The University of Pittsburgh has alerted its alumni that a stolen laptop contains their information, including Social Security numbers and names. Former students were alerted August 27 of the theft from Mervis Hall. The university has declined to release any specific information, including how many were affected by this latest potential data breach. What is quite clear, however, is that this wouldn’t be an issue had the university made the installation of laptop encryption solutions a requirement for all administrative computers.
Well, actually, I’m assuming that the computer in question was university property. It could have been a personal notebook computer. Regardless, a university employee was working on some kind of survey that required the opinion of graduates from the College of Business Administration, and had stored the information on the laptop. According to a university spokesperson, this was in violation of university rules, since only the registrar has the need (and I presume the authority) to store such information. My guess is that by “such information,” they’re referring to sensitive personal data such as the SSNs in question. I mean, someone conducting a survey has to be able to record the results somewhere.
Which leads to the question: did the employee get the sensitive information prior to, while, or after conducting the survey? Because, depending on when that person got such information, we have grounds for further finger pointing. Let’s face it, the employee in question showed poor judgment. He or she saved information on a computer without any form of data protection (hm…now that I think about it, this is an assumption on my part as well. The problem is that the University of Pittsburgh is not releasing any useful information). File encryption or disk encryption would have gone a long way toward keeping the alumni information safe.
But those SSNs don’t fall from heaven—they have to be given out. Did the employee ask for the information from those being surveyed? If so, I’d say that the (possibly) eventual victims ought to share the blame. Why would anyone release their SSN information, in this day and age, for something so trivial and prosaic as a survey? I’d have hung up on that person or ignored their e-mail. (Pfft…asking for my SSN…) Or, if the information was not shared by the alumni, but taken from the university records, either before or after the survey was done, why was the employee given access to such records? What’s the point of having SSNs included in a survey, anyway? Isn’t the point of a survey to give honest opinions? No one gives out honest opinions if they’re being tagged like cows.
The answer—again, I must assume—is to ensure that the same person is not surveyed twice. If there are two or more Bob Smiths with two different addresses on your list, how do you know if they’re the same person or not? After all, you don’t want to be surveying the same person twice. You need a unique identifier. An SSN would do the job admirably. So would a student ID, which, for most alumni, is also the SSN. Of course, you could also use a combination of date of birth and date of graduation as a unique identifier. The bigger problem in this story may be that the employee in question was able to access the information in the first place.