Information Technology & Identity Theft Concerns & Information Assurance

Community College Loses Data Device with Student and Worker Info

October 21, Knoxville News Sentinel – (Tennessee) Roane State data device with student, worker info missing. A data storage device containing the names and Social Security numbers of more than 10,000 people has been missing since October 12 when it was stolen from a Roane State Community College employee’s car while it was parked off-campus in Knox County, college officials announced today. The college has issued an “ID alert” on its Web site, sent letters to anyone who may be affected by the theft and has notified major consumer reporting agencies. The device was used for work-related purposes. “Immediately after the theft, we did not want to release information that would interfere with the investigation,” said Roane State vice president. “Once it became clear an arrest, or the recovery of the device, was not imminent, we informed those affected as quickly as possible.” The device contained the names and Social Security numbers of 10,941 people, including 1,194 current or former employees and 9,747 current or former students. The device also contained the Social Security numbers only, but no names, for 5,036 current or former students. No academic records were on the device. The community college has posted more information here, www.roanestate.edu/idalert. The college has also set up a hot line to handle questions from those affected by the theft. The number is 865-882-4688 or toll-free 1-866-462-7722, extension 4688.

October 4, Newsday – (New York) E-mail error sends out students’ Social Security numbers. Suffolk Community College has agreed to pay a company for the next year to monitor the credit of 300 students whose last names and Social Security numbers were mistakenly listed in an attachment to an e-mail sent to those students last month. The college vice president, said Sunday there is “no indication” that any of the personal information has been misused, but added that the college decided “it was the right step to take the extra precaution” to minimize students’ risk of identity theft. The error, said the vice president, occurred late in the day September 17 and was discovered the next morning. She said college officials immediately shut down the server and took steps to retrieve unopened messages and attachments. She could not say how much of the personal information was recovered or whether anyone was disciplined for the security breach. The vice president declined to comment on whether the college would be liable if student’s information was misused, saying such circumstances are “conjecture” at this point. The same day the college learned of the problem, the vice president said school officials mailed a letter to inform students of the problem and alert them to immediate steps they could take to protect their personal data, including registering an alert with the three companies that monitor credit information.

Points for Consideration:

• Does your department, school, or district have information and IT device controls and protocols for handling (physical, virtual, & human) and safe storage?
• Should this personal information become, lost, stolen, or compromised does your organization know what to do? What specifics steps would you take should an information compromise occur?
• Getting rid of old cell phones, zip disks, CDROMs, and computers that may contain personal information need to be considered when discarding items.

INFORMATION TECHNOLOGY CAN BE A DOUBLE EDGED SWORD IF YOU AREN'T AWARE OF THE RISK.