Officials at Indiana State University confirmed in recent weeks that the names and social security numbers of 10,420 students attending the university during the 1996 to 1997 school year were posted on the Internet due to a mistake during a database upgrade. This is certainly embarrassing for the school, but the real problem is that with someone’s name and social security number, it’s easy for a nefarious person to open a credit card or cell phone account in a victim’s name and go on a shopping spree.
Every 63 seconds, an American falls victim to identity theft. Several of my co-workers have had this happen to them within the past year, and had it not been for Colorado’s state law that allows each Coloradoan a free copy of their credit report each year, my friends might not have found out until they were turned down for a home loan or a credit card. According to attorney general John Ashcroft: “Identity theft is one of the fastest-growing crimes in the United States. An estimated 500,000 to 700,000 Americans each year have their identity stolen, and many more Americans are victimized by the crimes facilitated by the identity theft – crimes ranging from bank and credit card fraud to international terrorism.”
What happened in Indiana? More important, what can businesses and organizations do to make sure that private customer information stays safe and secure? The issue wasn’t that someone “hacked” into the system with malicious, criminal intent. That actually happened in March, when hackers illegally accessed a computer network containing names, addresses, social security numbers and other identification data of 145,000 current and former Purdue students. Rather, Indiana State University publicly posted the information on its Web site. A typical business would try to appease their customers and investors by firing the employee who was responsible for the blunder and try to reframe the issue as a person that messed up and is no longer part of the organization.
“No disciplinary action is expected,” said Teresa Exline, executive director of public affairs for the university. The university is sending letters to the 10,420 people who were “probably affected”. I’m happy that some poor, overworked graduate student isn’t getting the axe (the reports haven’t said who actually made the mistake, but universities often use graduate students as cheap labor). But what does this do to really solve the underlying issue that 10,420 names and social security numbers are now potentially in the hands of possible evildoers?
“The problem is, with identity theft, many of these thieves will not act immediately,” said Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy program based in San Diego. “They will hold onto it for six months or even a year.” One answer is not to collect any information in the first place, but accurate information is the lifeblood of good decisions. Detailed information, such as a credit report, can help a company avoid customers likely to default on payments. When hiring new employees, accurate criminal background reports can help businesses verify whether a job candidate has been truthful on his or her application.
When doing research to screen a potential baby sitter or prospective business partner, easy access to background information aids in the decision-making process. In the university application process, social security numbers have been used to verify test scores for entrance examinations. Perhaps the most effective solution is to educate employees (and anyone else who has access to sensitive information) about the importance of keeping the information secure and private, and have strong privacy practices and procedures in place.
Note: A four-inch thick policy and procedures manual that collects dust on the shelf isn’t enough to protect information actually talking to people about safeguarding information is required. Indiana State University officials say that in the future, students won’t have to worry about the possible exposure of social security numbers because the university is working to replace them with a student identification number. Said Exline: “Had our procedures been followed when this file was created, we wouldn’t be in this situation.” Some consolation to the victims.