A story regarding the University of Missouri is making me wonder whether they really have not had a breach, as they claim. After all, some conditions under the Missouri data breach notification law are met. On the other hand, the law specifically states that notification applies to computerized data.
Data security breach notification laws went into effect in Missouri last August. One of the big highlights was that the use of encryption software like disk encryption provided safe harbor from making a breach public. I assume this is because the use of encryption software renders the breach moot--even if the data is in the hands of some criminal, the information cannot be accessed.
So what constitutes a breach? While there are numerous factors, I'd like to point out that losing an individual's first name and last name and a Social Security number is considered a breach. (Lose just two out of the three, and it isn't a breach).
The reason I bring up the above is because UM had an envelope glitch, where students' SSNs were displayed through the window on the envelopes. (The SSNs were there because these were IRS tax forms regarding tuition payments.)
The university does not know how many people were affected. It's believed that the mistake arose from incorrect folding or the like.
This is where it gets interesting. This implies that SSNs were viewable through the address window on the envelopes. I assume addresses were also viewable through this same window. Addresses generally contain the recipient's first and last names.
First name, last name, and Social Security numbers: this is a data breach per the Missouri breach notification laws.
The university doesn't think so:
"The university takes very seriously the protection of its student information," [university spokeswoman Hollingshead] said. "We always regret when something happens. But it wasn't a security breach. While we're sensitive to the issue, we're thinking the risk is relatively low."
I'd agree with this assessment that this is not a data security breach (and, no, I'm not a lawyer, so none of this represents legal advice).
Note that I'm not saying there is a relatively low risk of anything: even with a low risk of anything untoward happening, like ID theft, a breach is a breach, period.
However, I had to change my stance regarding the issue. Initially, I reasoned that the name and SSN combo would mean that this is a data breach. I took another peek at the legislation, though, and noticed the following definition of "breach of security":
"Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information. [my emphasis]
Per the law, the University of Missouri is right; they didn't have a security breach, since the information that was exposed is not in computerized form. It was printed on paper.
And I'm guessing that's pretty significant, because other states have passed similar breach notification laws where a breach occurring from incorrectly discarded paper documents also triggers breach notifications.
Related Articles and Sites:
http://www.columbiatribune.com/news/2010/jan/20/envelope-glitch-gives-peek-at-data/
http://www.columbiamissourian.com/stories/2010/01/19/mu-student-social-security-numbers-may-have-been-visible-tax-form-envelope/
http://www.house.mo.gov/billtracking/bills091/biltxt/truly/HB0062T.HTM