What Can I Do About Poorly Handled Data Theft?

Embarrassed UTA Alumnus writes "My former college, the University of Texas at Arlington, just made the now-all-to-common announcement that student data — including Social Security numbers, e-mail addresses, grades, and other information — were on several recently stolen personal computers. The computers were from the home of a Computer Science lecturer, and perhaps more worrisome was the fact that they were the only stolen items in the incident. I had the displeasure of taking one of the lecturer's courses a few years ago, and anyone from his courses since the year 2000 is affected. In response, UTA is providing free 90-day 'fraud monitoring' (not full credit reports), and no disciplinary action has been taken against the lecturer who lost the data." In situations like this, what can a student do when a large institution loses critical private information, makes only a token effort to fix the problem, and lets the people involved continue in practices that may make a similar, or more serious breach occur in the future? "The data was not encrypted. The lecturer in question is one of the CS faculty at UTA who all conveniently guarded one another, so I guess I shouldn't expect more from him in that area. More importantly though, no one should have had this data on their personal computers, and Social Security numbers should not have been included at all. Furthermore, even without the concern of theft, I seriously question the need for years-old private student data. It is suspicious at the very least.

The UTA PR department is already trying to bury the issue with vague claims of new efforts to hire a system-wide CIO who would be responsible for all 15 UT system campuses. The lecturer in question responded to the student newspaper with 'no comment' each time they attempt to interview him.

I feel like the university should do more, including seeking disciplinary action against all involved. What can I do, short of keeping an eye on my credit and letting the school get away with yet another blunder?"

Obviously

[Rob+T+Firefly]

Give them fake info when you sign up to college. As an added bonus, you'll never have to pay off that student loan.

Only downside is eventually having to explain the diploma in the name of "Nospamplease Fuckoff" proudly displayed on your wall.

It is a violation of FERPA

[Seraphim_72]

Though usually seen as a law regarding the voluntary violation of privacy I wonder if you couldn't get it to work in this case as well. One of the rules for FERPA is that

A school MAY disclose education records without consent when: * The disclosure is to school officials who have been determined to have legitimate educational interests as set forth in the institution's annual notification of rights to students;

Now IANAL but I would bet at no point did the school ever tell you that instructors got to get your SSN. More over I bet that they ever told you they get to retain that data either. Plus, one of the rules is that the person recieving the data must be getting it for a legit reason (like it being your ID number). I can tell you this though - I work at a college in a small IT Dept, we get 2 yearly lectures about student privacy, because of FERPA. I say write the FERPA people about it, you have never seen an Institute of Higher Ed move faster than when the Feds show up and start talking funding.

Sera