Ben Keith reports that one of the entities affected by a recent TeamGhostShell hack was Ohio State College of Dentistry. Okay, but here’s the thing: should the college have notified those whose names, addresses, phone numbers, email addresses and passwords were acquired and dumped on the Internet?
You might think “yes,” but Ohio state law would not necessarily agree.
University spokesman Jim Lynch said in an email that Ohio law only requires data breach notification if the compromised data could lead to identity theft, and the data taken in this incident didn’t pose that threat.
“For Ohio State, the information accessed was five-year-old, non-restricted data from the College of Dentistry,” Lynch wrote. “This vulnerability was addressed within less than one half-hour after we noticed suspicious server activity, and thankfully no restricted data was taken from the system.”
Read more on The Lantern.
Passwords are non-restricted data? Knowing that the majority of people re-use passwords, I would think that e-mail addresses combined with passwords – even five year-old ones – pose a risk of others accessing accounts that may hold financial data or SSN. What happened to “abundance of caution?” Yes, I know some people will argue that my approach results in over-notification and people “tuning out” breach notices, but tuning out is an individual’s choice. If you don’t inform them of a breach, they have no choice at all and no chance to take steps to protect themselves.