It is nearly impossible for an educational institution to stay current with data privacy
A day doesn’t go by when headlines in newspapers and alerts on the Internet proclaim another outrageous data breach. We receive e-mail notifications from retailers telling us that our data has been exposed and that we need to take certain measures to protect ourselves from identity theft. Privacy laws in the United States are changing rapidly. The federal government and state legislatures have placed the privacy of consumers’ personal data high on their radar screens.
Last year, more than 35 bills were introduced into the U.S. House and thirty-three separate and unrelated bills were introduced in the Senate related to data privacy. The bottom line is that the protection of personal data and the enhanced regulation of privacy and security standards of businesses, including educational institutions, should be a high priority.
Why the concern? Take a look at the Privacy Rights Clearinghouse website www.privacyrights.org. It is scary.
It contains a daily tally of the number of records that have been breached. Educational institutions have had their fair share of breaches. Some of the breaches listed on the website include a breach on Jan. 12 at Arizona State University where an encrypted file containing user names and passwords of 300,000 individuals was downloaded by an unauthorized person. It caused the university’s online services to shut down and all users were required to enter new passwords.
On Nov. 29, 2011 the dining-services registers at the University of California were compromised by a cyber hacker who stole and fraudulently used 5,000 students’ credit and debit cards, including access to their PINs.
What are the obligations of the institution to notify when a breach has occurred? It depends on the type of data involved. Thirty-six states have enacted different breach-notification laws that generally require notification to an individual if there is a reasonable belief that the breached information can be used for the perpetration of identity theft or another harm against the individual.