What St. Francis College in Brooklyn Heights, NY wrote to enrollees and applicants after a security incident:
On June 28, 2014, a St. Francis employee reported the loss of an external hard drive.
Compare that to what they told the New Hampshire Attorney General’s office in their cover letter:
On June 28, 2014, St. Francis was notified by one of its employees of an incident involving the personal information of St. Francis enrollees and applicants. The St. Francis employee was carrying a password-protected external hard drive in his briefcase while attending a social function. At some point that evening, the hard drive fell out of the briefcase and has not been recovered.
Gee, I can’t imagine why they didn’t tell all that to those whose personal information – including Social Security numbers – was on the lost drive.
The college is offering some free services through Kroll. They are also “implementing policies with respect to the handling of personal data in portable formats” and will begin encrypting personal data on all external hard drives and similar devices.
And if you’re wondering why they didn’t do these things before now, well, that’s a good question for which I don’t have a good answer.
The total number of applicants and enrollees for 2006-2011 (the timeframe for data on the drive) was not provided, but statistics on the college’s website indicates that it had 2,903 enrollees for the Fall term of 2013, so we’re possibly looking at over 15,000 people whose personal information – names, postal addresses, telephone numbers, and email addresses, and SSN – may have fallen into criminals’ hands.
Did I mention that the college is covered by FERPA? Will the U.S. Education Department do anything in response to this incident? I doubt it.