Academic Institutions and Identity Theft

Resource: Interview with Brian Lapidus (Senior VP of Kroll Fraud Solutions) by University Business
http://www.universitybusiness.com/article/academic-institutions-and-identity-theft-what-you-need-know
Academic institutions store an ever-growing database of personal information varying from information from past applicants, alumni, current students, and faculty. This expanding database is making academic institutions a prime target for identity thieves, identity theft, and data security breaches. Data breaches are a main risk because of the large amount of Personal Identifying Information (PII: the information that is useful for fraudulent activity) containing financial data (tax receipts, account information, credit), health information (medical and insurance records), personal identifiers (Social Security numbers and university IDs), class lists, student records, and research data.

There has been a major increase in the incidence of academic data breaches. Due to the nature of academic populations (changing approximately every 4 years), there tends to be a lot of unnecessary data held for long periods of time that leaves a lot of people at risk. Those at risk include: former applicants, alumni, current students and their families, loan co-signers on student loans, foreign-exchange students, and professors and school employees.

Academic institutions seek to foster a culture of trust but a data breach and the recovery/clean-up afterwards can have a negative effect on an institution’s brand and culture and even monetary donations and alumni support.

Mistakes made by academic institutions that are being made today:

  1. The use of Social Security numbers as a primary method of student identification
  2. The use of flash drives, unsecured wireless networks, and laptops to store and transmit personal identifying information.
  3. The unnecessary accumulation of personal identifying information.

Recommendations:

  • Don’t acquire information unless its needed.
  • Minimize the number of places where information is retained.
  • Purge the data once the need for it has expired.

To better protect themselves in order to prevent data breaches, academic institutions should design and implement a strategy of policies for data minimization and privacy procedures regarding the use of personal identifying information and network security. These plans must be shared with staff and students. Regular audits should be conducted to maintain compliance.