GUARDING AGAINST IDENTITY THEFT
UCLA tightens data security
BY AJAY SINGH
UCLA Today Staff
Campus authorities have intensified efforts to protect and heighten
awareness about personal and sensitive data on computers after a
laptop was stolen from a locked van at a UCLA blood drive last November
and another laptop was pilfered from a UCLA Healthcare financial
office in late May.
The two laptops contained information that included such details
as names and Social Security numbers, which could potentially be
used to steal an individual’s identity. The first computer
taken from the van held a database containing personal data from
some 145,000 donors to the UCLA Blood and Platelet Center.
Campus officials are taking no chances with identity theft, one
of the fastest-growing crimes in the country. “In order to
prevent any unauthorized access to personal information in the future,
UCLA Healthcare is taking steps to further enhance the security
of its computer systems,” said Michael McCoy, chief information
technology officer for UCLA Medical Center.
“We’re going back through past reports of thefts to
be sure that anything with sensitive information has been accounted
for,” said Jim Davis, associate vice chancellor of information
technology. There is no indication so far of any “pattern
of identity theft cases” at UCLA.
Inventories of computers on campus exist, “but the question
is: What is on those computers?” Davis pointed out. “Then
there is the matter of PDAs and home computers with which people
are accessing campus resources as well.”
UCLA has always taken care to protect personal and sensitive data,
officials said. Such efforts have only intensified since July 2003,
when a new state law designed to help prevent identity theft went
into effect. The law applies to personal data exposed in an unauthorized
manner, whether through theft of computer equipment or through compromise
of computers on a network.
“What has happened now is that we’ve had an event
in the middle of our response,” Davis said. “Since last
year we have run security seminars, produced reports and issued
a letter to faculty and staff. We’re now preparing successive
communications, along with taking several steps we’re in the
process of implementing.”
The first step was the creation of a network of security breach
coordinators — one for each major academic or administrative
unit — to look into what kind of personal data is stored on
computers. “Where there is sensitive data on a computer, we’re
looking at both its electronic and physical security,” said
Davis. “We’re also looking at security when people access
and download data.”
Part of the coordinators’ job is to ascertain who the proprietor
or custodian of sensitive data is, whether it pertains to a school,
division or unit, and if the data is appropriately protected.
“What needs to happen first — and is, by and large,
already happening — is that people need to ask, ‘Do
I really need to have this sensitive data at all?’ ”
said Davis, adding, “This is already driving people on campus
to remove some data from their computers.”
If they do need a piece of sensitive data, the second question
focuses on the details in that data: Does it have to include a full
Social Security number, or is it sufficient to retain only the last
four digits? This is an important issue that extends beyond data
used for patients or blood donors.
“We find examples where faculty write recommendation letters
for students, which, in the past, have often required students’
names and their Social Security numbers,” said Davis. “More
recently, there have been a number of significant efforts to move
away from using Social Security numbers entirely.”
Finally, if sensitive data must be used, appropriate physical
and electronic safeguards must be in place, including protecting
passwords from unauthorized use. But given the alarming escalation
in identity theft, stressed Davis, “I consider the first two
questions to be the primary defense in terms of addressing laws
whose real intention is to help protect privacy.”
For more information on protection of personal and sensitive information,
visit www.icompass.ucla.edu/policies/personal_info.htm.