Powered by Google
 
  • No answers amid theft
    Administration seeks solutions to misuse of
    student information
    By Tim Esterdahl and David Pollan
    testerda@mscd.edu, dpollan@mscd.edu


       Metro’s administration has discovered that additional information, including addresses and birthdates, were on a Metro laptop that was stolen Feb 25. Accompanying that information were also the names and Social Security numbers of 93,000 former and current students, a leak of which could possibly expose the students to identity theft.
        “ This is a crisis,” said Metro spokeswoman Cathy Lucas.
    Metro first announced the incident on the morning of March 2 with an e-mail and impromptu open house.
        Daniel Parks, associate director of admissions and data management and UCD graduate student, filed a report with Denver Police on Feb. 25, to report the loss of his campus-issued laptop, which contained the sensitive data. Parks notified college officials on Feb. 27.
        The data on the laptop includes the name, Social Security number, date of birth, address, student identification number and course registration information of all students who were enrolled at Metro anytime from the beginning of the Fall 1996 semester to the end of the Summer 2005 semester, equaling roughly 93,000 students. The data also includes the student files of 1,300 other students, but these files did not contain Social Security numbers.
        Metro officials warned that bank accounts and other credit information could be accessed with the data contained on the laptop.
        The data was not encrypted and Parks couldn’t recall whether or not he had purged the data from the laptop.
        Parks downloaded the information from Banner, Metro’s information system, to conduct a 10-year analysis of online class trends. He needed this data to complete a Title III grant proposal and his master’s thesis at UCD. Metro said Social Security numbers were used for the grant; however, they were not used on the thesis.
        Parks denied several requests for comment.
        As of press time, March 7, police had not named a suspect.

    Metro President Stephen Jordan said at the March 2 news conference, that Metro’s administration believes it to be more a crime of opportunity, meaning the thief stole the laptop to sell it, and that it is doubtful the laptop was stolen for the information it contained.
        “ It is unlikely, at least to the best of our knowledge, that the individual stole it for that purpose,” Jordan said.
        At the second open house, frustrated campus community members now familiar with the dilemma asked for financial compensation for any losses former and current students may incur.
        Jordan, along with a panel of four college officials, reiterated that no unwanted activity has been reported to Denver Police in connection with the theft. He also said he would take into consideration the various speakers’ complaints.
        Metro administrators also announced they had hired Business Controls Inc., a forensic technology investigation, training and consulting service, to execute an internal investigation of Metro’s current data access and encryption policies. Business Controls will also determine what needs to be developed and implemented to prevent this type of incident from occurring again.
        “ We are actively putting together a list and giving daily updates. We are not going to hurry through this very thorough analysis. It is a process,” said Steve Foster, executive vice president of Business Controls Inc. “We will work diligently to get the information to the appropriate people.”
        Metro currently has policies in place pertaining to data encryption. However, these policies were officially instituted last July or August, after Parks was given the information to conduct his study in February 2005, according to Lucas.
        Several calls to Metro’s administrators to determine the exact policy pertaining to data encryption were not returned.
        Social Security numbers were needed as previous students used them for identification purposes. Student identification numbers were introduced in 2001 to avoid this problem.
        Jordan said Parks was authorized to have access to this data. However, according to Lucas, part of the investigation is to determine what the policy was at the time. Currently, they don’t have the wording of that policy and are also unable to elaborate on the steps for authorization.
        Jordan said Parks was working with David Conde, associate vice president of academic affairs, on the Title III grant.
        Conde told The Metropolitan he was aware of Parks using the information for his thesis, but was not asked for permission. He felt “confident” in Parks and was aware of his high-level Banner access.
        “ The master’s project was driven by the research provided in the Title III grant,” Jordan said.
        Metro is in the process of taking precautions to ensure the safety of all confidential information by modifying all data security policies and procedures. Metro, at this time, is investigating whether or not any Family Educational Rights and Privacy Act, or FERPA, policies were violated.
        FERPA states that student records can’t be released without written consent. However, they can disclose records to college officials or to consultants who are conducting studies on behalf of the college.
        According to Chris Beall, an attorney with Faegre & Benson LLP in Denver, Parks’ use of the information for his master’s thesis enters into a “gray area” within FERPA, and that it is up to the Department of Education to determine if policies were breached and whether or not to take action.

        President Jordan has restricted all Parks’ high-level data-access through the course of the investigation, allowing him to perform only tasks essential to his job. He has also restricted all student data from being released without his authorization until the investigation is complete.
        Laptops serve as the only computer for some Metro employees and there are more than 350 campus-owned laptops in use, according to George Middlemist, Metro interim vice president of IT. However, he also said less than 50 users have access to personal information.
        These laptops are currently being recalled back to campus as President Jordan has ordered. The IT department will be scanning each of these computers to assess how much sensitive data they contain. If they contain such data, a determination of either deleting or retaining with encryption will be made according to the person’s role on campus.
        President Jordan said students could have his assurance that the appropriate type of disciplinary action will be taken and future policies will be instituted to inhibit any future situation.
        In the meantime, Metro has set up a Web page, located at http://www.mscd.edu/securityalert/, to assist concerned students in contacting credit agencies and the Social Security Administration.
        Metro is in the process of contacting, through letters, e-mails, phone calls and follow-up meetings, all persons whose information may be at risk. Another public meeting is scheduled for March 9 at 4 p.m. at St. Cajetan’s.
        “ We are one of a very long line of institutions that have been subject to (identity theft),” Jordan said. “This is a prevalent problem throughout the country.”

Ads by Goooooogle

 

Fort Collins Rentals
Houses, condos, apartments to rent. With photos. Easy to list & find!
www.NorthernColoradoR

 

Over 3000 Apartments
All Colorado Springs' neighborhoods Search by price or area. Get $100.
www.GBRents.com

 

$300/Hr in Greeley?
21 Side-by-side Comparisons of Fun Jobs Paying Up to $300/Hour.
FunJobsReview.com

 

Greeley hotel
Low Rates on Greeley Hotels. Also Book Flights & Cars at ORBITZ!
www.ORBITZ.com