The Case of the Student and the Missing Laptop

There is an interesting article over at the Hollister Free Lance site about a potential security incident that may have occurred at Gavilan College. It seems that Tim Holliday, a former Student Trustee and Student Body Senator, is making noise about a Student Body laptop he claims contained personal information such as names, Social Security numbers and photos on 3,100 students, faculty and staff that went missing last year. Apparently, after reporting the missing laptop, Holliday is displeased with the lack of action by the college for more than a year, and he is urging the college to notify affected students about the potential risk.

However, the college is taking a different view on the incident. According to the article, the college investigated the report and discovered that Kayed Asfour, a Gavilan student, was the last person to see the laptop. Apparently Asfour assured the college that he deleted all of the Social Security numbers from the laptop before it went missing.

Satisfied with this, the college chose not to report the incident. According to Gavilan President Steven Kinsella, the college took the necessary precautions, and the college cannot verify that the laptop contained personal information. In addition, Kinsella points out that the Associated Student Body is an independent organization. As Kinsella states in the article, it is not an issue to the college.

Um… what? I do not understand how the possible exposure of 3,100 records containing personal information could not be an issue for any college or university. If what Holliday claims is true, there are some serious questions that beg to be answered about this incident. Unfortunately, there is little more information online about this story beyond the article over at the Hollister Free Lance site.

I found this to be a very interesting story for a number of reasons. It strikes at the heart of what many organizations deal with when discussing what actions to take in the event of a suspected incident. There are contradicting stories, unclear information exposure and questions about authority and responsibility for notification. I hope that more of this story becomes known since I have so many unanswered questions about this incident.

While there is not enough information available to draw any conclusions about this incident, here are some personal ideas about breach reporting.

1. I do not believe that notifying individuals only when personal information loss can be verified is the best approach. When there is the possibility that personal information has been lost or exposed, the organization should always strive to notify unless it can prove the information was not lost or exposed.

2. The assurances of one individual do not count as adequate proof to stop notifications, especially when these assurances are contradicted by another individual within the organization. ‘Tis better to err on the side of caution in my opinion.

3. Information lost by an independent entity does not absolve an organization of the responsibility to notify affected individuals, especially if the information was given to the independent entity by the organization for official use. After all, when Iron Mountain lost backup tapes belonging to the Louisiana Office of Student Financial Assistance, LOSFA immediately contacted the affected individuals to make them aware of the incident. The same held true when independent third-parties lost information given to them by Waseda University, the University of Akron, Kansas State University, and Berry College.
