Data security precautions taken
Free credit monitoring ends after one year

FROM RICE NEWS
STAFF REPORTS

The year of free credit
monitoring for more than 7,000 Rice employees, students and retirees in
response to the random theft off-campus of a device containing some personal
information is coming to an end, university officials announced today. No data
breaches were reported from the theft, and employees will have the option to
extend the service at their own expense.

”Based on the information
we have collected over the past year, we have not seen any evidence of identity
theft that can be linked to the theft of the device, and that’s good news for
everyone,” Vice President for Administration Kevin Kirby said.

Kirby said the university
has taken several additional steps to improve the security of sensitive data on
Rice-owned computers.

A new Security Task Force
chaired by Bart Sinclair, associate dean of the George R. Brown School of
Engineering, recommended a policy on 

Protection
of Personally Identifiable Information. That new policy reaffirms that the
university complies with federal, state and local laws and regulations for
collecting, storing, transmitting and disposing of confidential or sensitive
information. The policy was adopted in February, along with other task force
recommendations to improve data security.

”The protection of
personally identifiable information is a critical, shared responsibility and
one that will require the combined efforts of the entire Rice community,”
Sinclair said. ”The importance of this cannot be overstated.

”The members of the task
force recognized that one of the most important elements in the implementation
of this policy is raising the level of awareness of the issue across campus and
providing guidance, processes and tools for managing data security in all
media, electronic as well as paper.”

The task force
recommendations included creating a new position of project manager for
security of confidential personal information. Frank Rodriguez was appointed to
that role this past summer and has been working with departments to help them
better protect their sensitive information, and with other offices on campus
that are responsible for data security, including Information Security Officer
Marc Scarborough.

Another task force
recommendation was to add an additional IT security analyst position – filled
by Peseng Yu – that reports to Scarborough. Yu follows up on Rodriguez’s
findings by implementing the technology needed to protect each department’s
sensitive data both on the computer and when it is transported. 

Those efforts build on
steps taken by Information Technology since the theft last August to install
encryption software on laptops and portable devices used to transfer
information.

Scarborough and his team have evaluated and purchased technology to help the Rice community identify and, where appropriate, remove protected information from their computers. They are also evaluating and testing technology that can ensure that protected information does not leave the campus through Rice’s email servers.

While such safeguards have
improved the security of confidential information, human error can still pose a
risk, Scarborough said. For example, recently personal information on some
students was inadvertently shared due to an email error. The mistake was
quickly caught and remedial action taken. The 12 people who inadvertently
accessed the information were contacted and told to delete it. As a precaution,
the university offered a year of free credit monitoring to the affected
students.

Security awareness and
training are high priorities for the Information Technology staff. Scarborough
and his team have hosted several forums on mobile data security and are
preparing for an information security awareness campaign in October.

”Our ultimate goal is to
educate the Rice community about best practices in data security and provide
them with tools to prevent data security breaches,” Scarborough said.

Meanwhile, more than a
year has passed since the device theft last year.

The deadline for
registering for the free credit monitoring service was Dec. 31, 2010, so it will
end between Sept. 15 and Dec. 31, depending on when people signed up.
TransUnion is sending letters to the 2,932 Rice subscribers approximately 30
days before their free service ends to remind them of the expiration date and
to offer the option of continuing the service at their own expense.

For more information on
securing data, visit https://docs.rice.edu/confluence/display/ITTUT/Secure+your+Rice+data.

For information on
protection from identity theft, visit https://docs.rice.edu/confluence/display/ITTUT/Protect+yourself+from+Identity+Theft.