Universities vulnerable to ID thieves

Universities also need to communicate freely with other educational institutions and the public to foster research.

"On the academic side, we want people to see what we do and who we are, within limits," said David Farber, professor of Computer Science and Public Policy in the School of Computer Science at Carnegie Mellon University.

Universities do take seriously, however, the need to separate sensitive personal data from academic data that is more open, Farber said.

"On the administration side of the house, they are running a business and should behave like a business," he said.

Tougher penalties for data breaches also need to be enacted, said Robert Brownstone, an attorney at the Silicon Valley law firm Fenwick & West LLP.

Despite several attempts, there is no strong federal law mandating that universities notify everyone whose information has been compromised due to security breaches. Laws in 33 states vary in notification requirements placed on universities and corporations.

Notification is not enough, Brownstone said. Tough financial penalties also need to be included in future legislation.

"It's kind of a backward stick," Brownstone said. "Theoretically, it would make a company want to take tougher security measures. But if the only real penalty is you have to send a notice out, even that strong statute is deficient."

Credit card numbers, Social Security numbers, dates of birth and other items of personal information can be sold on the black market and used to make illegal online purchases. Young adults, with their usually blank credit histories, make ideal targets for identity theft.

The UCLA and University of Texas breaches are among the latest involving universities, financial institutions, private companies and government agencies.

This spring, Ohio University announced the first of what would be identified as five cases of data theft, affecting thousands of students, alumni and employees — including the president. About 173,000 Social Security numbers may have been stolen since March 2005, along with names, birth dates, medical records and home addresses.

In 2005, a database at the University of Southern California was hacked, exposing the records of 270,000 individuals.

MORE FROM SECURITY

Security Section Front

Internet activists push for greater democracy EU assembly adopts Internet, phone user rights 'Mr. Right' grifts widow's $50K in Web scam U.K. cops arrest people ‘just for the DNA’ Virus attacks ‘jail broken’ iPhones China attacks ‘biased’ U.S. cyber-spying report Chinese military Web site target of cyberattacks FBI: Hackers targeting law and PR firms House pushes ban on peer-to-peer software Facebook hit by ‘Control Your Info’ intruder Security Section Front   Add Security headlines to your news reader: