In a meeting with Journal-World reporters and editors, Kansas University spokesman Todd Cohen, surveys a stack of documents sent to the Journal-World and other newspapers Wednesday at the News Center, 645 N.H.

Graded student exams. Student ID numbers. Health insurance information. Social Security numbers. Cell phone numbers. Home addresses. Names.

An identity thief’s dream.

All of the above records – some originals, others copies – were contained in Kansas University documents mailed Tuesday to the Lawrence Journal-World.

The records were accompanied by an anonymous letter, written ostensibly by former mathematics department teaching assistants and current employees of the KU Recycling Center, that said the records had been recovered from trash and recycling receptacles in the KU math department. The letter went on to say that the writers had repeatedly tried to persuade the math department to better safeguard personal information.

“We’ve been informed that personal documents and records were sent to the media, along with allegations of improper handling of private information,” Lynn Bretz, KU spokeswoman, said in a statement. “The protection of private data is critical, which is why we’ve started an investigation into where these records came from and what changes need to be made to ensure a similar breach doesn’t occur again.”

That’s too little, too late, though, for those whose information was left unprotected.

“It is kind of nerve-racking because ID numbers are useful for a lot of things that go on here on campus,” said Vanessa Cunningham, a sophomore from Olathe whose name and student ID were released. “We have to change our passwords every now and then on the computer for our KU Web site. If they’re not taking care of that information, then there’s no point in a lot of things we do.”

Math department chairman Jack Porter said he was concerned that this information may have been ascertained through other means, such as theft from an office, pointing out that he keeps student information on his desk. He said the department does have a policy on the care of personal information, but he otherwise refused to comment.

KU policies

KU’s Privacy Office maintains a set of standards and practices for the safekeeping of this kind of information, including keeping all student information, such as exams, in a locked filing cabinet.

“Always shred or pulverize paper containing personal, private information,” the standards state. “Recycle paper containing private information only in secure, locked bins.”

The anonymous letter stated some of this information was found in recycling bins, but much of it was discovered in a trash bin behind Snow Hall.

The Journal-World contacted KU to inquire about the documents Tuesday night. University spokesman Todd Cohen said an investigation was launched almost immediately. All told, the records contained nearly 400 names and student ID numbers. There were 14 Social Security numbers – including a copy of one Social Security card – four dates of birth, three pieces of health insurance information and 17 phone numbers. There were also immigration documents, high school report cards, student final exams and student transcripts in the package.

“We take protecting this kind of information very seriously. This is a very, very serious issue,” Cohen said.

This is the second time in the past six months that student personal data was found unsecured. This summer, a number of student final exams were discovered unsecured in the halls of Wescoe Hall, which was about to undergo renovations. At the time, the university pledged to do a better job of safeguarding records.

Any disclosure of student information not considered directory information – such as names, addresses, e-mail addresses and possibly phone numbers – is forbidden by the Family Educational Rights and Privacy Act. Though extremely rare, violation of FERPA can result in termination of federal funding to the offending school or university. People also could sue individually for breach of privacy, if they choose.

That penalty sounds somewhat hollow, though, to students, faculty and staff whose personal information has been exposed.

Victims feel violated

For KU student Melissa Farr, the discovery that her personal information was disclosed to the media came as a shock.

“Never would I have thought the news would end up with my personal information. I thought they properly disposed of old exams, papers, etc.,” she wrote in an e-mail. “I guess since I work at the hospital and disposing of patient information is such a huge deal, I guess I haven’t thought that it could be happening right where I go to school.”

With a student ID and name, it’s possible to access transcripts, tuition bills and some student health information.

Pamala Shadoin, a KU staff member, was dismayed to learn her information had been included in the documents. She mentioned the possibility that more papers could be out there to be found by anyone.

“It worries me a lot,” she said. “This is something the university should really care about. It’s unfortunate it takes something like this for the university to take action.”

In addition to the Journal-World, the records were sent to two other area newspapers, according to the letter. The university has requested that all of the documents be returned to the university immediately.

The Journal-World has made the documents available to KU to assist with its investigation but does not plan to return them, said managing editor Dennis Anderson. No copies of the documents will be made public and they will be destroyed once reporting of the story is complete, Anderson said.

“We have no interest in the contents of the documents,” he said. “Our priority is reporting how this happened and what the university is doing in response.”

The Journal-World has kept the documents in a locked filing cabinet since receiving them, taking them out only to catalog the contents and to attempt to contact people whose records are included. The Kansas City Star, as of Wednesday night, had not determined what it would do with the documents it received, said editor Mark Zieman.

“We’re still discussing that. We know that they’ll be disposed of properly, one way or another,” he said.

The University Daily Kansan, the other newspaper to receive a set of documents, made a copy of the documents for its reporters to use, but returned the originals to the university, said editor Erick R. Schmidt.

“We’ve kept them locked up since we got them,” Schmidt said. “The university said they wanted to contact faculty and staff who were involved, and they couldn’t do that without the documents.”

A possible solution

Even before these documents were sent to the media, KU had started a review of how it deals with information. At this fall’s faculty/staff convocation, Provost Richard Lariviere said the new protocol would require a major change in how the university does business.

Denise Stephens, vice provost for information services, who is leading the new initiative, said it is critically important that faculty and staff who routinely handle information know how to safeguard the information – while retaining it for possible use in the future. An example would be research data that could be built on in coming years.

The initiative has four broad parts: records retention, data stewardship, accountability and training. Stephens said it’s important that departments designate a person to be responsible for information being dealt with correctly.

“We’re building a comprehensive program across the university,” she said. “Information is all over the university. It’s going to be important to identify what’s out there, who has it and what risks it presents if it’s lost or inappropriately accessed.”

Stephens said it could take years for the initiative to take hold among all faculty and staff, but it’s worth the time and effort.

The Federal Trade Commission suggests anyone whose personal information, especially Social Security numbers, has been compromised take four steps. Place a fraud alert on your account with the three major credit bureaus – Equifax, Experian and TransUnion – close any accounts that may have been tampered with, file a complaint with the FTC, and, if necessary, file a police report. More information on identity theft is available at www.ftc.gov and www.privacy.ku.edu.