Simon Says – Musings of a Technology CTO

datalossdb.org entry / Cornell University Entry

Another typical notification of data loss by an educational establishment. In summary, the personal details of around 45,000 current and former students and staff were lost when the laptop containing them was stolen.

Cornell have been very open with the facts of the matter, their site talks about what they have, and will do about it, and the help they are offering people affected. They also mentioned that their policy is that such data should be either encrypted, or in a secure location. Two things they admit this particular member of staff violated.

Interestingly, it lets us make some assumptions about how much this is costing them:

1. Write and post letters to 45,000 people

$9000 – $15,000 depending on pre-sorting the letters – USPS bulk rates

2. Contract with Kroll, Inc. to provide credit reporting and identity theft restoration services

As Kroll also wrote to everyone, let’s assume that the initial cost to Cornell was at least the same

Total tangible cost  – $18,000 to $30,000

Not much you may think, but put it into perspective – a typical everyday data loss just cost them around $25,000 directly, and much more in intangible expenses. Multiply that by the number of mislaid USB sticks, CD/DVD’s, PDA’s, Laptops, Printouts, Unintended data transmissions etc and you get the idea that it’s an expensive problem, with surprisingly inexpensive solutions.

This is not the first time it’s happened at Cornell though – They lost (or rather had stolen from checked baggage) another laptop back in December 2006 – although much more minor with only 122 peoples records lost.

Before that back in December 2005, they lost 900 records when “security was breached” on a computer ( I guess a network attack?).

In the latter two cases, the unlucky guy at the sharp end of the stick is Steven J. Schulster, Director, IT Security Office. I feel for him a little, he’s got policies in place, he’s obviously thought about the problem and provided mitigating solutions, but still his users are not paying attention. He’s certainly well aware of the need for data protection, having purchased tools such as Data Finder to help clean up personal information, and although not my product, at least offered Encryption to laptop users.

Cornell have performed studies into how people feel about Protection of Personal Data in the past, and even made a Video teaching people how to be more secure.

What more can Steven do? He has policy in place, technology to help, yet still his users are playing roulette with PII.

I hope the IT guy who’s at the root of this problem, the one who broke policy, stored PII, then had his unprotected laptop stolen realizes that it most likely also contained his personal information as well. Identity protection and security starts with users, you, me, our colleagues etc valuing our own information and identities – Policy, process and technology, as Cornell have found, can only help us, it can’t solve the problem.