Nonprofits and data breaches: universities are the most likely place for data incidents.

Scott Ksander compares the evolution of IT security to that of bank security. Whether it's the Wild West or the 21st century, people still rob banks, despite advancements such as vaults and video surveillance. The big difference might be that banks don't have 5 million records a month being breached. If information from the Privacy Rights Clearinghouse (PRC) is any indication, you might think data breaches have reached epidemic proportions, particularly at colleges and universities. The San Diego-based consumer information and advocacy nonprofit lists a chronology of data breaches on its Web site, www.privacyrights.org, dating to 2005. Incidents listed on the site from January 2005 through early June of this year total 155,048,651 records containing sensitive personal information that have been involved in security breaches. That's an average of almost 5 million per month. With everything going online these days--including donor records and other organizational data--nonprofits must be careful to take precautions when expanding into the World Wide Web.
PRC lists only breaches that put at risk personal data that can lead to identity theft, with the majority of cases being exposed Social Security numbers, said Director Beth Givens. Still, the list includes breaches of personal data on a semi-weekly, at times daily, basis within the private and public sectors, whether it's a hacker, a lost or stolen laptop, or an inadvertent Web posting. "There's some merit to the argument that the university environment for information technology is wide open. That's the nature of academic life; not only is it wide open but it's decentralized," Givens said. "Universities of course want to provide maximum access to information technology for students and faculty, staff, researchers of all types. These are much less controlled environments than corporate environments."

The chief information security officer and executive director for IT networks and security for Purdue University, Ksander said tech security in some ways is following a somewhat similar, if accelerated, path as bank security. "We had a time when we had fairly weak protection, mainly pre-Internet. The network has added another dimension to security." There's lots of work to do and many institutions are doing a considerable amount, he said, but "even when we get to where we want to be, we would be incorrect to imply that's a 100-percent solution."
Some colleges are getting out of the habit of using Social Security numbers as a means of student identification, specifically because of the threat of identity theft. As a result of human error, not hackers or laptop thieves, Stony Brook University on Long Island inadvertently displayed Social Security numbers of nearly 90,000 faculty, staff, students and others this past April. The information was part of a process to reconfigure a university Web site, only an older file was never removed, according to Patrick Calabria, university media relations officer for Stony Brook.

"We're also making sure that file, and files like it, such as those residing in a dead place, have been eliminated," he said. "This incident certainly raised the consciousness of not using Social Security numbers as identifiers," Calabria said. "There are areas of the university where there is a perceived need to use them, and we're making sure that perception is real."

Organizations are using a variety of methods and procedures to ensure that private data doesn't go public, or fall into the hands of identity thieves. About four years ago, Purdue suffered a data breach that included nearly 80,000 names. The West Lafayette, Ind., school has since launched a four-pronged effort to keep its data safe, said Ksander. The first step, obviously, is the standard technology solutions, such as firewalls, antivirus programs and intrusion protection. Second, policies, procedures and best practices must include a varied and well-delineated set of data handling rules that are required and documented for those who handle data. Third is the remediation aspect, to go back and get rid of things that aren't necessary, such as data that were sensitive several years ago but haven't been disposed of yet. "If you don't have it, it can't be breached," Ksander said. Finally, awareness and training is a regular and constant initiative, Ksander said, reminding people of proper procedures and being diligent.
The University of Colorado
With a network of 6,000 systems campus-wide, Jones said it's important to segment the network to protect things internally. "From there, it's a matter of vulnerability scanning from the central IT point of view," he said, to identify systems that are vulnerable. "A network our size, you always have something occur."

DATA ENCRYPTION

Encrypting data is the most common answer to the question, how do you keep your data safe? "Our chronology wouldn't exist if sensitive data were encrypted," said PRC's Givens. David Friedland, vice president of business development for CoSort, a Melbourne, Fla.-based data transformation company, said that while encryption is the magic word, it can be overkill. He suggested encrypting data but only where it needs to be, down to the field level if necessary, which is faster and more useful than hiding entire records or files. The company already does field-level manipulation of data, and announced its field-level protection product this past spring. Encrypting a laptop's data is not a bad idea, except it cuts off access to everything, he said, not allowing manipulation of data or access to non-sensitive data. "If you had data encrypted during the process, it wouldn't matter.

"By preventing, you don't have to go through the pain and expense of overprotecting," Friedland said. Encryption isn't the only answer for organizations, Friedland said. Anonymization removes the individual characteristics of data so what's stored in the original field can't be identified. And there are different types of it, recoverable and non-recoverable, he said. Pseudonymization is similar, but it also allows the data to remain individualized, followed through different departments and identified again if necessary.

HAVE A PLAN

Organizations should have a plan in case data gets compromised, Givens said. If that's occurred, a data breach must be analyzed to "plug holes" before an announcement is made, she said, but a group's reputation will take a hit if they wait too long to notify people. "Affected individuals will lose faith in that nonprofit if they wait too long." Once a breach occurs, Givens suggested an organization provide information on what individuals can do to prevent identity theft, and other types of harm, such as establishing a fraud alert or how to contact the three major credit bureaus. "Give them a road map as to what they need to do to reduce the risk of identity theft and other types of fraud," she said. An important early step in the development of a data breach plan is coming up with an inventory, analyzing the personal information an organization has and determining how sensitive it is. If a nonprofit does not collect Social Security or credit card numbers, they may actually not have a need for this kind of breach plan, Givens said. But for some nonprofits, names and addresses might be considered sensitive information. Givens also suggested an analysis of sensitive personal information that organizations possess.
Some organizations may never have done an inventory of all data they hold on individuals. "They might be surprised," she said. It's just as important in that analysis for a nonprofit to examine whether it really needs to gather certain categories of information. "The best protection against a security breach is not having the data in the first place," Givens said. Part of the issue is tracking down data that's sensitive, a chief information officer's responsibility. Data at risk can be considered at rest or in motion. "Thumb drives, emails with data attached, that's data in motion. Someone's got to get a handle on that," Friedland said. "How to find stuff when it's already out there is tougher than if you had protected it in the first place."

Since January 2005, Privacy Rights Clearinghouse (PRC) has been tracking incidents where sensitive personal information may have been compromised. During the first week of June alone, PRC posted nine incidents involving at least 32,116 records that may have included sensitive personal information.

* June 1
Fresno County/Refined Technologies Inc., Fresno, Calif. (10,000 records): Missing computer disk contains names, addresses, Social Security numbers. County sent it by courier to a software vendor's office in San Jose to determine workers' eligibility for health care benefits. Software company, Refined Technologies Inc., said they never received the disk.
Jax Federal Credit Union, Jacksonville, Fla. (7,766 records): Social Security numbers and account numbers of clients accidentally posted on Internet, then indexed by Google. Credit union was transmitting information to a printer for a pre-approved auto loan mailing when the information was picked up by Google from the printer's Web site. JFCU normally transmits information on an encrypted disk delivered by courier, but when the printer couldn't open the disk, the information was sent again, but wasn't encrypted and included Social Security numbers and account numbers.
Northwestern University, Evanston, Ill. (4,000 records): Files containing personal information of students and applicants were available online.
* June 3
Gadsden State Community College, Gadsden, Ala. (400 records): Students who took an art appreciation class at the Ayers Campus between 2005 and 2006 had their names, grades and Social Security numbers scattered across a local business' driveway.
* June 4
Stevens Hospital, Edmonds, Wash. (550 records): Laptops exposed to Internet when subcontractor had lapse in data security procedures. Information included names, addresses, and Social Security numbers.
* June 6
Cedarburg High School, Cedarburg, Wisc. (Unknown): Students obtained names, addresses and Social Security numbers and might have accessed personal bank account information of current and former district employees.
Dearfield Medical Building, Greenwich, Conn. (Unknown): A box discovered inside trash bin in May contained information about lab tests and insurance approvals as well as other medical issues, and patient names and contact information.
HarborOne Credit Union, Brockton, Mass. (9,000 records): Data compromise disclosed by retailer in January. The breach resulted in HarborOne having to block and reissue about 9,000 debit cards.
* June 7
Huntsville, Ala. (400 records): As many as 400 people and banking institutions may be victims in a credit card or debit card cloning. In Alabama and Georgia card numbers were stolen after the cards were used at Huntsville restaurants and carry-out businesses.
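The inventory step Givens recommends and the field-level protection Friedland describes, as an added Python example that is not the page's own code and not CoSort's product: it scans constructed donor records for Social Security and card-number patterns, then replaces only those fields with keyed pseudonyms, keeping a custodian-held vault for recoverable pseudonymization or no vault for non-recoverable anonymization. The SSN regex, the Luhn check and HMAC-SHA256 tagging are assumptions made for the example, not a description of any vendor's method.

```python
import hashlib, hmac, re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # assumed U.S. SSN layout

def luhn_ok(digits):
    """Luhn check-digit test that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Return 'ssn', 'card' or None for one field value (constructed rules)."""
    if SSN_RE.match(value):
        return "ssn"
    digits = re.sub(r"[ -]", "", value)
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "card"
    return None

def inventory(records):
    """Inventory step: map each field name to the sensitive type it holds."""
    found = {}
    for rec in records:
        for field, value in rec.items():
            kind = classify(str(value))
            if kind:
                found[field] = kind
    return found  # empty dict: no SSNs or card numbers on file

class Pseudonymizer:
    """Keyed, deterministic tags per field; recoverable only via the vault."""
    def __init__(self, key):
        self.key = key
        self.vault = {}  # tag -> original; stays with the data custodian
    def protect(self, rec, fields, recoverable=True):
        out = dict(rec)  # non-sensitive fields stay usable in the clear
        for f in fields:
            tag = hmac.new(self.key, str(rec[f]).encode(), hashlib.sha256).hexdigest()[:16]
            if recoverable:  # pseudonymization: the custodian keeps a way back
                self.vault[tag] = rec[f]
            out[f] = tag     # recoverable=False: anonymization, no way back
        return out
    def reidentify(self, tag):
        return self.vault[tag]

DONORS = [  # constructed sample records, not real people or numbers
    {"name": "A. Donor", "city": "Fresno", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"name": "B. Donor", "city": "Evanston", "ssn": "987-65-4321", "card": "n/a"},
]
```

Because the tag is deterministic under one key, the same person can be followed across departments, while only the holder of the vault can turn a tag back into the original value.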