Online security breaches that exposed Social Security numbers and other sensitive information at the University of Hawaii have revealed a need for improved record security. The decision by UH officials and state legislators should not be whether to install a needed system quickly, but how to pay for it. Failing to do so would be pound foolish.
Personal information of about 40,000 UH students and faculty was compromised last October when a faculty member uploaded material to a server he thought was private. The mistake prompted a class-action lawsuit a month later. In the past seven years, nearly 260,000 private records held by the university have been inadvertently released — an appalling track record that earned UH a grade of "F" for online security breaches from The Liberty Coalition, a nonprofit civil liberties watchdog group.
Legislators were informed this week that $1.9 million is needed to tighten UH’s systemwide Web security, and an additional $764,000 a year would be necessary to keep the upgraded system operational. Any such improvement would necessarily involve all 10 of the UH campuses.
UH is not alone among colleges and universities in coping with a problem that they have been slow to address. An open academic environment has conflicted with the need to protect sensitive information and to deal with security issues generally, as students and professors absorb themselves in public and private computers.
"Accounts are left open, computers are left logged on and data can be easily lost amid the day-to-day shuffle," explained a report last year by Application Security Inc.
As a result, the report noted, colleges and universities nationwide have experienced 158 data breaches resulting in more than 2.3 million reported records compromised since 2008.
It’s a dismally lax environment ripe for cyber-theft, one that UH and other institutions must take seriously and tighten.
The national economic downturn has resulted in budgetary tightening, causing institutions of higher education to balk at addressing the problem. Only half of them planned last year to fix their systems, even though breaches threaten to create even more expensive predicaments.
The Ponemon Institute research center reports that data breach incidents cost organizations $204 per compromised customer in compensation and attorney fees in 2009. At that rate, last year’s UH breach alone could cost UH a whopping $8 million plus in legal defense spending.
David Lassner, the university’s vice president for information technology, told state senators UH might free some money through greater centralization to pay for the improvements, but he has yet to find a source for the full amount needed.
Budgetary concern may be the main reason why some colleges and universities are putting off installation of improved database security, but they are making a mistake that is likely to backfire.
Another key component in tightening online security is a non-monetary one that must also occur: stringent protocols, training and awareness among information users about the crucial nature of Web security.
UH should recognize that the astronomical cost of compensating victims of a breach should require prompt installation of an effective system as part of the university’s essential needs.