A campus-wide e-mail from Chief Technology Officer Dinny Taylor on Thursday alerted the campus to what Taylor called a “possible breach of personal data.” The theft of a laptop containing names and social security numbers (SSNs) of approximately 750 people associated with the College prompted the Office of Information Technology (OIT) to take action to protect the people affected, as well as to review the current policies in place for protecting personal information.
Taylor’s e-mail announced that there was no reason to believe the personal information had been misused in any way. Nonetheless, the College put “credit monitoring and ID theft support services” in place for the affected individuals â€“ mostly former students, according to Criss Laidlaw, director of Administrative Information Systems.
The laptop containing the personal data was stolen from a College vehicle in early October. The College refrained from announcing the security breach until November due to Massachusetts “data breach” laws with which notifications must comply. The laws, according to Laidlaw, “impose specific requirements about what can or must be said â€“ and how it should be said â€“ in connection with events like this,” he said.
According to Laidlaw, the theft of College laptops is not unheard of. According to Seth Rogers, director of Desktop Systems at OIT, a handful of College-owned laptops have been stolen over the past five years. College policy mandates that when laptop thefts occur, employees must call Campus Safety and Security, as well as the police in the location the theft took place. “We track the serial numbers of all College-owned laptops and can use the serial number to identify it as ours,” Laidlaw said. He noted, however, that no stolen laptops have been recovered to date.
Taylor’s e-mail identified measures the College has been taking in recent years to minimize the threat of such a breach, including moving away from using SSNs, training staff in data protection and cleaning and encrypting laptops.
Laidlaw says that the College has reduced the use of SSNs to identify students, although they are still collected to comply with state and federal government requirements. The files on the laptop that contained SSNs were old, Laidlaw said.
Much of the protocol surrounding personal information protection stems from the laws Massachusetts enacted in the fall of 2007 regarding identity theft. “From the time of its passage, the College began work on identifying when and how legally protected information is collected, stored and used across campus,” Laidlaw said. He added that employees are trained in information security from “both practical and legal standpoints,” and that the training â€“ which focuses on staff members in offices that work with “legally protected information” â€“ will include all staff by late 2010.
Laidlaw added that an additional measure of protection is to restrict the handling of personal information, allowing access only to employees who have a need to use it. “We are reviewing our policies and procedures in light of the particular circumstances of this incident,” Laidlaw said.