In May, Ohio University (OU) announced that a security violation was discovered in which “The computer system contained biographical information for more than 300,000 individuals and organizations, including the Social Security numbers of more than 137,000 individuals” was penetrated by unknown persons. A later report indicated that another breach exposed the Social Security numbers and also health records of “60,000 people including all current students as well as some school faculty.”

Adam Dodge, a graduate student in Norwich University’s MSIA program, recently sent me a summary of the consequences of these breaches and others at the unfortunate school. As usual, I have edited the contributor’s original material for publication in this newsletter.

* * *

It seems that OU has begun to receive heated backlash from alumni regarding the recent information breaches suffered by the university. A June 12 article in the _Athens News_ by Jim Phillips reviews alumni reactions. Reactions include disgust (some of it expressed in vulgar language) at the loss of reputation for OU; promises to stop any future donations; possible class action lawsuits; and a proposal from one alumna to bill OU for the time she has spent checking her credit reports.

These reactions raise interesting questions. What are the legal liabilities and responsibilities of an organization that exposes personal information to criminal hackers? Like many other organizations, OU has set up a hotline and several University Web sites with detailed instructions on steps individuals should take if their information was exposed, how to protect your Social Security number, and steps to take if you have been a victim of identity theft.

However, the help offered by OU on these Web pages is informational only. OU offers individuals exposed to possible identity theft no monetary assistance in maintaining a watchful eye on their credit reports. Nor does OU offer any personal assistance in dealing with the consequences of identity theft. Instead, OU recommends that individuals use free yearly credit reports and place an extended alert on their credit report, but only if they have already become victims.

These recommendations may be inadequate. Yearly credit reports are too far apart to catch and mitigate identity theft. OU recommends ordering free reports from each of the three major reporting companies at intervals throughout the year; however, even four months between reports offers identity thieves time to ruin their victims financially and cause immense damage to their credit ratings.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.