Campus Tightens Security of UC Data
Monday, August 2, 2004
Category: News
In a year when UC campuses have been hit hard by computer security breaches, UC Berkeley's eBerkeley Steering Committee unveiled a new policy last week that standardizes usage guidelines for campus employees handling data owned by UC.
The campuswide Data Management, Use and Protection Policy is the first of its kind in the UC system and applies to campus employees who have access to any of the more than 300 computer servers, including Telebears, Bearfacts and university payroll systems.
Staff, faculty and student researchers in several campus departments frequently access student and employee personal data as part of university work.
"Because of this widespread management and use, the reliability and security of our information becomes everyone's responsibility," Paul Gray, executive vice chancellor and provost, said in an internal e-mail to campus administrators.
The policy, which the committee's Data Stewardship Council started developing in 2002, outlines security measures that those handling university data must follow and discourages staff and faculty from using restricted personal data unless absolutely necessary.
"When you download data, you download responsibility with it," said Shelton Waggener, director of Central Computing Services and a supporter of the new policy.
Recently, UC campuses have lost control of sensitive student and employee data in a string of security breaches.
UC San Diego sent letters to more than 300,000 students, applicants and alumni in May whose names and social security numbers may have been viewed by a hacker who broke into the campus' network.
The security breach campus authorities discovered in April is the first such incident that has occurred at the campus, said Sally Brainerd, UCSD associate controller.
Although the new policy will not apply to outside hackers, this most recent of the security debacles to hit UC demonstrates the continued vulnerability of restricted data.
UC Berkeley senior Sean Agazanof said he was furious after being notified he was one of the 198,000 former applicants to the school whose personal information may have been viewed.
"You don't even think twice about giving them your social security number; you trust them and then suddenly they say, 'Oops! Oh, we're sorry, we lost all your information. It might be on the internet where hackers can look at it,'" Agazanof said.
At UC Merced, a laptop containing the sensitive data of applicants was stolen in February. Another laptop containing social security numbers and the names of 145,000 blood donors went missing from UCLA a month later. In both cases, the laptops were unprotected by computer encryption.
UC Berkeley cannot ban its employees from downloading sensitive data onto portable devices like laptops because it is part of their work, Waggener said. The new policy does, however, discourage such use.
UC officials admit there is no current way to hold people accountable for following the policy, other than the general understanding that following security procedures is part of the job.
The current lack of accountability standards irks Agazanof, he said. He said he does not believe the new policy will dramatically increase the security of UC Berkeley's student databases.
"The teachers and administrators will definitely take note of it and will definitely think twice, but I don't think they'll go out of their way to follow the policies," he said.
Gray has already asked that campus administrators follow the policy, which the Academic Senate must formally review this fall before it becomes officially binding.