The University of California (UC) system announced last month that it had been hit with a massive data breach. The point of compromise was a third-party file-transfer application called Accellion. UC was just one of the victims of the international cyberattack, which may have afflicted roughly 100 institutions, including Stanford Medical School, the Universities of Maryland, Colorado and Miami, and Yeshiva University in New York.
How much data was stolen remains unknown. The University of California wrote in a FAQ that the compromised information includes names, addresses, telephone numbers, birth dates, Social Security numbers and bank account information for “employees and their dependents and beneficiaries, retirees and their beneficiaries, students and their families,” and possibly other people with UC connections.
Prior to the November election, we were virtually alone when we wrote on how Section 15 of California Proposition 24 should not have exempted certain school-related businesses from requirements to protect privacy. When it came to certain student information, the section exempted these businesses from complying with parts of the California Consumer Privacy Act. One significant exemption allowed businesses to refuse a student’s “right to be forgotten” under Section 1798.105 of the California Civil Code. Exercising such a right would have allowed students to submit requests for the deletion of their data.
If students were allowed to retain more power over their personal information, especially as it relates to third parties, the damage caused by future breaches like this could be mitigated. The reason the “right to be forgotten” is desirable, in part, is that many institutions, like schools, have a foolish tendency to hold data in a centralized place with few cybersecurity protections. Data “opt out” and “opt in” options could also offer more control over how much data a school can give a third party.
Moreover, educational institutions themselves should do a better job protecting the data of their students and employees. Schools hold troves of personal information, making them prime targets for cyber criminals. In March, hackers breached the computer systems of Florida’s Broward County Public Schools, the sixth largest school district in the country. The hackers held the personal data for a ransom of $40 million, but the school district couldn’t pay, in part because no district has $40 million on hand. As threatened, the hackers published 26,000 of the stolen files online. It is unclear whether this attack was related to the university attack.
In a recent report from the K12 Security Information Exchange and the K-12 Cybersecurity Resource Center on the state of K-12 cybersecurity, the authors write, “For the second calendar year running, at least 75 percent of all data breach incidents affecting U.S. public K-12 school districts were the result of security incidents involving school district vendors and other partners.” Jagger Henry, who works on education technology, said in an interview with Wired Magazine, “When I took a look, there was so much that was vulnerable, just a stupid amount of vulnerability.”
After the breach, a faculty member we know signed up for a credit-monitoring service recommended by UC. The monitoring service has since found his Social Security number on the dark web four times. He has had to place security freezes on his credit report with the major bureaus to make it harder for someone to open an account in his name, but he still worries about identity theft.
Despite the real threats of large-scale data breaches, California and other states fail to recognize a definitive private right of action to remedy damages caused by negligent data holders. It is difficult to obtain recourse against the parties whose negligence contributed to harms such as identity theft. A salient point that the Electronic Frontier Foundation makes is that data-privacy laws should allow “ordinary [people] to bring their own lawsuits against the companies that violate their privacy rights.”
Strong privacy protections are not bulletproof and cybersecurity threats will persist. But better policies can help protect individuals and provide victims with a remedy.