Big data, redux
By compromising the social security numbers of roughly 18,700 students, the University nabs the starring role in a data-security farce
We’ve repeatedly called on the University to be more transparent. Its disclosure of students’ social security numbers was not what we had in mind. The 18,700 or so students who recently received Aetna Health Insurance mailers with their social security numbers stamped on the envelopes’ fronts will likely agree. Between last summer’s opacity and this summer’s recklessness, it might take until summer 2014 for our school to strike a sane middle ground when it comes to what information it shares and what information it protects.
This month’s mailing error was not the first time the University has failed to exercise due diligence to protect vulnerable data. Last June, officials accidentally posted more than 300 transcripts, some containing social security numbers, on a University website. And in 2006 a computer programming error caused a spreadsheet listing the social security numbers of 632 students to land in other students’ email inboxes.
Given the importance of respecting sensitive information in a so-called “digital age,” one would expect an institution as large and as eminent as the University to have protocols in place to ensure private data stays private. The University’s information-security procedures are indeed fairly robust. The University’s Institutional Data Protection Standards classify social security numbers as “highly sensitive,” and social security numbers can be transmitted only via encrypted channels. The trouble with the recent mailing, of course, is that the social security numbers should not have been sent to Aetna at all.
The University in 2008 launched an initiative to phase out its use of social security numbers in favor of University ID numbers. In the past, University ID cards displayed social security numbers on the front. A 2008 document informing departments of the SSN initiative promises that the University will “authorize the fewest number of people possible to access SSNs in both electronic and non-electronic form.” Such authorization clearly does not extend to whomever might be looking at students’ mail.
In allowing students’ private data to be compromised, the University failed to live up to its information-security procedures and cast doubt on the efficacy of its SSN initiative. The mailing may also have violated state law. Virginia Code prohibits cod 2.2-3808 agencies from sending or “causing to be sent or delivered any letter, envelope, or package that displays a social security number on the face of the mailing envelope.” Another section cod 59.1-443.2 of Virginia Code dealing with social security privacy notes an exemption for public bodies, which state law defines to include boards of visitors of public higher-education institutions. Whether the University will manage to sidestep legal culpability because of this provision’s public-body exemption remains to be seen. Aetna may not fare as fortunately.
The madcap mailing mishap has all the elements of farce. First, Student Health used an outdated computer program to mine student data from SIS. This lapse caused students’ social security numbers to be released to Aetna, the company the University works with to provide student health insurance. If any staffer was managing the information transfer, he either neglected to glance at the data being sent to Aetna or conducted the transfer while blindfolded.
At Aetna, the administrative slapstick continued. The company violated its own rules by failing to review the mailing labels before sending the information to a third-party mail vendor. The mail provider then continued the trend of blindly passing on sensitive information. This point in the story is where a small but not insignificant missing piece remains. Aetna and the University have yet to release the name of the mail vendor. Regaining students’ trust after an error of this magnitude requires openness. For transparency’s sake, they should tell students which firm mailed the brochures.
A final twist: For the many students who are on their parents’ health plans, or who would otherwise choose not to purchase student health insurance through Aetna, the mailer was little more than glossy kindling. A substantial portion of the 18,700 students who had their private data compromised did not need the brochure in the first place. And approximately zero students needed their social security number stamped on an envelope and mailed to them.
The comedy of the situation is undeniable. But don’t expect any University student whose identity is seized to crack a smile. A breach of this magnitude makes identity theft close to inevitable for at least a few students. And identity vultures are unlikely to place much stock in the honor code.
In accordance with its data-protection standards, the University has offered free credit monitoring to affected students. We encourage students to read the fine print before signing up for any service.
University President Teresa Sullivan announced in an email Monday evening that she had appointed the always-able Chief Operating Officer Pat Hogan to chair a task force to review the University’s information-protection policies. In addition to studying policy, the task force should review the technologies the University uses to house sensitive data. This month’s incident was a result of outdated technology and human carelessness more so than it was a failure of policy. For the task force to issue meaningful recommendations, it must examine not only what the University pledges on paper, but also how the University implements — or fails to implement — its procedures.