Jeanne Price of idRADAR interviewed a University of Maryland spokesperson about their recent breach. The interview provides a nice insider’s perspective on breach response, and you may wish to read it all here. Perhaps the most startling revelation was this one:
UMD did not have a data breach crisis plan in place before the event, which continues to be under investigation.
In this day and age, how can any university not have a data breach crisis response plan in place? How often does this happen? And what, if anything, should the U.S. Education Department do to foster better data security and planning at the post-secondary level? Has it conducted a survey that asks about security, risk assessment, and preparations for a breach? I suspect the situation is much worse at the K-12 level than at the post-secondary level, but post-secondary institutions may collect and retain significantly more individuals’ data than K-12 schools do.
For years, we’ve known that universities are targets of hackers, as university databases contain a wealth of information that can often be used for ID theft. Those suggesting that universities are a new target or the “next target” in the wake of the UMD breach and a few other recent reports simply haven’t been paying attention.
But given that we’ve known for years, when will it be time to do something?
The Federal Trade Commission currently does not have the authority to enforce data security in non-profits (which most universities are): its Section 5 authority over unfair or deceptive practices generally does not reach non-profit entities. The U.S. Education Department does not enforce. Pretty much, no one enforces.
Is it any wonder, then, that we continue to see massive breaches at the post-secondary level?