The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, October 20, 2005

Incident: Personal information of Vermont Tech students internet-accessible for over a year 

Another university-related privacy/security breach:

Personal information on Vermont Tech students ends up on the Internet

Vermont Technical College's entire student body had their names, addresses, Social Security numbers and academic information inadvertently posted on the Internet by a college staff member more than a year ago, and the records remained publicly accessible until last week, Vermont Tech officials said Wednesday.

A former Vermont Tech student happened upon the 2003 student information last week after using the search engine Google to look up his own name, Vermont Tech President Allan Rodgers said. The college, which notified Google and removed the information from the college computer server on which it was stored, is contacting all 1,100 students whose private information was likely available on the Internet since January 2004.

"We have taken swift steps to secure the information and to remove the data from the Vermont Tech server and from other sources," Rodgers wrote in an Oct. 12 e-mail to students and alumni. "We regret this incident, and we are reviewing our security practices, policies and employee training."

A Vermont Tech employee who coordinates the college's tutoring services was responsible for the error, Rodgers said. The staff member, he said, attempted to electronically submit the student information over a privately secured computer drive but inadvertently sent it to a publicly accessible college Web site.

The information included student names; ethnicity; Social Security numbers; addresses; and student identification numbers. Academic information, including SAT scores and academic standings, were also part of the compromised data.

"This is the first time we've been aware that this information could be accessed," Rodgers said, referring to the former student's Internet discovery. Rodgers said he has since spoken to one or two students who are curious about what happened and how the college will follow up on it.

Rodgers said all Vermont Tech employees, including the employee who made the error, will receive additional training on computer network security.

"People have to have access to information in order to do their jobs, and we need to make them understand what is secure and what is an unsecured venue for information transmission," Rodgers said.

While there is no indication that any of the Vermont Tech information was lifted off the Internet by identity thieves, the possibility that such a thing could happen is very real, said Gary Kessler, an associate professor at Champlain College and director of its information security program.

Kessler said universities and colleges, with their vast computer networks and wealth of sensitive data, might be particularly vulnerable to hackers. The University of California, San Diego, and the University of Texas at Austin, he said, are among the growing number of institutions that have fallen victim to identity thieves.

Champlain College recently spent millions of dollars on a new administrative student database system that includes state-of-the-art security. As part of the new system, only specific employees may access private data, such as Social Security numbers.

"With the new system at Champlain, I cannot get Social Security numbers of my students. I can't even accidentally disclose the information," Kessler said. "The only people that generally require Social Security numbers are dealing with financial aid."

Labels: , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs