Rob Shaw reports that some people are angry at U. Tampa’s decision not to offer free credit monitoring services to some of those whose data were available on the web for months:
In addition, the records of another 22,722 faculty, students and staff — from the years 2000 through 2011 — also were potentially accessible, though not through Google or any other search engine. University officials said last week that only two UT students saw that data.
The officials said Wednesday they were busy updating their data-breach information web page and didn’t have time to answer more questions. The web page, which doesn’t appear on the university’s home page or in its News section, says unequivocally that the larger group — and those who enrolled after July 12 — “are not at risk.”
Read more on Tampa Bay Online.
So based on their risk assessment, they did not offer that group of almost 23,000 free services. With predictable reactions. In an update to their breach notice page yesterday, the university attempts to reassure the larger group:
Is it possible for someone to have accessed the files without being traced on UT’s network logs?
Access to UT information systems is logged. IT has thoroughly examined the files and associated logs, and has a record of each individual access to the files. IT has secured the activity logs, and the University is currently evaluating a proposal to engage a third-party, qualified security assessor (QSA) to verify and further analyze the findings.
Maybe they’re right. But would it cost more to offer the service if 10% enroll (the usual rate), or would it cost more to defend a lawsuit over the breach? Bean counters to Aisle 4, please. And how do we place a value on the bad feelings engendered? Will their response affect people recommending U. Tampa to potential students or faculty? Probably not, but we can’t really rule that out, either. Breach handling is crucial and so far, U. Tampa is not getting high scores from at least some of those affected.