Does UCLA Have a Campuswide, Integrated Crisis Plan?

By Terry Calhoun

My heart g'es out to campus IT folks who experience private data security breaches. I know—we all know—that, except for a few extreme cases, each one of these could be any of us. No matter how hard we try, there is always some vulnerability. The latest, of course, is the largest campus-based breach of all: More than 800,000 records at the University of California, Los Angeles (UCLA).

About 800,000 database records on students, faculty, and staff were “exposed” in a series of intrusions that went on from October of 2005 until late November 2006. Some of the information at risk included birth dates, Social Security numbers, names, and other information useful in identity theft. The university says there is no direct evidence that any of the information was actually misused, and it's doing its best to do the right thing:

"In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications," said Jim Davis, UCLA's chief information officer and associate vice chancellor for information technology. "We deeply regret the concern and inconvenience caused by this illegal activity. We have reconstructed and protected the compromised database and launched a comprehensive review of all computer security measures to accelerate systematic enhancements that were already in progress."

In recent months, I've taken a more subdued approach to news items in IT Trends about such breaches, much for the same reason that I don't focus that much on another building, or another part of a campus getting wireless access points. Who cares? Well, the answer is that the folks living or working in a location without a good wireless signal care

The IT staffers involved care about wireless ubiquity, too, but no one's likely to lose their job because the planning for wireless connectivity is too slow or is over budget. That stays a pretty strictly internal affair except for an occasional letter to the editor of a student newspaper.

Hackers getting into personal information is an entirely different story. Not only is it a reputational crisis for the institution--just ask the folks at Ohio University, which experienced five separate incidents last spring that included exposure of the president's personal information and not only resulted in tremendous staff angst (including a new CIO), but became the catalyst and focus for other criticisms of the institution's overall management and reputation--that kind of breach brings federal and state laws into play and ignites some pretty extreme phobias among students, faculty, staff, alumnae, vendors, and so forth. Here's Peter Adler, of Adler InfoSec & Privacy Group LLC and former interim Chief Information Security Officer at the University of Colorado puts it in a recent EDUCAUSE Review article:

[C]ontrolling risks to personal information through enhanced information security has become the subject of state and federal laws. The recent upsurge in the number of state and federal laws and regulations represents an emerging legal standard that imposes obligations on colleges and universities to protect the data they collect, store, process, use, and disclose. These laws increasingly affect how higher education institutions, often operating in multiple jurisdictions, handle personal information, including sensitive health and financial data. Many of the new laws require disclosures to victims when there is unauthorized access to systems containing sensitive information. Failure to protect this type of information will inevitably result in public embarrassment and the financial costs associated with managing the response to incidents and may also result in investigations, fines, and other penalties

Adler is a proponent of centralized control and security for this kind of information. (Note, also, that the EDUCAUSE Resource Center on the topic of Cybersecurity.)

Centralized control of anything is a difficult thing to achieve on any college campus, much less on a campus the size and complexity of UCLA. Even folks outside of higher education realize this: “'Universities tend to have a lot of information floating around in a lot of different places,' said Jay Foley, executive director of the Identity Theft Resource Center, a San Diego-based nonprofit. ‘They are places we send our children to share ideas, and it's hard to mix the open sharing of ideas with the need to tighten down on security.'”

But from what we know right now, the information is being reported as having been exposed from a central campus database. According to Rodney Peterson, security task force coordinator for EDUCAUSE, who was contacted by Campus Technology staff, that and the size of the breach are the specifically unique elements of this UCLA incident.

This UCLA story has also reached public attention on a scale not seen before. A pertinent Google News search at 7:55 am on Wednesday, December 13, brings up 362 current news articles related to this. You know the story is in the big time when it is one of the three Top News Stories on National Public Radio's (NPR) front page. It's definitely become a “reputational crisis” for UCLA, and it will be interesting to see how well the institution's IT staff, legal staff, and communications staff handle this.

D'es UCLA have a crisis plan or a crisis management system in place to handle an issue like this, which becomes much more than just an IT problem? A quick Google search d'esn't find me one, and the staff there is way too busy for me to be able to get an answer from a real person on short notice. I sure hope so, though. UCLA Acting Chancellor Norman Abrams says, "We take our responsibility to safeguard personal information very seriously. My primary concern is to make sure this d'es not happen again and to provide to the people whose data is stored in the database important information on how to minimize the risk of potential identity theft and fraud."

Few things are as valuable to the United States as college campuses and what takes place on them and around them. The time has come for college and university campuses to be prepared to handle physical, human, and reputational crises in an integrated fashion. UCLA's pain may end up goading other institutions to be better prepared, whether by the example of being better prepared at UCLA, or not.

If Chancellor Abrams' statement is part of a campus wide crisis communications plan that is itself integrated into a campus wide crisis plan, with a knowledgeable UCLA crisis management team in charge, then we might not be still reading about the UCLA “debacle” in six months. I hope there is such an integrated crisis management system at UCLA. From what I can see from the outside, there very well may be. If not, unless UCLA gets lucky, things could turn down the path that they did last year at Ohio University. Let's hope not.

P.S. My “day job” employer, the Society for College and University Planning (SCUP), is right this moment working with professors Michael Diamond and Ian Mitroff of the University of Southern California, conducting a survey of chief academic officers regarding how prepared their campuses are for major crises. If you can persuade a provost or two to follow the links we've already sent them to our survey, and to complete it (10 minutes) it would be much appreciated. Thanks in advance.

Featured