Securing Data 101.

[ILLUSTRATION OMITTED]

After two data breaches involving the records of more than 28,000 students, the University of Cincinnati (UC) is shoring up its electronic defenses. But it also needs to protect data stored in unlocked file cabinets in university offices across campus.

In August 2007, a flash drive containing more than 7,000 students' names, Social Security numbers, and dates of attendance was stolen from a desk at the College of Applied Sciences. Just two months later, insurance waiver forms including Social Security numbers for approximately 21,000 people were stored in filing cabinets that were sent out to the university's Asset Management office to be resold.

University policy requires three separate inspections of office equipment before leaving UC property. Each checkpoint failed.

After two incidents within two months where personal student records were stolen, lost, or left unsecured, the school said it would install encryption software on more than 8,000 UC computers to protect sensitive records.

However, a Cincinnati newspaper, The New Record, discovered a room at the McMicken College of Arts and Sciences containing multiple, unlocked filing cabinets filled with student information. The paper reported that its staff members were able to enter the unlocked room, open file cabinets, and access inactive student documents easily and without being questioned.

"Lock your file cabinets" Kevin McLaughlin, director of UC information security, told the paper. "Lock your desks and don't keep sensitive data that you really don't need."

Amazingly, McLaughlin said his department, which has been in place for about 20 months, has not placed "too much focus on paper documents" and has not emphasized safeguarding printed documents about individuals associated with the university.

To improve security, the UC information technology department said it would purchase 2,000 copies of data encryption software. To get a handle on physical records, university officials are attempting to identify the whereabouts of unsecured information about students stored at various locations and offices across campus.

"We need to know where sensitive information is, [and] if we need it, we need to protect it and get rid of information that we have no true business having" said McLaughlin, who also plans to teach professors and administrators how to better protect sensitive information.