Ms. Devon Chaffee of the ACLU of New Hampshire gave the keynote address at the 9th annual data security conference hosted by Dartmouth College. “Securing the eCampus 2015,” was attended by Chief Information Officers from academic institutions throughout the country. The conference featured presentations from information security and educational IT leaders.
Devon’s presentation—titled “Data Privacy and Security on the Digital Campus”—focused on the data breaches and blowbacks from data sharing relating to educational content; the recent and changing legislative landscape regarding data privacy on college campuses; and, the best practices institutions can take to mitigate risks to data security and privacy in the digital campus.
Ms. Chaffee highlighted high-profile hacks such as Target, Anthem, and Sony in just the last two years. She went on to underscore the many more, equally serious instances of data breaches on college campuses across the United States in the past few years. In 2014 alone, 30 educational institutions experience data breaches and five of those 30 data breaches were actually larger than the notorious Sony hack. These breaches affect the sensitive data that most colleges and universities collect on students such as Social Security numbers, back account and student loan information, healthcare history, and more. As an example, the March 2014 hack on University of Maryland’s online systems compromised more than 300,000 student, faculty, and staff records.
“These breaches and the sensitivity of the information compromised clearly demonstrate the vulnerabilities of data stored at universities are real, even as universities are gathering and storing more data on students than ever before,” Ms. Chaffee said. “These breaches have the potential to have a real negative impact on a student’s financial future, their professional lives, and even their personal relationships.”
The current primary federal law governing this area of colleges and universities, the Family Education Rights and Privacy Act (FERPA), is blatantly inadequate to deal with the current data collection technologies and practices. As a result of these hacks, Ms. Chaffee expects more state legislatures will begin to take interest in data security and privacy on campuses.
Colleges can take immediate action, recommended Ms. Chaffee, to mitigate the risks to student data privacy and the risk of public blowbacks. One important way to mitigate data security and privacy risks is data minimization, meaning if an institution doesn’t collect and retain large amounts of personal data, there is less of a risk that hackers will access it.
Ms. Chaffee emphasized other cautionary steps such as when dealing with third parties, the importance of informing students what data is being collected, and the criticalness of outlining clear college or university policies. In addition, Ms. Chaffee asserted, “The digital campus will never be secure if professors and students aren’t aware of steps that they need to take to protect their own data and the data of those in their possession.”
For more information about “Securing the eCampus 2015,” please check out the conference website at http://www.ists.dartmouth.edu/events/ecampus/.