Wednesday, November 03, 2010
UH security breach conference call summary
by Larry Geller
A few notes on this morning’s conference call with National ID Watch on the UH security breach, in which 40,101 alumni personal data records were breached.
First, no one from the University of Hawaii was on the call, or they refused to identify themselves if they were there. No press were on the call except for Disappeared News and Burt Lum and Ryan Ozawa from Bytemarks (tonight at 5 p.m. on Hawaii Public Radio, KIPO, 89.3 FM).
On the timing of the discovery of the breach: National ID Watch discovered the data leak on October 18, with a Google search that anyone could have done, and notified UH. They managed, with some difficulty apparently, to convince Google to take the data out of their cache, and then notified the press on October 27.
As to the possibility of a lawsuit against UH, it would be difficult, according to Aaron Titus, the attorney who discovered the breach. Paraphrasing his response to a caller’s question:
- You’d have to prove five things, all difficult:
  - The person must suffer actual monetary damage
  - They must actually find the ID thief
  - They would have to prove that the data came from UH
  - They must show that UH had a duty to protect the data
  - It would be necessary to show that UH violated that duty
A better route, it was suggested, would be legislation imposing a fine for each breach of personal data. Another course would be to demand a third-party audit of UH security policies and procedures.
I understand that the conference call was recorded and may be posted at the National ID Watch website.
It was also confirmed that UH will not pay for ID theft insurance, etc. In answer to whether UH has notified those affected: probably a large number of affected alumni have changed their addresses and could be unreachable. Unless I misunderstood, UH has yet to attempt to contact anyone. Also, thinking about this just now, if UH alumni retain their email addresses after graduation, that would seem to be a way to reach those affected besides the US mail.
Thanks for the fast summary, Larry. I did get a letter in the mail about this breach last week. It came from UH West Oahu, so I wasn't sure at first what they'd have to do with me. On one hand it made me curious enough to open the envelope, but on the other, I'm sure others might have dismissed it out of hand as a solicitation of some kind.