As you are aware, intellectual property and personally identifiable information are hotly traded commodities on the cyber black market. A recent report by the industry trade magazine Information Week lists the average cost of a data breach, globally, at about $3.43 million per incident and $142 per compromised record.
Academic institutions are not immune to these risks. In fact, we are custodians of a very significant quantity and broad base of Personally Identifiable Information (PII), the very information that is useful for fraudulent activity, such as opening lines of credit, getting loans, signing leases, etc. The information in university databases is often sensitive, containing, for example:
- Financial data (e.g., tax receipts, account information - credit and non-credit)
- Health information (e.g., medical and insurance records)
- Personal identifiers (e.g., Social Security numbers, university IDs)
- Class lists
- Student records
- Research data
Some incidents of University exposure you may have read about include the 2009 University of North Carolina incident, where a hacker broke into a UNC Chapel Hill computer server on which the personal information for approximately 160,000 women was stored as part of a research project. Another is the more recent data loss at Rice University, where a device containing information involving about 7,250 Rice faculty and staff, along with some students and retirees, was stolen just a few days ago. One of the files contained a list of Rice employees and students on the Rice payroll as of January 2010 and included information such as names, addresses, birth dates, employee identification numbers, salaries, emergency contacts and Social Security numbers. Even closer to home, the City University of New York announced at the beginning of September that it had lost names and Social Security numbers when a computer was stolen that contained the names and information of 7,000 City College of New York students.
The portability and accessibility of the personal data used by staff, researchers and students make academic institutions a prime target for identity thieves. Compounding the problem is the transient nature of academic populations (changing every 3-4 years).
It should also be noted that academic institutions, Fordham specifically, seek to foster a culture of trust. Communities that put a premium on trust and honesty are often easy victims for identity thieves due to their lack of screening and personal data security.
Data loss can affect the lives of:
- Former applicants to the institution
- Current students and their families
- Loan guarantors for individuals listed as co-signers on student loans
- Foreign-exchange students
- Professors and school employees
- Potential students, current students and their parents and research participants (potential and past).
Beyond the immediate damages of a PII breach, recovery and clean-up, a data breach can have a negative effect on an institution's brand, adversely affecting relationships through alumni and other support.
To this end, I have asked the University Information Security Office, under the Executive direction of Jason Benedict, to develop a set of policies, procedures and guidelines that will help mitigate the risk and secure our intellectual property and data assets. Specifically, I have directed them to look into encryption standards, privacy regulations and data loss prevention technology that will protect the University's interests. I ask that you give them your full cooperation.
Frank J. Sirianni, PhD
Vice President and CIO