Chancellor vows to tackle 'systemic' data security problems on campus
Promises external audit, encryption of personal data, clear accountability
06 April 2005
In a strongly worded message to the campus community, Chancellor Robert Birgeneau said he was "stunned" to learn of last month's theft of a laptop computer from the Graduate Division, and promised swift action to correct what he called "serious gaps in our management" of personal data.
The laptop, which was stolen from an empty Sproul Hall office on March 11, contained Social Security numbers and other personal information for roughly 98,000 current and former graduate students and grad-school applicants, some of it dating as far back as 1976. UC Police have called the theft a "crime of opportunity," and university officials say there is no indication the information has been misused.
Nonetheless, Birgeneau vowed to rectify "the lack of clear lines of accountability, both personal and departmental" in enforcing campus policies governing computer security and the protection of personal data, policies he said have been strengthened over the past 15 months. "Our students, staff, and alumni expect us to protect the information they have given us confidentially," he wrote, "and we have not maintained that trust."
Among other steps, the chancellor promised an external audit of the university's policies and practices regarding the handling of personal data, and said campus administrators would "move quickly" to encrypt all such data stored on departmental computer systems, and to remove all "unessential data."
Birgeneau also insisted the Graduate Division "will account for how the theft could have occurred and why sensitive personal information was on a portable, unsecured laptop computer," adding that any individuals found to have violated "clear policy" will be subject to disciplinary action.
"Unfortunately, in this technological age absolute security of all information is impossible," the chancellor wrote. "However, this is no excuse for not managing the databases properly."
The university, which delayed announcing the theft for two weeks to allow police to pursue leads in the case, has sent e-mails to some 6,700 people in the database, and is notifying others by letter. Further information is available by clicking on a new "ID Alert" link on the campus home page, www.berkeley.edu, or by navigating directly to idalert.berkeley.edu. That website contains useful phone numbers, information on next steps to take, and links to credit-reporting agencies. A toll-free number and e-mail account have also been set up to answer specific questions not addressed on the website: (800) 372-5110 and firstname.lastname@example.org.