OHIO UNIVERSITY BUYING COMPUTER PROTECTION The Enquirer - UC buying computer protection

UC buying computer protection

Encryption system works to keep personal info private

The University of Cincinnati is buying encryption software for as many as 8,000 university-owned computers holding personal information such as Social Security numbers.

UC is spending about $22,000 to start the encryption this year, said Kevin McLaughlin, director of information security at UC. The software protects information from anyone but an authorized user.

The move comes as UC has dealt with two incidents in the last month when it had to send letters to students, graduates and parents admitting that information had beenstolen, lost or left in unsecured locations.

In the latest case, records including Social Security numbers for about 21,000 people were in filing cabinets that were sent out to be resold.

Some of the filing cabinets were left unlocked in a public area, McLaughlin said. The letters suggested people contact credit reporting bureaus.

"We didn't have to send the letters, but if it was me, I'd want to know," he said. "The fact that the records left our control and were in a public area, you can't be too careful these days."

The incident was UC's biggest breach of personal record security and the latest local example of a trend sweeping the country.

At colleges and universities, with thousands of university-owned laptops containing grades or financial information, and even more paper records, information security departments are educating students, faculty and administrators.

McLaughlin said he will talk next week to UC's Faculty Senate about protecting records.

UC is not alone.

Northern Kentucky University is installing a computer platform that will create identification numbers different from Social Security numbers.

Dave Renaker, a systems analyst who heads information security at NKU, said his school hasn't faced a significant incidence of compromised personal information but is planning to make personal and financial information more secure.

For example, he said, it's buying portable computer drives with security already built in to go on computers that might carry students' personal information.

"A lot of this is relatively new," Renaker said. "Really, it depends on the individual who comes down to being the weakest link, the guy who's careless with his laptop. And the next question is, why is that information on the laptop anyway?"

Nationally, there have been several huge incidents.

Several years ago, a research system at the University of California at Berkeley containing data on 1.4 million people was compromised.

Extending outside the university world, the parent company of the T.J. Maxx chain said earlier this year hackers stole information from 45.7 million credit cards and debit cards.

Last spring, the names and Social Security numbers of 64,000 Ohio state employees were stolen from an intern's car where he had left the backup storage data.

A review of the data found the device also held information on 53,797 participants enrolled in the state's pharmacy benefits management program, as well as names and Social Security numbers of about 75,532 dependents.

In the other incident at UC, a stolen flash drive (a portable memory device) included names and Social Security numbers of 7,366 people. That highlights how difficult maintaining security can be for students, faculty and staff with laptops.

But McLaughlin said the encryption software provides better protection.

"Once they know they have sensitive data, the encryption package takes five or 10 minutes to install and then it just works in the background," he said.