The use of laptop encryption in higher education, especially by faculty and staff, seems like a no-brainer to me. After all, such computers are full of personal information, not only of the devices' owners themselves but also of the student body (they still use SSNs as student IDs, don't they?).While the Department of Education may not openly require the use of encryption software, it's always a good idea. Even if you think that your computer is properly protected behind locked doors. Why? As the University of South Carolina shows us, doors can be busted.
According to databreaches.net and a breach notification letter posted at abccolumbia.com, the physics and astronomy departments at the University of South Carolina experienced a data breach when a laptop was stolen from a locked room. The data breach affected 6,000 students who were enrolled in physics and astronomy classes at SC between January 2010 and today.The breached data involved full names, SSNs, and other personally identifiable information. While disk encryption for student data was not employed, password recovery was used (which is tantamount to applying leaches to a massive melanoma – in other words, less than useless) and the laptop was stored in a locked room.Considering the type of information that was being stored in that room, however, it surprises me (well, maybe it doesn't. I've heard of worse, actually) that these were the only things between a sensitive data and a burglar. One wonders: if the Department of Education also had a policy of issuing monetary fines – like the Department of Health and Human Services, which can impose a penalty of up to $1 million – for preventable data breaches, would the University of South Carolina relied only on a door for their security needs?You know what's really surprising, though? That in the past three years, 6,000 students were enrolled in physics and astronomy courses. (And, personally, this is music to my ears.)
Many universities and small colleges have undergone the process of replacing student ID numbers with something other than SSNs. This is a great first step towards data security. After all, you can't have a data breach on what you don't collect.However, personal information encompasses more than SSNs alone. A student's grades, for example, are also subject to protection. Naturally, these scores have to be linked to some form of identifier, be it a first and last name, a student ID number, or whatever.In fact, that such information has to be linked to an identifier means that the potential for a data breach is always there. Not using proper protection, then, is an invitation for future data breaches.