Communicating effectively to address a data breach | The Triangle

Communicating effectively to address a data breach

When the Office of the Provost sent an email the morning of Feb. 17 to the 5,379 students whose information was inadvertently disclosed in an email from the Steinbright Career Development Center to 479 students, news of the incident spread like wildfire. Students were understandably appalled that the University failed to safeguard their personal information and also annoyed that their student ID numbers would be changed. As inconvenient as that may be, we’re fortunate that more sensitive information was not disclosed. We can only hope that the corrective action Drexel is taking in response to the incident will be effective. From what we’ve seen so far, it’s been handled very professionally, so we should show the same professional respect to the University in response.

First of all, we’d like to remind students not to let their anger or confusion get the best of them. Make sure you have the facts before you start throwing around blame. The person responsible for sending the email is just that — a person — we all make mistakes. Yes, this one admittedly affects a lot of us, but we’ve all sent emails with the wrong attachment, with no attachment, accidentally hit reply-all instead of reply, the list goes on. The responsible party presumably feels awful, understanding the gravity of his or her mistake. And he or she is probably under a lot of pressure from the higher-ups in the University. By all means, be concerned and ask questions about what happened and about what’s being done to fix it. But don’t ignorantly call for someone you don’t know to be fired just because she or he made a mistake we’ve all made before.

At The Triangle, we acknowledge that mistakes happen. We make them ourselves. We’re also worried that a spreadsheet containing thousands of student records was sent to hundreds of other students. Sure, the information contained on this particular spreadsheet is relatively harmless, but what if it wasn’t? What if the spreadsheet contained Social Security numbers and birthdays? What about addresses and phone numbers? The details of this incident make it kind of innocuous, but the implications it carries about the care — or lack thereof — taken when dealing with student information are undeniable. It’s also a difficult issue because just as human error can’t be ignored, it also can’t really be improved. A representative from the SCDC said that the office would be increasing training to stop similar incidents from happening in the future, but you can’t make humans perfect. It seems perhaps that the solution is not that simple.

Another worrying aspect of this situation is that students who received the original email received a notification soon after notifying them that the first email had been recalled. This recall notice was sent Feb. 11. Students whose information was included in the Excel sheet in question were not notified of the incident until Feb. 17. Sure, there was a weekend between those two dates, but it’s also hard to believe that it could’ve taken the administration six days to write up an email announcing the disclosure to students. Why the delay?

As we all continue to learn more about what happened and how it’s being addressed, the best thing we can do is keep communicating openly about the whole situation. Students, faculty and staff should all listen to each other actively and offer feedback to each other that will help to foster a community with high information security and high confidence in that security. Many student leaders and student employees also have access to significant amounts of student information similar to what was disclosed last week, so we have just as much of a responsibility as the professional staff to make sure we’re handling that information with the utmost care.