Alumni Data And University Administrative Functions: Data Encryption Is Vital, For Now.

There is news today that over seven thousand former students of the University of Cincinnati were affected in a data breach.  A flash drive with sensitive information on 7366 students and graduates was stolen from an employee’s desk.

One of the people interviewed for the article, Cybil Pearson, stated that she had not been at the University of Cincinnati since 1997, so this is a surprising and annoying development for her.  Like many people entering their thirties, she’s probably in a state where she monitors her credit carefully as her carrier takes off and she begins to have several opportunities for investing assets, be it a new home or otherwise.  If somebody were to take over her identity, it will be a huge setback for her.  Trying to get things straightened out would not be easy, as detailed numerous times in the media.

One might wonder, why is a university hanging on to this information in years after graduation?  In many ways, purging information on students who are not enrolled in academia would be a way to protect former students from potential harm.


However, for an academic institution this would not be an option.  For starters, admission to, and graduation from, an institution of higher learning means that you belong to a particular tribe—also known as being an alumnus (or alumna, for our female readers).  While it’s doubtful that they will sell alumni information, such as mailing addresses, the university will send former students newsletters, letters, requests for donations, and other missives.  I know I’m getting hit every year for pledges. (On a personal note, I’m not sure how they found me—I never updated my address with them.)


At this point, you’ll probably be thinking, “but why keep Social Security numbers?”  I don’t know about other uses, but I recently had to get a new copy of my diploma, and one of the information fields that they were asking for was a Social Security number.  It kind of makes sense: you don’t want to be releasing an official university diploma to the wrong person.  Common names, such as Robert Smith, could match up and the wrong diploma could be issued (School of Engineering vs. School of Medicine).  But if you have a unique identifying number, such as a Social Security number, it’s much easier to verify the validity of the request, in combination with a signature, and much harder to make a mistake.  The same goes, I would assume, for issuing transcripts.


Granted, lots of academic institutions are weaning off Social Security numbers as distinct student identification numbers, and issuing their own to prevent future problems.  This might not be the best method, however.  As an international student at my alma mater, I was issued a student identification number since I did not have an official US Social Security number at the time of enrollment.  When filling in the Social Security number field for the new diploma form, I knew from experience that I was supposed to provide my student ID number—except I couldn’t remember it.  And, I have not kept a copy of it because it is a student ID number; I figured it would be worthless to me once I graduated.  On the other hand, if it had been a Social Security number that was being used, you can bet I would have remembered it.


Long story short: purging data is not really an option for academic institutions, unlike retailers who are required to purge stored credit card information after a certain amount of time.  They can use identifiers that have a lower potential of risk for current and incoming students, but this is not feasible for former students.  So, if that’s not an option, what could the University of Cincinnati have done or do going forward?


To begin with, I would take a look at my current data security policy.  When it comes to dealing with sensitive information of current and former students, would I want people to have small storage devices such as a USB flash drive in the premises?  And if so, what contingency measures do I have in case a small storage device gets lost or stolen?


Information in use implies information in motion.  Perhaps the University of Cincinnati uses flash drives to transfer data, as opposed to using e-mail which has its own set of potential problems.  If that’s the case, encrypting the data prior to transferring it to the flash drive or encrypting the flash drive itself, just like you would encrypt an entire laptop, would be necessary.  AlertBoot would’ve helped in such a situation, either with content encryption or device encryption or both.  If external storage devices are not to be used, there’s a need to control which devices can be connected and given access to computers.  Application control, another service offered by AlertBoot, would have been extremely useful for specifying what can be connected to ports, USB or otherwise.

Comments (0)

Let us know what you think