A series of data thefts at the University of California over the
past two years that compromised the personal information of
hundreds of thousands of students and Californians has pushed
administrators to investigate new security measures and prompted
Sen. Dianne Feinstein to propose new legislation.
Feinstein (D-Calif.) is currently pushing legislation that
would implement a nationwide version of a California law, known as
SB1386, which requires businesses or government institutions to
inform individuals if their Social Security number, driver's license
number, state identification number or financial information might
have been stolen.
And this week the senator plans to announce a rider to her bill
requiring all personal data kept for commercial purposes to be
encrypted, said Howard Gantman, a spokesman for Feinstein.
Recent data problems at the UC include a laptop containing the
names, birth dates and Social Security numbers of 145,000 people
that was stolen from the UCLA Blood Bank in November 2003.
In October 2004, hackers stole 600,000 people’s Social
Security numbers and medical information from a UC Berkeley
professor’s computer, and a laptop with 98,000 names and
Social Security numbers was stolen at Berkeley in March of this
year.
And last week, UC San Francisco notified 7,000 students that
their personal data may have been compromised in February.
UC information security staff say the UC is already looking
into, and in some cases implementing, data encryption, but there
will not be a simple solution.
Kent Wada, director of information technology policy at UCLA,
said encryption can be a useful tool, but it is inconvenient.
At the minimum, an encrypted system requires a password every
time it is accessed, Wada said. And since there is no consensus
about how to set up encrypted systems, complications often multiply
with questions about how many people will know the keys to decode
the encryptions and how the pass codes will be stored and
transferred.
But Wada said encryption can still be an attractive option
because if data is lost or stolen, no one can read it without
breaking the code. Current California law states that if encrypted
data is stolen, institutions do not have to notify the people whose
data was stolen.
“To me it is not just a cost issue, so much as changing
the culture that people are going to have to accept some
inconvenience,” Wada said.
Paul Eggert, a UCLA professor of computer science, said
encryption could help reduce data theft, but it is not foolproof or
easy.
“Doing it right is going to be a pain,” Eggert said,
adding that when someone decodes encrypted data it gets saved all
over their computer. “The best you can do is encrypt some of
the data some of the time.”
In addition, he said if a hacker breaks into a server, they can
steal encryption keys along with the encrypted data.
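The two practical points raised above (an encrypted store needs a password or key on every access, and a key left on the same server as the data is stolen together with it) can be shown concretely. The following is an added example in Python, not code from the article or from any UC system: the file names, the sample record and the HMAC-based stream cipher are constructed for illustration, and it uses only the standard library.

```python
"""Added example: key stored beside the data versus key derived from a
password on each access. Not from the article; names and data are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample record (not real data).
RECORD = b"name=Jane Doe;ssn=000-00-0000;dob=1980-01-01"
PBKDF2_ROUNDS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher, chosen so the
    # example runs without third-party packages. A vetted AEAD such as
    # AES-GCM is the right choice in real systems.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    # Fresh nonce per record; tag authenticates nonce and ciphertext so a
    # wrong key or tampered blob is detected instead of yielding garbage.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_key(password: str, salt: bytes) -> bytes:
    # The key exists only while the password holder is present; only the
    # salt is written to disk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def store_with_key_on_disk(record: bytes = RECORD) -> dict:
    """Weak layout: the random key sits in a file next to the ciphertext."""
    key = secrets.token_bytes(32)
    return {"data.enc": encrypt_record(key, record), "key.bin": key}


def store_with_password(password: str, record: bytes = RECORD) -> dict:
    """Stronger layout: only ciphertext and a salt are on the server."""
    salt = secrets.token_bytes(16)
    key = derive_key(password, salt)
    return {"data.enc": encrypt_record(key, record), "salt.bin": salt}


def intruder_copies_everything(server_files: dict):
    """What someone who copies every file off the server can recover."""
    if "key.bin" in server_files:
        return decrypt_record(server_files["key.bin"], server_files["data.enc"])
    return None  # salt plus ciphertext is not enough without the password


def authorized_read(server_files: dict, password: str) -> bytes:
    """Every legitimate access re-derives the key from the password."""
    key = derive_key(password, server_files["salt.bin"])
    return decrypt_record(key, server_files["data.enc"])


def wrong_password_is_rejected(server_files: dict, password: str) -> bool:
    try:
        authorized_read(server_files, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    weak = store_with_key_on_disk()
    print("key on disk, intruder recovers:", intruder_copies_everything(weak))
    strong = store_with_password("correct horse battery")
    print("password-derived key, intruder recovers:", intruder_copies_everything(strong))
    print("authorized read:", authorized_read(strong, "correct horse battery"))
```

The second layout is what makes the "password every time it is accessed" inconvenience unavoidable: the decryption key is never at rest on the server, so the question of who holds the password and how it is shared among staff becomes the real design problem. It also does nothing about plaintext left in memory, swap or temporary files after a legitimate read, which is the separate concern Eggert raises about decrypted data being saved around the machine.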
Despite the difficulties, several UC campuses are beginning to
encrypt their data.
Wada said several UCLA departments, such as the medical center,
have begun encrypting their data. And UC Davis has put aside funds
to buy encryption technology, said Robert Ono, information
technology security coordinator for UC Davis.
Encrypting data is the last line of defense for personal data,
and Wada said UCLA is focusing on making the community conscious of
the data they use and eliminating information that is no longer
necessary.
This process began when SB1386 was passed in June 2003, but it
ramped up when the laptop was stolen from the UCLA Blood Bank in
November of that year.
While encryption could provide an additional level of safety,
Wada and Eggert stressed the role of university culture in keeping
data secure.
“Universities are all about the free exchange of ideas,
everything we are about is to share info and make info available,
so everything we do on campus is set up to share info and make it
available, except for in very specific areas,” Wada said,
referring to the need to control personal data.
But Eggert said universities may be taking the brunt of the
criticism for data loss because they report it more often than
other institutions.
Eggert, who said he used to do consulting for banks, said people
tend to think less about controlling information at universities,
but they also feel more responsible to report it when it goes
missing. He said financial institutions do not always report
information loss.