A recent report by Educational Security Incidents found that the number of data breaches on college campuses rose 67.5 percent last year, compared to 2006. But at Penn, officials say, a number of measures are in place to protect data.
According to a policy Penn has had for 10 years, "anyone storing any confidential University information has to meet a set of security standards," David Millar, the University's information-security officer, said.
These standards include proper security patches, strong passwords and trained staff. Penn also scans computers for weaknesses twice a year in order to prevent data breaches or possible leaks of information.
Kenneth Green, founding director of The Campus Computing Project, said most reported data breaches occur because of "perpetual adolescent issues," referring to the independent academic program or research lab that links to a centralized network and fails to meet the security standards set up by the parent network.
"If you follow the rules, you reduce the risk," he said. "But you have to recognize that rules continue to change as the environment changes."
In order to prevent problems common with its decentralized network, Penn has developed an annual assessment of the 20 to 25 schools and centers, Millar said.
Lauren Steinfeld, Penn's chief privacy and institutional compliance officer, said the Security and Privacy Impact Assessment program, which was implemented about two years ago, helps Penn's various schools' centers make sure they have the right security and privacy controls in place.
Steinfeld stressed that Penn is "trying to have the students understand some of the issues and to educate them about how to protect themselves. . Our job is to make sure people are educated about these issues."
Some of the awareness programs include an informational brochure that Penn has sent out the past three summers to students and their families.
Also, for the first time this year, the University included an information privacy component during a New Student Orientation session.
This year, NSO also included a special session organized in cooperation with Student Financial Services about managing finances and protecting student identities.
"It is important to remain vigilant on privacy and security matters," Steinfeld said.
With that in mind, she added, Penn will "continue to look for what new threats may be out there for the data and what we can do to reduce the risks."
This vigilance has led to a new policy for faculty and staff about Social Security numbers.
The policy is a new drive to encourage people to try to identify Social Security numbers on old papers and files and to eliminate them when possible or convert them to Penn identification numbers.
"We recognize that sometimes Social Security numbers are necessary to maintain, and in those cases, the policy establishes strong security requirement to help protect that sensitive data," Steinfeld said.
