MONTPELIER - Thousands of Vermont State Colleges students, faculty and staff learned this week that a VSC laptop computer stolen from a car parked in Montreal on Feb. 28 could have given thieves access to their personal financial information, including Social Security numbers and payroll data.
And while system administrators assured the thousands of potential identity-theft victims that they had all but eliminated access to the colleges' computer network from the laptop, some faculty and staff are furious that VSC took three weeks to warn them.
"I can share with you that many, many people have come to me to express their anger," said Ernest Broadwater, an education professor at Lyndon State College and the president of the Vermont State Colleges Faculty Federation.
The union has contacted an attorney to "learn what measures the VSC has taken to protect the information of our students, staff and faculty."
College administrators on Thursday insisted that the threat of stolen identities was minimal, but nonetheless urged the system's 14,000 current students, teachers and staff to be vigilant about their bank and credit card accounts. They said they fear the stolen laptop may have contained information on people associated with the five-college system from as long ago as 2000.
"Upon being notified, information technology staff took immediate steps to block network access from the laptop," said a system-wide e-mail that was distributed this week. "We have no evidence that any personal information has been accessed or used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters."
Karrin Wilks, VSC vice president for academic and strategic planning, said she has received "many" calls and e-mails since the warning went out Tuesday.
"Although we notified everyone just this week, we took precautions immediately," she said. "We didn't know exactly what was on the machine. We had to spend time assessing the threat, and assessing our legal/moral responsibilities."
To Broadwater, those responsibilities would include more timely notification.
"I'd be interested in hearing why it wasn't sooner," he said. "It seems that they were worried about their system but not the individuals who had their identity information compromised."
The laptop was stolen from an unidentified information technology officer's car while it was parked on a Montreal street Feb. 28. The woman - whose name was not released by the VSC - put her laptop under her seat and locked the car, Wilks said. However, she left a pair of skis in the back. Thieves broke a window, and took the skis, the laptop and other items of value, she said.
"Her vacation was ruined," Wilks said.
The woman immediately contacted the VSC and also filed a report with the Montreal police.
The potential breach of thousands of people's private information was the second one for the state colleges in less than a year. In October, a former Vermont Technical College student discovered that his Social Security number was posted on the Internet. As it turned out, the college had mistakenly posted every student's Social Security number on the Web.
"We have taken swift steps to secure the information and to remove the data from the Vermont Tech server and from other sources," then-VTC President Allan Rodgers said in an e-mail to students and to alumni. According to an Associated Press report, he ordered more training on computer security.
Identity theft is a growing problem in the United States, and several states have begun passing laws to deal with it. Last year, Vermont consumers were given the ability to freeze their credit reports if they suspect that they are victims of identity theft.
In California, lawmakers passed a credit report freeze and another measure that compels companies or organizations that lose sensitive information to immediately notify potential victims.
And Congress is grappling with national legislation that would also compel quicker disclosure.
Wilks said she understood people's frustration. "People do need to be more vigilant," she said. "People need to monitor their own debit and credit accounts for unusual activity."
[an error occurred while processing this directive]