[Dataloss] Columbia University (NY) has posted SSNs on line for16months

TSG tglassey at earthlink.net
Thu Jun 12 16:59:32 UTC 2008 

Not that I am a lawyer (because I am not)  but there is an easy answer...

The way to deal with this is to use the Qui Tam statute and sue the
university under the False Claims Act based on their filings with the
Department of Health and Welfare and their filings with the State and
Federal Department's of Education which fund much of the schools internal
actions.

The security issue is a derivative error for fraudulently claiming that they 
properly met all of the operating requiments for a school. And clearly they 
havent... They (the school) are required through those filings to obey any 
and all laws relevant to their operations, so it (this breach) is a simple 
CFAA negligence claim.

Then all of the student body become a class and all that needs to be
documented is the failing to ask for a summary judgment. See the Federal
Laws, especially the Computer Fraud and Abuse Act and the Stored
Communications Act have amazing latitude here.

Todd Glassey (as a civilian).


----- Original Message ----- 
From: "Casey, Troy # Atlanta" <Troy.Casey at McKesson.com>
To: <dataloss at attrition.org>
Sent: Thursday, June 12, 2008 8:33 AM
Subject: Re: [Dataloss] Columbia University (NY) has posted SSNs on line
for16months


> "we have no evidence of wrongdoing"
>
> Apparently Columbia University does not consider an employee posting its
> students' social security numbers on the Internet to constitute
> "wrongdoing."  Pretty lax practices by the University, considering this
> same thing basically happened just 14 months before this incident!
>
> At least the victims are afforded a heaping helping of the useless
> credit monitoring service.  The University spokespeople seem to
> acknowledge no culpability on the University's part.
>
> We need some new legislation in this area.  Desperately.
>
> And that's saying a lot coming from a libertarian like myself!
>
> Troy D. Casey
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown
> Sent: Thursday, June 12, 2008 9:32 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] Columbia University (NY) has posted SSNs on line for
> 16months
>
> From the NY Sun http://tinyurl.com/5fnfxq Columbia Students Outraged By
> Online Privacy Breach By ANNA PHILLIPS, Special to the Sun June 12, 2008
>
> Angry Columbia University students are demanding an investigation after
> it was discovered yesterday that 5,000 of their Social Security numbers
> had been searchable online for the last 16 months.
>
> Students received an e-mail message on Tuesday night from the vice
> president of student auxiliary and business services, Scott Wright,
> explaining that in February 2007, a student employee had posted a
> database of students' housing information, including this reporter's, on
> a Google-hosted Web site.
>
> "No financial data was included in the file in question, and we have no
> evidence of wrongdoing or identity theft," Mr. Wright said in the e-mail
> message. "We are very sorry for this occurrence."
>
> Columbia would not identify the student, saying only that the person had
> worked in the university's housing office.
>
> Administrators said they learned about the security breach June 3 when
> an alumna contacted the housing office. Google removed the Web site upon
> request.
>
> As a result of the security breach, Columbia is offering students a free
> two-year subscription to a credit monitoring service.
>
> Yesterday, students informed the school that the information of about
> 200 students was still searchable.
>
> A Columbia spokesman, Robert Hornsby, said Google had removed the file
> as of yesterday evening.
>
> Several students yesterday created an online petition and posted it to
> the main campus Web log, demanding that the university investigate the
> former employee and issue a report explaining how security will be
> increased.
>
> A similar leak occurred in April 2007, when the university noticed that
> three databases containing students' addresses and Social Security
> numbers were online.
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor
> your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

More information about the Dataloss mailing list