Why Colleges Fail the Privacy Test
Most college Web sites lack online privacy policies. What does that say about their ability to secure people’s private information and to avoid data breaches?
How well do educational sites handle people’s private information?
To find out, researchers from Bentley College and security vendor Watchfire Inc., both based in Waltham, Mass., assessed the privacy practices of the top 236 U.S. colleges, per the US News and World Report 2004 list of best colleges.
Taking a cue from the Federal Trade Commission’s ongoing surveys of e-commerce sites’ privacy practices, the Bentley researchers studied the privacy notices posted on colleges’ Web sites, as well as how the sites linked to them internally. Meanwhile, researchers at Watchfire ran automated scanning to assess the Web sites for common security problems, including insecure cookie or data-collection practices.
Of the 65 schools with privacy policies, 85 percent did note whether their site collected personal information. Roughly two-thirds of the privacy notices also defined the scope of the privacy notice, and an equal number offered contact information for any privacy-related concerns. Yet only one in five sites detailed how changes to the privacy notice were handled. Interestingly, none contained a privacy seal.
Decentralized IT vs. Privacy Practices
Perhaps this isn’t surprising, given the decentralized nature of many colleges, not to mention their related IT and information security practices. As the report notes, “one of the particular challenges of managing privacy in higher education is the fact that most schools operate in a decentralized information environment with norms of academic freedom that do not exist in the private sector.” Translation: the average IT staffer has no power to regulate the actions of faculty or staff, who may run their own departmental servers, buy and use servers or wireless routers on a whim, and gather and store information however they choose.
An Educational Data-Breach Epidemic
Beyond setting privacy policies, universities must also foster an organizational information-security proficiency, and culturally make security a requirement for anyone collecting and storing sensitive information. Yet “while most CIOs in higher education identify information privacy and security as a critical challenge, too often this view doesn’t permeate organizational culture and spending,” notes Traci Logan, the vice provost and vice president for information technology at Bentley, who helped design the study.
Indeed, almost every educational Web site the Bentley researchers studied had at least one data-collection form that didn’t link to a privacy notice, and at least one page for collecting data that wasn’t secure. For example, many data-collection forms relied on the GET method, which isn’t optimal: GET appends the submitted values to the URL, so a copy of any submitted information ends up in the Web server log files, which typically aren’t as well secured as higher-value assets.
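The three form problems described above (GET submission, an insecure submit target, no link to a privacy notice) can be checked mechanically. The sketch below is an added example, not code from the study or from Watchfire's scanner; `FormCollector`, `audit_page`, the sample markup and the "href contains privacy" heuristic are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample markup (not from the study): an application form and a donation form.
SAMPLE = (
    '<form action="/apply"><input name="full_name"><input name="ssn"></form>'
    '<form method="post" action="https://example.edu/donate"><input name="email"></form>'
)

class FormCollector(HTMLParser):
    """Record each form's method, action and user-fillable fields, plus page links."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._cur = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML default: a form without a method attribute submits with GET.
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            if (a.get("type") or "text").lower() not in ("submit", "button", "reset", "hidden"):
                self._cur["fields"].append(a.get("name") or "")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_page(page_url, html):
    """Return (submit_target, issues) for every form that collects user input."""
    parser = FormCollector()
    parser.feed(html)
    # Assumed heuristic: any link whose href mentions "privacy" counts as a notice link.
    has_notice = any("privacy" in href for href in parser.links)
    findings = []
    for form in parser.forms:
        if not form["fields"]:
            continue  # nothing for the user to fill in, so no data is collected
        target = urljoin(page_url, form["action"])  # empty action means the page itself
        issues = [label for flagged, label in (
            (form["method"] == "get", "get-method"),              # values land in URL and logs
            (urlparse(target).scheme != "https", "not-https"),    # submission is unencrypted
            (not has_notice, "no-privacy-link")) if flagged]      # page lacks a notice link
        findings.append((target, issues))
    return findings
```

A GET search box is flagged the same way as a GET application form, so whoever reviews the findings still has to decide which flagged forms actually carry personal information.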
Beyond collecting data, many colleges have problems storing it securely. For example, since California passed SB 1386, numerous data breaches involving educational institutions have been reported. Just last month, Ohio University reported an alumni database hack could have compromised information on 300,000 people, including 137,800 Social Security numbers. In April, the University of Texas McCombs School of Business in Austin reported a data breach that may have affected 200,000 people. Those follow other collegiate data breaches reported this year and last, many of which individually affected the personal information of more than 100,000 people.
In short, “higher education is not immune from concerns about online privacy,” says Bentley’s Culnan. Poor privacy practices also have institutional repercussions. For starters, “privacy breaches potentially undermine consumer trust and confidence, and make people less willing to disclose personal information online.” Also, don’t discount fallout from alumni donors.
Improving Privacy Practices
The law details what the privacy notice should disclose, which includes the categories of information being collected, the third parties who will have access to it, and how individuals can access or change information they’ve submitted.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.