IU must be held responsible

The recent discovery that someone downloaded 3,230 names and Social Security numbers, including mine, from the Bursar’s computerized records has shaken my confidence in IU. What upsets me most about the situation is the amount of time that passed between discovery and notification. In my case a total of 18 days passed between the time my information was compromised and the time I received the letter telling me that an unknown user had downloaded my name and Social Security number.

What is additionally upsetting is that the Bursar’s office kept this information within its office until Feb. 20 — a full 14 days after they discovered this information. Only then did the staff tell the University administration — 14 days during which mass publicity could have put the University on alert and helped us protect and safeguard ourselves.

Without a doubt, the Bursar’s office let down the 3,230 students whose names were compromised.

The initial letter I got from the Bursar offered no apologies, no details and no real assistance, other than two Web addresses. It was the news stories that came out after the letters that started to provide additional information — the dates of break-in, the number of students involved and the assurance the problem has been fixed.

Let me say right now I am glad the problem has been fixed, but I am still dismayed at the response of the Bursar’s office and of IU administration in general. As such, I believe IU must take tangible actions to assure students this will not happen again and that there is genuine concern on the part of the administration, as opposed to platitudes that came out in the first few days. It was not until Wednesday at the meeting organized by the Graduate Student Organization that I heard anyone from the administration apologize.

This type of incident has happened before at IU and other universities, including the University of Utah. The major difference between IU’s response and that of the University of Utah to a similar situation seems to be the level of caring. At the University of Utah, exposure happened two and a half years ago, and involved more than 23,300 students, faculty and staff. The university contacted local media even before sending out letters, to give people a heads up.

Here’s my proposed deal with affected students — it is a plan that will help assuage the fears of those students whose information was compromised and a plan that will help send strong signals to University staff members.

  • IU should provide free credit reports to affected students twice a year for the next seven years, if not longer. This step will help assure affected students IU is being responsible for its gross error — and minimize student costs associated with a mistake beyond their control. It will also bring peace of mind to many affected students.
  • Additionally, IU should compensate students for the time they have spent working on protecting their names. I would estimate that each student spent about four hours on the phone calling credit card companies and checking their credit reports; at an average rate of roughly $10 an hour, that comes to $40 each. This is real time people have lost from other productive uses of time.
  • IU should eliminate student Social Security numbers from the University’s computer systems. There is no need to have these numbers as identifiers on Bursar accounts. There is certainly no need to put them on rosters and to use them in computer systems. I realize students at the forum were told new identification numbers were going to be issued in two years, but this could actually be implemented by the end of the semester, if the University wanted. The only place IU needs to use Social Security numbers is on federal financial documents.
  • IU must reprimand the Bursar. I realize Susan E. Cote is not directly responsible (University Information Technology Services has taken blame for the actual breach), but she is ultimately responsible for everything that happens through her office. This step will help send a strong and significant message to all University staff and faculty who have access to Social Security numbers that they will be held accountable for their mistakes.

IU can learn a lot of lessons from this mistake, and I do believe it was just a mistake. Let’s hope it doesn’t happen again.

– – – – –

Correction: During the editing process an error was introduced to this column, and the following correction was printed on March 6, 2001:

“An opinion column, ‘IU must be held responsible,’ (March 2) contained misinformation. The bursar took responsibility for the breach of its database. The IDS regrets this error.”
