Today, the Associated Press reported that University of California Los Angeles (UCLA) officials have alerted about 800,000 current and former students, faculty and staff that their names, social security numbers, home addresses, and birth dates were exposed during a year of data security breaches. The attacks began in October 2005 and weren't detected or stopped until November 21 of this year. Here's a link to the article on CNN.com.
"We have a responsibility to safeguard personal information, an obligation that we take very seriously," Acting Chancellor Norman Abrams wrote in a letter sent to the affected individuals. "I deeply regret any concern or inconvenience this incident may cause you."
If I were one of the "affected", I would find Abrams' assertion that UCLA takes data security "very seriously" laughable. UCLA may want to take data security seriously, but failing to detect these attacks for a full year is shameful.
Unfortunately, UCLA is but the latest organization to put personal data at risk. The past year is littered with stories of lost laptops, missing backup tapes, and database breaches. So, what can we do to ensure our data isn't stolen from large databases? Nothing.
Take the UCLA case: I doubt students or university employees can refuse to supply their social security number. These numbers are used for financial aid, payroll processing, and a host of other record-keeping tasks. Neither can the affected individuals take their business elsewhere. Is a senior really going to leave their school a few semesters before they graduate? Are faculty and staff going to quit en masse? No. They may want to. They probably should. But the reality is they can't, and organizations know it.
Other than a few days of bad press, UCLA will suffer little from this serious security lapse. The same is true for most organizations that lose personal data or have it stolen. For the most part, customers, employees, and members have little if any recourse against the organization that lost the data. And herein lies the problem.
Yes, ChoicePoint did pay $15 million to settle Federal Trade Commission (FTC) charges that its lax procedures violated consumer protection laws, but this is the exception, not the rule. ChoicePoint was also a private firm handling customer data, not a public institution. Furthermore, the FTC derives much of its authority to fight lax data security procedures from the Financial Services Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, which applies to financial institutions. Although the GLB Act provides a broad definition of "financial institution", it clearly does not cover institutions like UCLA. And while the Family Educational Rights and Privacy Act (FERPA) might cover the release of UCLA student data, I haven't seen one case where the U.S. Department of Education has withheld federal funds, as FERPA allows, from a university that has lost or had student information stolen.
As the number and scope of personal data breaches rise, Federal, state and local governments must either step up to the plate and get serious about protecting our private information or give consumers and employees the tools to hold organizations accountable. A free annual credit report just doesn't cut it.