Privacy Practices Get a Failing Grade
Colleges and universities are a gold mine of data -- personal information about students and employees, the fruits of research efforts, information about the reading habits of library patrons, even patient data for institutions with medical schools. That store of information -- and the fact that the institutions often don't have sufficient security procedures or clear-cut privacy policies -- makes them targets both for identity thieves and for government officials seeking sensitive data, appropriately or not.
“Universities are unique in the volume and sensitivity of the data we collect. We do poorly in dealing with policy, and the failure to take action is troubling,” Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University, told dozens of university chief information officers at a policy conference sponsored by Educause, a higher education technology group.
The session, "Safety, Security and Privacy: The Politics of Surveillance," included discussion about the well-publicized incidents of security breaches of campus technology networks, but it focused most heavily on the tension between government requests for data and the university's interest in protecting students' and employees' privacy.
Cate said that government agencies are putting increasing pressure on colleges to release the sensitive data they collect, as recent controversies over the USA Patriot Act have shown. “I’m not suggesting that these are all illegitimate requests. We are becoming a supplier of data because we have it,” Cate said.
What sometimes happens, he added, is that university officials hand over information without demanding that the requester get a court order because they either aren’t familiar with their institution’s privacy policies or they don’t want to be perceived as standing in the way of a free flow of information.
Recent research conducted at Bentley College backs up Cate’s assertions. Of the 236 universities and liberal arts colleges included in the Bentley-Watchfire Survey of Online Privacy Practices in Higher Education, just 65 have privacy notices linked from their home page. Each institution had at least one instance of a Web page without a link to a privacy notice.
The Bentley study also cited data collected by the Office of Privacy Protection in California showing that since 2003, nearly one in four cases of information security breach in the state involved a college. In one recent case at the University of Texas at Austin’s business school, students, alumni, faculty and staff members had their Social Security numbers potentially exposed.
Students are susceptible to identity theft because of the regularity with which they post personal information on social Web sites such as Facebook.com and MySpace, Cate said. Colleges sometimes willfully provide student or alumni information to credit card companies in exchange for monetary rewards.
Mary J. Culnan, the Bentley College professor who wrote the online privacy practices report, said that “the higher education world enjoys a tremendous amount of trust with the public, and they’ve operated in an environment where [security breaches] haven't been a problem in the past.”
Culnan said it’s time for colleges to catch up with the private sector, which she said has put an emphasis on protecting itself from identity theft and fraud. She said the first step is for colleges to add privacy notices to their Web pages. “If you don’t have a privacy notice, it says to the public that you don’t have any formal policy. And if you have a policy that’s not backed up by governance, that’s another problem.”
W. Lee Hisle, vice president for information services at Connecticut College, said incoming faculty on his campus are required to take classes on security procedures. Cate said students, who are often perceived to be ambivalent about privacy issues, will take notice if security becomes a persistent problem. “The moment it compromises their safety, they get angry,” he said.