Jordan exonerates administration
Leaves
students to foot the bill for credit alert
By Nic Garcia
ngarci20@mscd.edu
Metroís administration
has concluded its investigation and has absolved itself of any blame regarding
a stolen laptop that may contain personal identification information of 93,000
current and former students.
"We
are not the perpetrator of this crime," Metro President
Stephen Jordan said during a March 9 public meeting.
Now,
Metroís administration will begin to re-examine, write and
implement new policy to make sure a similar situation does
not happen again.
"In
the interim, no studies are to be done regarding Social Security
numbers (or other sensitive data) without my explicit approval," Jordan
said.
Jordan
said Metroís third-party investigation team, Business Controls,
Inc., has found that the work done by Associate Director
of Admissions and Data Management Daniel Parks, the employee
who had possession of the laptop when it was stolen, did
not violate any Metro policies or state or federal law by
not deleting a file with Metro student information or using
the information from the project outside the scope of the
Title III grant he had been working on.
Because
of this, "Metro has made the decision, that at this
time, we will not pay for outside extended credit monitoring
services," Jordan said.
Despite
it all, Metro officials still "strongly encourage" students
to contact a credit-reporting agency and put a 90-day alert
on accounts free of charge. Students may buy an extended
90-day alert if they wish to.
Letters
will be mailed out this week to all students, past and current,
who are believed to have been on the list. Those students
would include anyone enrolled in classes at Metro from the
Fall 1996 semester to the Summer 2005 semester.
Jordan
said Parks had permission from his supervisor, then-director
of admissions William Hathaway-Clark, and associate vice
president of academic affairs David Conde to use the research
published in a Title III Grant for a project in his masterís
program at UCD. The grant investigated online course trends.
The administration has learned that permission was not needed
because the grant became a public document once it was made
available to the college.
Conde,
however, said he was not asked permission by Parks, but was
told of his intentions by the associate director and saw
no problems with Parks using the information for his project.
Phone
calls to Hathaway-Clark went unreturned.
No
Social Security numbers or other private information was
used in either the grant or the project. Parks used the data
and created charts from the numbers he ran. The grant was
completed in May of last year and the project was submitted
in August, seven months before the laptop was stolen.
The
laptop may or may not have contained a document with 93,000
studentís names, Social Security numbers, addresses, birth
dates and course numbers. Together, this information could
be used to cause serious damage to a personís credit.
Parks
has said he does not remember whether he did or did not delete
the file on the college laptop he used at home to complete
the grant. The file, regardless, was not encrypted and could
be accessed without a password.
Parks,
who, due to his job, had privileged access to the information,
is still employed at Metro. However, his access to Banner,
Metroís Web portal used to register for classes and which
houses every studentís information, has been restricted.
Parks
appropriated the data from the Web portal to use in the study.
Another 988 employees have access to similar student data
and of those, 114 have the same high-level access Parks had,
Jordan said.
The
Auraria police are working with the Denver police in the
criminal investigation. Parks is not a suspect, Jordan said.
As
of press time, there was no evidence any data that may have
been on the laptop had been used illegally.
"Because
this situation has received much attention, there may be
phishing scams," Jordan said. "If someone calls
from a credit bureau or a financial institution, do not give
them your information; instead, verify the information they
are providing you."
A
phishing scam is when someone tries to obtain personal information
in order to commit identity fraud.
" Iím
so mad at Jordan," said Metro student Erika Phebus. "He
thinks he will walk away from this neat and clean."
Phebus
is worried the issue is going to "fall by the wayside" and
has begun to write her state representatives.
"Iím
floored there are no consequences for Mr. Parkís actions," she
said at the meeting. "He failed in a very serious way."
Jordan
dismissed claims the school is fiscally responsible and that
there was no problem with Parks working with sensitive material
outside of his office. Identity theft is something we all
have to deal with in this century, he said, and he pointed
to the business world as precedent for people working at
home.
"This
is one of the ways business is done," Jordan said. "This
is the way America is working today."
Students,
administration
discourse through SGA
The laptop theft issue was one of the Student Government
Assemblyís top priorities at its senate meeting on March 8.
It
was agreed the communication between Metroís administration and students
is the SGAís biggest responsibility in the matter.
Speaker
of the Senate Jesse Samora said the SGA needs to work closely with the faculty
and help keep the students informed.
"I
think we need to just direct all questions to the shared governance committee," he
said. "Thatís what theyíre there for."
Gary
Lefman, an SGA shared governance committee member and senator, suggested
students be told the SGA can offer assistance.
"The
larger issue is," Samora added, "that while this is very important,
there is still a lot of other business going on right now. We have to remember
our priorities. We owe the student body more than this."
-Josie
Klemaier
Metro
following in UNCfootsteps, missteps
In
January 2005, the University of Northern Colorado experienced a possible
security breach, similar to the recently stolen Metro laptop.
The
UNC Department of Information Technology reported a missing backup hard drive
to senior management Jan. 18, 2005.
"We
never determined for sure if the hard drive was lost or stolen." Gloria
Reynolds, Director of Communications and Media Relations, said. "We
went through all the garbage and everything," she said.
The
hard drive contained names, addresses, social security numbers, bank account
numbers and birth dates for 150,000 employees.
According
to Reynolds, the records went back as far as 1997, and some of the employees
were also students.
"Itís
not like a CD or zip drive or any kind of regular technology you or I use
on our PCs," Reynolds said.
UNC
officials held the first open meeting concerning the lost hard drive on Jan.
20, 2005, two days after the hard drive was reported missing.
"We
couldnít rule out that it was stolen, so we told everyone to take the same
kinds of precautions just in case," Reynolds said.
Following
the first meeting, the university held a series of meetings explaining how
to put fraud alerts on credit reports.
UNC
brought in an independent consultant to help determine what information was
missing and to come up with procedures for being more secure in the future.
"We
wanted to be sure we knew what it was we were missing," Reynolds said.
UNC
also hired a security policy expert, who has been working methodically to
make sure things are secure, according to Reynolds.
UNC
is changing its entire computer system to the Banner Information System,
educational software that many universities use.
"Weíll
have a new way of doing things," Reynolds said.
-Andrea
Schreiner
