August 17, 2005
U.S. Colleges Struggle to Combat Identity Theft
LOS ANGELES -- Despite their image as leafy enclaves of higher learning shielded from the real world, universities across the United States are finding themselves on the front lines of the battle against identity theft.
With their huge databases, universities may rival financial institutions as attractive targets for the crime, estimated to affect over 9 million Americans a year at the total cost of more than $50 billion, experts said.
Nearly half of the publicized incidents of data breach since January occurred at universities, according to the San Diego-based Identity Theft Resource Center.
The focus on campus computer security comes as pending legislation in Congress seeks to address on a national level the growing problem of identity theft, in which criminals steal personal information so they can impersonate the victim to obtain credit and drain money from financial accounts.
In academia, major institutions like the University of California system and smaller private schools from Tufts to Stanford are equally affected as hackers exploit computer vulnerabilities to access sensitive data and laptops get stolen.
The problem is hardly new, but available data are incomplete. California, for example, only recently starting to require disclosure after a data breach. Some experts say that universities only contribute to 20 percent of all breaches nationally.
"(Universities) are certainly getting a collective black eye," said Beth Givens, director of the San Diego nonprofit group Privacy Rights Clearinghouse. "I suspect there's a lot of hand-wringing in universities these days. Those in the IT departments are starting to tell administrators, 'See, I told you so, we have to have better control."'
Universities provide a target-rich environment for identity thieves -- an abundance of computer equipment filled with sensitive data and a pool of financially naive students.
"A lot of times younger people think, 'I don't have a lot of money, so I don't have to worry about this."' said Dennis Jacobe, chief economist at Gallup. A recent Experian-Gallup poll found that a quarter of surveyed consumers under 30 said their personal information had been stolen.
The academic culture that embraces the open exchange of information lends itself to identity theft. Add to that diffuse tech systems and independent departments and the struggle to stifle breaches becomes even more challenging.
"Because we're so big we're kind of decentralized," said Anthony Wood, director of academic computing at the University of California, San Diego, which has experienced several data breaches in the past year. "Academic freedom (tends) to have people doing things on their own. And because we have so many (Internet) addresses, we're more visible."
Wood said the school has gone beyond hardening its network to educating users on the dangers of keeping unencrypted files containing sensitive data on their computers and the vital need to maintain security patches.
The costs of doing little can be high. Rodney Petersen of Educause, a nonprofit group focused on the use of information technology in higher education, says breaches involving more than 50,000 people entail between $300,000 to $500,000 in notification and investigation costs.
LEGISLATION SPURRING CHANGE
The awareness of campus identity theft in California is a result of the 2003 state law requiring notification by state and public entities if a third party acquires encrypted personal data. A bill by California Sen. Dianne Feinstein to enact similar national legislation is one of many working their way through Washington.
Another state law forbidding the public posting of social security numbers has led more schools to scrap the common practice of using them as student identifiers, said Joanne McNabb, chief of California's Office of Privacy Protection.
These laws have the "biggest impact on changing practices that are helpful to protecting privacy," she said.
But some say change will be slow until parents begin boycotting schools with recurring breaches.
"Follow the money," said Linda Foley of the Identity Theft Resource Center. "The retail industry has a financial reason to implement some safer information handling because they're losing money each year. Have universities lost any money on this? Not a penny."
But McNabb disagreed, noting that schools "have things at stake, too."
"Generally, (the university is) a public-spirited type organization. It certainly doesn't want to be doing this to students."