
Data Security

I knew that data theft was a big problem, but I didn't know how big. Then I came across this web site that has tabulated all of the known data breaches in the US. It is called the Privacy Rights Clearinghouse. It is an excellent resource on data security and privacy.

If you take a look at the tables of data breaches, you'll see a lot of them involve large data sets at public universities. Some are due to lost or stolen laptops. Others are the result of hacking activities.

The hacking jobs remind me of one that occurred at UT Austin McCombs School of Business in 2006. The associate dean, Allison Davis-Blake, had just been named the dean of the Carlson School of Management here at the University of Minnesota, and I was at Carlson at the time. The breach was a pretty big deal, affecting 197,000 student records. What's not shown on the PRC table linked above is that it was an inside job. An employee with access downloaded the data with the intention of selling it.

The UT Austin case underscores an important point: we tend to believe that data hacking is only done by mean people in China and Uzbekistan, but often it comes from within. We can do everything to secure our systems to the outside world, but it means nothing if we do not have the proper controls and auditing in place internally. Nowhere is this more important than at a university, where there are thousands of students working on the same networks as the IT systems, where administrative offices are often housed in the same buildings as classrooms, where student data is replicated across systems in every college, and where there is no central control on data security.

The consequences of a data breach at a university can range from a PR nightmare to hefty fines. Student data is regulated under FERPA and medical data under HIPAA.

Unfortunately, people are content to put data security off until a later time. It is one of those IT services, like backups, that don't really deliver any value in return for the investment. I think there is a general understanding that security is important, but most people prefer to tempt fate and put security off in favor of more glamorous projects. Or they have immediate problems to deal with and can't afford to switch to security. I don't know what I can do other than to keep bringing it up.

I've seen the fallout from a couple of security breaches and it is not pretty. People look for someone else to blame, sometimes people lose their jobs, and every time there are a few administrators who put in a lot of extra hours to rebuild affected systems. It is something I hope I never have to deal with.