QUESTION: Whatever happened to the University of Hawaii’s efforts to strengthen its data security, after several high-profile breaches?

ANSWER: The University of Hawaii is working with a consultant in shoring up its data defenses.

In November, consultant Cedric Bennett & Associates conducted an information security assessment, which looked at the university’s problems, and offered suggestions on how to fix them.

The university is facing a class-action lawsuit from Philippe Gross and Grande Law Offices over the data breaches. Recently the law office called for university officials to release the report. The university released part of the report Wednesday.

“Until recently, no requests for the consultant’s report had been received other than in the litigation context,” said Lynne Waters, associate vice president of external affairs and university relations.

Waters said the university believes the law office’s call for the report was a reaction to the university’s rejection of a demand from attorney Thomas Grande for “very large attorneys’ fees” in the case.

“The university has misstated our position on attorneys’ fees,” Grande said, adding that although they disagreed on what needs to be paid, no decision has been made. “The court retains final authority over the amount of attorneys’ fees, whether or not it’s agreed upon by the parties.”

Grande said he’s “dismayed” that it took the university so long to release part of the report, and is hopeful to see the report in its entirety soon.

The first part of the report states that two underlying issues contributed to the university’s data breaches:

>> A significant under-investment in information security resources.

>> An attempt to operationally manage information security as a fully decentralized activity.

The report suggests that the university develop a well-funded, universitywide information security program that is centrally managed and operates in collaboration with the many decentralized units throughout the system.

In the most recent data breach, revealed in November, a former faculty member at the West Oahu campus inadvertently uploaded to the Internet personal information of more than 40,000 students.

A report released last year by the Liberty Coalition, a Washington, D.C.-based nonprofit civil liberties watchdog, said at least 479,000 Hawaii records were breached since 2005, and that UH was responsible for 54 percent of those breaches.

The university has refused to settle the case, Grande said. He said he filed a motion for class certification, with a hearing scheduled in September.

Waters said the university believes the lawsuit is “totally without merit,” and will soon file a motion to dismiss.

“The university continues to work toward protecting all of its constituents against future data breaches,” Waters said.

———

This update was written by Gene Park. Suggest a topic for “Whatever Happened To …” by writing Honolulu Star-Advertiser, 500 Ala Moana Blvd., Suite 7-210, Honolulu 96813; call 529-4747; or email cityeditors@staradvertiser.com.