UC records exposed to theft


Brian H.
10-23-2007, 12:16 PM
http://news.cincinnati.com/apps/pbcs.dll/article?AID=/20071023/NEWS01/710230351/1056/COL02

Second time this month. My mother is calling me wondering what this letter she got means. Apparently it wasn't just student info since I am the only family member to have attended there and that was 8 years ago. In light of the missing backups at the state level earlier in the year you'd think people would know better. Now who do I contact to complain, they should pay for credit freezes.

Lobot
10-29-2007, 06:37 PM
http://news.cincinnati.com/apps/pbcs.dll/article?AID=/20071023/NEWS01/710230351/1056/COL02

Second time this month. My mother is calling me wondering what this letter she got means. Apparently it wasn't just student info since I am the only family member to have attended there and that was 8 years ago. In light of the missing backups at the state level earlier in the year you'd think people would know better. Now who do I contact to complain, they should pay for credit freezes.

I submitted an email to Greg Hand asking for more information on this and to complain about the data handling issue. I did get a reply back from him stating that this only affected UCOL grads but didn't say how far back the data went. The people in charge of data handling have already punished the parties involved.

MikeInClifton
10-29-2007, 11:58 PM
Also

UC moves to protect private info (http://news.enquirer.com/apps/pbcs.dll/article?AID=/20071029/NEWS01/310290054/1056/COL02)

"We didn’t have to send the letters, but if it was me, I'd want to know," he said. "The fact that the records left our control and were in a public area, you can’t be too careful these days." - Kevin McLaughlin, director of information security at UC

If they were a financial institution, the Fed (http://www.idtheft.gov/) and FTC (http://www.ftc.gov/bcp/edu/microsites/idtheft//) would be all over them.

MikeInClifton
10-31-2007, 09:50 AM
Looks like a third example, although this one is not computer based.

Your data isn't safe at UC (http://media.www.newsrecord.org/media/storage/paper693/news/2007/10/31/News/Your-Data.Isnt.Safe.At.Uc-3067000.shtml)

MikeInClifton
11-01-2007, 09:03 AM
New opinion article in the News Record (http://media.www.newsrecord.org/media/storage/paper693/news/2007/11/01/Opinion/Staff.Editorial.Ucs.Handling.Of.Data.Loss.Unacceptable-3069996.shtml) this morning.

Quinn Shamblin, a UCit information technology analyst, was critical of the carelessness of UC employees with access to such personal data. "Don't use portable devices for this type of information," Shamblin said. "And if a portable device is necessary, it has to be encrypted."

mlb
11-02-2007, 10:20 AM
In my opinion it should be taken to the next level... disable all USB ports so that nobody can bring in a portable device to copy the data.

Brian H.
11-02-2007, 11:44 AM
In my opinion it should be taken to the next level... disable all USB ports so that nobody can bring in a portable device to copy the data.

The thing that bothers me the most is that they shouldn't have to do this. If you work in IS/IT you should be smart enough to know better than to copy sensitive information to portable media in an unencrypted format.

qsilvr2531
11-02-2007, 12:07 PM
In my opinion it should be taken to the next level... disable all USB ports so that nobody can bring in a portable device to copy the data.

On all campus computers? On all campus computers accessible to the UC network? I don't really think this is a feasible solution. When I worked for DoD the policy was that any portable device that touched a classified computer became classified and any computer that touched a classified device became classified as well (and had to be removed from any non-classified networks). I don't know of anyone that actually followed those rules (except myself, of course) and they basically acted as a giant red-tape nightmare for anyone that tried to remain in compliance.

Disable every USB, remove every floppy and CD drive and prevent the computer from accessing any outside networks and suddenly the computer itself is completely useless and we are back to faxing student records to the state government when they request them (I realize you didn't mention CD's or floppies, but if USB's aren't allowed something is going to be used).

It isn't that hard to simply say 'don't put information with student identifiers on a portable device, and if you do you are fired.' That's a much more manageable policy than shutting down USB ports and other portable media attachments.

qsilvr2531
11-02-2007, 12:08 PM
The thing that bothers me the most is that they shouldn't have to do this. If you work in IS/IT you should be smart enough to know better than to copy sensitive information to portable media in an unencrypted format.

Most of the people that work with this kind of information on a college campus aren't IS/IT professionals.

mlb
11-09-2007, 11:08 AM
QSilvr, my point is on any machine with access to sensitive data (such as student personal info). The student computer labs should allow USB devices to transport documents, just PCs that are in the financial aid offices, registrar, etc., should have their USB ports disabled.

Floppy drives are no longer used, and not needed.

CD drives can be CD-ROMs only, not writable drives.

You also can block access to any sites outside of UC, which most of these would not need as it is.

It isn't that hard to simply say 'don't put information with student identifiers on a portable device, and if you do you are fired.' That's a much more manageable policy than shutting down USB ports and other portable media attachments.

Terrible solution.
A. Most of the time you don't even catch the data loss, thus they wouldn't get fired UNLESS there was an incident.
B. Doesn't stop someone wanting to steal the information for illegal uses.

The most manageable policy that protects UC, its students, staff, and faculty, is to disable all USB access.