Advances in Internet technology in the past several decades have been both amazing and precarious. With Internet access, you can purchase almost anything from thousands of online vendors, receive updates on news and market info with little delay, even schedule your next semester and pay tuition, all from the comfort of your couch. However, with these advances come more opportunities for dishonesty.
Key findings in a 2007 report from the Web Hacking Incidents Database highlight the criminality involved in Internet use. According to the report, 67 percent of all reported computer hackings were done with the intention to gain monetary profit. Also, 44 percent of the reported hackings were tied to non-commercial sites that include both government and university sites.
In recent years, the private sector has increased its spending on computer security to avoid losing data to hackers and to limit corporate espionage, leaving universities as easy targets. A report on Educational Security Incidents from 2007 reported there were 139 university security breaches around the world that year. This number increased 67.5 percent from 2006.
With these statistics in mind, the Utah Legislature enacted the Consumer Credit Protection Act in 2006. The CCPA defined what constitutes a security breach and laid out the protocol that public institutions such as the U are required to follow in the event of a security breach. A security breach is defined as “an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality or integrity of personal information.” The CCPA further articulates that a “reasonable and prompt” investigation is to occur, and “if an investigation reveals the misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur, the person shall provide notification to each affected Utah resident.”
The term “reasonably likely” leaves the decision as to whether or not individuals are going to be notified of a security breach to the investigators at the U’s Information Security Office. In light of the statistics that show the No. 1 reason for breaching a secure network is to gain profit, “reasonably likely” is at best a sub-par standard.
It has been several years since an announcement was officially made by the U that a breach of the U’s network has occurred. With the ambiguity of the CCPA, one can only assume there have been breaches that have not been fraudulent.
The ISO did not comment as to whether there have been breaches that were not made public.
An ambiguous law left to the interpretation of a U office with a reputation to protect does not adequately protect the financial interests of students. The ISO needs to always assume security breaches include fraudulent purposes or the old CCPA should be revised to protect the personal information of students.