Academic Institutions and Identity Theft: What You Need to Know
From past applicants and alumni, to current students and faculty, academic institutions store an ever-growing database of personal information, making them a prime target for identity thieves. This wealth of data also signifies the growing constituency to Identity theft and data security breaches pose serious threats to which they are accountable.
ID theft expert Brian Lapidus, senior vice president of Kroll Fraud Solutions (www.krollfraudsolutions.com), is very familiar with the data security risks specific to today's academic institutions. Lapidus oversees a highly skilled team that includes veteran licensed investigators specializing in supporting breach victims and restoring individuals' identities to pre-theft status. Here, he speaks with University Business to answer some of the top security questions, and discusses the key protections that every institution should observe.
A: There has been a major increase in the incidence of individuals affected by academic data breaches, growing from 1,877,573 in 2005 to 2,383,001 in 2006--a 78 percent increase. Data breaches within lower level (K-12) educational institutions have also been on the rise, suggesting that risk exposure is not limited to higher education. In addition, we are observing that data accessed with intent to harm (i.e., internal and external theft, hacking, etc.) is more common than accidental data loss.
These examples demonstrate some of the most recent trends in identity theft at academic institutions:
A major university experienced two separate data breaches, leaving the personal information of 17,500 students, faculty members and staff members at risk. A hacker using a foreign web address cracked a university firewall and accessed the names, Social Security numbers (SSN), employee ID numbers and birth dates of more than 14,000 staff members - more than half of whom were longer employed at the university. The second incident exposed the personal information of about 3,500 current and former students, when two laptop computers were stolen from the home of a university professor.
Another large university's population was breached when hackers compromised a server to access the personal information of some 46,000 students, faculty and staff members. The breached data included the names, SSNs and bank account information used for payroll and reimbursement deposits.
A thief stole two laptops from a major public school system's central office that contained names and SSNs of 40,000 current and former employees who contributed to the local teacher's pension fund.
A break-in at a public school system's administration storage facility exposed the SSNs (printed on time slips) of 1,600 employees including full-time teachers, substitutes and other staff members.
A: Academic institutions are at risk of a data breach primarily due to the large quantity and nature of the Personal Identifying Information (PII - the information that is useful for fraudulent activity, such as opening lines of credit, getting loans, signing leases, etc.) they house. The information in university databases is often sensitive, containing:
Financial data (i.e., tax receipts, account information - credit and non-credit)
Health information (i.e., medical and insurance records)
Personal identifiers (i.e., Social Security numbers, university IDs)
The portability and accessibility of the personal data used by staff, researchers and students makes academic institutions a prime target for identity thieves. Compounding the problem is the transient nature of academic populations (changing every 3-4 years). Finally, academic institutions tend to amass unnecessary data for long periods of time.
It should also be noted that academic institutions seek to foster a culture of trust. Many have honor codes that students must abide by, often through a contract signed upon admission, to allow for open book and take-home exams. Such communities that put a premium on trust and honesty are often easy victims for identity thieves due to their lack of screening and personal data security.
A: When a security breach of Personal Identifying Information (PII) occurs within an academic institution it can affect the lives of:
Former applicants to the institution
Current students and their families
Loan guarantors for individuals listed as co-signers on student loans
Professors and school employees
With potential students, current students and their parents and research participants (potential and past).
Academic institutions that experience a loss of PII may also experience a negative impact on critical funding Beyond the immediate damages of PII breach recovery and clean-up, a data breach can have a negative affect on an institution's brand, adversely affecting relationships through alumni support and monetary donations. Most people would think twice about giving money to an organization that has experienced a PII breach, even if it is their alma mater.
A: Due to the large amounts of Personal Identifying Information (PII) stored and used in academic institutions (i.e., through admissions, students applying for financial aid, school computer networks, campus health clinics, student registration, bursar's offices, alumni and research databases), almost all departments are at risk.
A: The top three security mistakes made by academic institutions today are:
1. The use of Social Security numbers (SSN) as a primary method of student identification. Academic institutions using this method of identification require students to give out their SSNs to various departments, professors and student workers, thus increasing their risk of exposure to potential identity theft. Academic institutions utilizing student workers or staff members who regularly access Personal Identifying Information (PII) may benefit from a relationship with a company specializing in thorough background checks.
2. The use of flash drives, unsecured wireless networks and laptops to store and transmit PII. The media is replete with stories of data breaches from network hackers or onsite laptop thefts, as well as academic staff losing their laptops offsite (accidentally or to thieves).
3. The unnecessary accumulation of PII. It is unnecessary and hazardous to keep PII of former students, employees and research participants on file for longer than is essential. Recommendations for proper data minimization include:
Don't acquire information unless it is needed.
Minimize the number of places where information is retained.
Purge data once the need for it has expired.
A: There are two answers here. The first part is what you should do before a data breach occurs.
1. Designate a privacy official responsible for developing and implementing an academic institution's plan for data minimization, privacy policies and procedures regarding the use of Personal Identifying Information (PII) and network security. These plans should be disseminated to staff and students, particularly those with broad management responsibilities (i.e., deans, vice presidents, data stewards, department chairs, senior administrative officers, researchers and IT support staff). Once policies and procedures are in place, regular audits should be conducted to maintain compliance and implement sanctions against negligence.
2. Academic institutions should be extremely cautious about allowing offsite use of and access to the PII of its students, staff and alumni. When offsite access to PII is necessary (i.e., professors processing grades via laptop), great rigor must be used to ensure that risk mitigation policies, procedures and workforce training have been effectively deployed.
3. Collaborate with an institutional breach and data security expert to map a breach response strategy and plan. An academic institution must mitigate, to the extent practicable, any harmful effect caused by use or disclosure of PII-by its staff or an outside group-to avoid potential legal action and loss of integrity.
After a data breach occurs, you should:
1. Develop a relationship with an institutional breach and data security expert so that any investigation can begin immediately and affected individuals can be notified in a timely manner. Collaborating with a company that can investigate, notify and assist breached individuals goes a long way to protecting an academic institution's integrity.
2. Specify who is in charge of any internal investigation and who will speak to the police and media. Notify your institutional breach partner as soon as possible that an incident has occurred.
3. Maintain a good relationship with local, state and federal law enforcement throughout the investigation. A positive report about an academic institution's cooperation with law enforcement helps maintain integrity and credibility.
A: One university who suffered a breach of Personal Identifying Information (PII) created a three-step program to improve security measures, lessen the exposure of Social Security Numbers in their systems and provide resources and tips for responding to identity theft concerns.
Another academic institution launched an awareness campaign to dissuade users from storing sensitive data on removable disk drives and USB devices. The institution is currently trying to encourage more encryption of stored data and is setting policies that prohibit users from downloading regulated data, such as health records, to personal systems that are connected to the school's network.
If you or your organization would like to discuss a particular identity theft protection solution or issue, visit www.krollfraudsolutions.com to get additional information or to contact a Kroll Fraud Solutions specialist.