Friday, August 19, 2011
KCC Chancellor Leon Richards dodges question on delay in notifying students of data breach
by Larry Geller
More than 1,900 students were put at risk of identity theft when boxes of files containing personal information, including credit card and social security numbers, went missing at Kapiolani Community College. Their absence from a storage area was discovered on July 1, 2011.
Yet the administration did not notify students of the breach until August 11.
This data breach is the latest in a string of personal data leaks that has occurred in the past three years involving more than 100,000 students, faculty, and those using parking areas. The breaches are the subject of a class action lawsuit against the university system (see also: Attorneys report on negotiations that could lead to credit monitoring for UH data breach victims, 8/14/2011).
“It’s scary because someone could be using your credit card and you wouldn’t know,” said Sepe Albert, a freshman who was on campus for orientation Friday.
[KITV, Missing Files From Locked Storage Prompt Alert, 8/12/2011]
I emailed Kapiolani Community College Chancellor Leon Richards on Monday asking:
“Why did KCC wait from July 1, the date the breach was discovered, until August 11 to notify those affected?”
He replied in an email outlining the sequence of events and referring me to a webpage for information, but did not answer the question. So I asked it again. So far, no further reply.
When there is potential for identity theft, time is of the essence. Thieves can move quickly to use the data, so rapid notification of those potentially affected is critical. From discovery of the missing data until notification of students took KCC 40 days.