standard protocol should bar that practice.
The coalition proposed that legislation be introduced to make breaches punishable by fines. At minimum, the university reforms should include setting administrative rules on handling data, with penalties for violations.
There’s clearly a need for such curbs. In May 2009, computer malware compromised the personal information of more than 15,000 students who applied for financial aid at Kapiolani Community College. A year later, a hacker broke into a UH parking office computer server with data for 53,000 people, including many Social Security numbers and some credit card information.
If breaches have been this frequent at UH, other government agencies that collect information in the course of their business may have similar problems. Lawmakers ought to look into that distressing possibility. Members of the public who seek government services ought to be able to do so with the confidence that their private data is held in safe custody.