Privacy & Compliance >> Better Safe Than Sorry
Here’s what’s happening with privacy and compliance legislation—and
why it’s in your institution’s best interest to keep up.
Two thousand. 145,000.
380,000. 600,000. What do these numbers have in common? Each number relates
to a security breach within the past year in which a computer holding sensitive
personal information in California was compromised. The numbers represent the
number of people whose personal data had been potentially compromised in each
incident. Though these are only a sampling of such incidents, together they
put more than a million people at a higher risk of identity theft, at least
potentially. How could this be allowed to happen? Why aren’t companies
keeping data secure?

[Photo] Sun Chairman Scott McNealy delivers his famous 'Get over it' speech in '99, and the battle for stricter privacy legislation is on.

These are the questions that typically come to mind when a letter arrives notifying
a computer user that his data may have been compromised due to a computer security
breach. No doubt, the recipient of that notice also experiences the fear that
an unscrupulous person may now be stealing his identity [see “The Power
of Who,” January issue, www.campus-technology.com/authentication],
not to mention the accompanying anger with those responsible for allowing the
privacy debacle to happen in the first place. It’s a natural reaction:
Identity theft is now the fastest-growing crime in the nation, and the damages
to credit and reputation can take months or years to clean up. So why is more
care not being taken to protect privacy?
Motivating disclosure. The truth is, a lot of care
is being taken to protect personal data, by organizations that collect it for
one reason or another. Colleges and universities are no exception: We do take
great care to protect personal data we are responsible for, whether it is social
security numbers during registration for classes, or credit card data for purchases
at the bookstore. Nevertheless, most of the incidents referred to previously
were computer security breaches that occurred anyway, at institutions of higher
education in California. We know about these breaches because they eventually
made it to the media, and importantly, that’s because a new law in this
state requires disclosure of security breaches of computers containing personal
information of California residents. Notifying people whose personal information
may have been compromised helps to alert them to the possibility of identity
theft.

Sen. Feinstein (D-CA) pushes for federalization of privacy breach notification.

But organizations responsible for disclosing breaches of personal information
in California now have new reasons to do this well: If they do, they may avoid
remediation costs and negative media attention. And in the future, these same
incentives for action may spread nationwide, as the principles of this legislation
form the basis of a federal counterpart (S. 1350) being proposed by Senator
Dianne Feinstein (D-CA). Yet, this is only one of the new reasons colleges and
universities have to concern themselves with protecting privacy.