In the past two years, the University of California has admitted
to losing personal information on about a million individuals. The
frequency and severity of these security lapses is evidence of how
desperately reforms are needed.
Security breaches at UC Berkeley, UC Davis, UC San Francisco and
UCLA have jeopardized the social security numbers, donor histories
and other sensitive data of students, applicants, research
participants and blood donors.
The worst incidents occurred at UC Berkeley, where a hacker
gained access in August 2004 to the social security numbers of
600,000 research subjects, and at UCLA, when someone in November
2003 stole a laptop containing social security numbers, names and
dates of birth of people who donated to UCLA Healthcare Blood Bank
in the preceding 15 years.
On Thursday, UC Berkeley Chancellor Robert Birgeneau apologized,
saying, “Our students, staff and alumni expect us to protect
the information they have given us confidentially, and we have not
maintained that trust. Accountability for this effort ultimately
lies with me.”
But the responsibility for preventing future incidents should be
shared. This week, the San Francisco Chronicle reported California
Sen. Dianne Feinstein plans to introduce federal legislation
requiring additional safeguards against identity theft. A bill
already being considered by the Senate Judiciary Committee, also
introduced by Feinstein, would expand California’s
notification laws to the national level.
Guaranteeing individuals be notified when personal information
is compromised is an essential right, but it is only part of the
solution. Preempting information theft is critical, and
Feinstein’s efforts to ensure such data is encrypted and
stored only on secure computers should be supported.
Our digital lifestyle has made it far too easy to compromise
privacy. When the identities of hundreds of thousands of people are
rolled together into nothing more than a file on a laptop,
it’s disturbingly easy for those possessing the information
to lose respect for its value.
A UCLA memo in June 2004 said it best: “The best defense
against unauthorized access to sensitive data is not to have the
data in the first place.”
Organizations must be more critical of what types of information
they collect. For example, when UCLA lost the personal information
of blood donors in 2003, it became apparent it never needed to
collect social security numbers from donors.
When an agency decides it must collect personal information, it
should be more proactive in ensuring it’s encrypted and
stored on secure computers. Necessary, sensitive information must
be subject to numerous levels of protection. A laptop or CD is
never an appropriate storage place for such valuable
information.
In light of such breaches ““ at least five at UC campuses
in the past two years and many more at private companies ““ it
has become apparent that the government must mandate tighter
security procedures.
The UC has been a significant contributor to the problem, and it
should lead in establishing standards that provide trustworthy
solutions.