Last October, an embarrassing leak of documents containing student records spurred Kansas University to take a close look at its privacy policies.

Documents that included identifiable information such as Social Security numbers and student ID numbers were found in university recycling bins and were mailed to several local media organizations, including the Journal-World.

In the wake of the incident, which involved the mathematics department, KU revised its privacy policy and stepped up its use of technology to block outside infiltration.

“It’s an ongoing and never-ending process, basically educating staff and keeping policy current with changing technology, because we have to make sure things are secure, but also accessible so we can do our business,” said Todd Cohen, director of University Relations.

University-wide initiatives

Following the document flap, Provost Richard Lariviere initiated an education program that requires all university staff to be aware of how to properly dispose of sensitive materials.

Cohen said KU contracted a second paper shredding company and has distributed more secure boxes for disposal of documents with private information.

“The bottom line is that there’s a lot more outreach so folks are aware” of their responsibilities and issues that can arise from carelessness, Cohen said.

A new privacy policy drafted after the documents were distributed to media organizations further defined the responsibilities of faculty and staff, and laid out penalties for failure to adhere to the guidelines.

Lessons learned

Jack Porter, mathematics department chair, said his department created its own privacy policy after the incident.

“I think maybe we felt we were doing things in the right order, but I think after last fall, we looked at it, we talked to the privacy officer and so forth. We decided that we should have our own written policy,” he said.

The math department’s policy is similar to the university’s but specifically addresses department personnel. He said departments must be vigilant about protecting personal information.

“We’re doing what we can to prevent it. There’s little bitty things like when a grad student that’s been teaching for us leaves us in May; before we move somebody else into that office, we go in and check to see if there’s any papers and so forth around. I think that’s part of what we were not doing before. We make sure that’s all disposed of,” Porter said.

Security on all fronts

It’s not just hard copies that KU is cracking down upon.

Cohen said more attention is being paid to technology, specifically encryption of e-mail programs and laptop computers belonging to employees who deal with IT security, finance and student data.

Jeff Perry, manager of security services and operations, said the university is constantly fine-tuning its approach to computer security.

“KU is approaching it on a multitiered front. You’ve got to approach it not from a network security standpoint, but also from the workstation, the data, how do people use (computers),” he said.

That’s the right approach, said Matt Harcourt, director of government and education for Juniper Networks, a network security consultancy based in Sunnyvale, Calif. Juniper Networks provides security to about 2,000 universities across the country.

“To me, the physical security is an important piece of it, but the electronic data is 100 times more important,” he said. “If a school is not concerned about maintaining the security of their network … then I think they’re missing the boat.”

Harcourt said he hears of electronic security breaches involving universities every few weeks. It’s troubling for universities, which must protect not only private information but also proprietary research.

“It’s a big issue, and it’s a tremendous challenge that these universities have,” he said. The solution, Harcourt said, is to use multiple firewalls and to allow encrypted remote access by authorized users, while ensuring the data and network are vigilantly maintained.

KU is doing that and is constantly updating its procedures, Perry said. He’s confident that private data collected by the university is safe.

“I sleep pretty well at night. I feel comfortable,” he said. “It’s one of those things that any large institution has to continually look at. It’s never going to be done.”