The recent theft of another faculty member's laptop computer prompted campus officials last week to reiterate the importance of a growing issue on campus — the safekeeping of student information that is stored electronically, and sometimes needlessly, across campus.

On Jan. 14, Academic Senate Chair Bruce Madewell and Vice Provost for Information and Educational Technology John Bruno sent a letter to Senate and Academic Federation members on the subject of preventing identity theft.

During the past six months, two faculty members have reported computer thefts, Madewell and Bruno said in their Jan. 14 letter. The computers contained more than 3,300 student names and Social Security numbers from classes conducted from mid-1990 to the present, they said.

"In each incident, the university sent written communications to the student notifying them of the security lapse — an embarrassing and costly endeavor. No amount of campus regret expressed in these communications can really satisfy the recipient of such a letter," Madewell and Bruno wrote.

Campus information technology security coordinator Robert Ono said there is no evidence that campus breaches have resulted in personal information being misused.

Regardless, Madewell and Bruno asked that faculty remove the names of students and their respective Social Security numbers from personal computers. They recommended transferring the information on removable media — for instance a Zip disk or CD-ROM — and storing that media in a secure place.

"If you cannot remove the information, the first six digits of the Social Security numbers should be obfuscated or the entire files encrypted," they wrote.

The letter also has helped alert faculty members about the need to report missing computers, certainly to the UC Davis Police, but also to Ono. After Madewell and Bruno sent their letter, Ono heard from at least one other faculty member who called to let him know her computer had been stolen, too.

The letter offers good advice for all employees on campus, not just faculty members, Ono said. "For anyone who thinks it can't or won't happen to them, this is valuable information."

"Across the country, not just in higher ed, identity theft has become a huge problem," Ono said.

One of the latest, and perhaps lesser-known, additions to state law says that consumer credit card numbers cannot be printed in their entirety on sales receipts, he noted. That law went into effect this month, but others, with broader implications for the campus, took effect last summer.

These earlier state and federal laws regulate information that include a person's name in tandem with other identifying numbers, for instance a driver's license number, Social Security number or financial account number.

Madewell and Bruno's letter to faculty echoed directives sent to employees in August, just after the more stringent state and federal laws to prevent identity theft were enacted in July. In their respective advisories, Bruno and Provost Virginia Hinshaw addressed a range of issues regarding the prevention of unauthorized access to personal information.

"While major campus computing systems that store this type of information are routinely administered and closely monitored, administrative practices vary among computers used by students, staff and faculty members," Hinshaw wrote in her Aug. 26 directive.

"At a minimum, personal information should be removed from all computers on which it is not required," Hinshaw wrote. If personal information could not be removed from a system, she asked departments to develop a plan specifically outlining how the information and systems will be kept secure.

One of the more visible efforts to protect personal information at UC Davis took place a few years ago. Since fall of 2000, Ono said, all new students have been issued ID identification numbers differing from their social security numbers. Social Security numbers also are no longer used as employee identification numbers.

However, the change for students was not retroactive, Ono noted. So students who arrived on campus prior to 2000, may still have ID numbers that match their Social Security numbers in faculty members' rosters. "So they are still at risk," he said. While students can request to have their ID numbers changed, not all have done so, he said.

Student ID numbers, like Social Security numbers, have nine digits, Ono said. But unlike Social Security numbers, campus ID numbers begin with nines.

Still, to comply with newly-signed state Senate Bill 25, professors have been asked not to publicly post grades, Ono said, because some students' Social Security numbers might be involved.

Though Madewell's and Bruno's Jan. 14 letter specifically referenced the theft of physical property, the threat of specialized viruses and hacking add to the issue of identity security at UC Davis.

"As computer attacks continue to grow in number and increase in complexity, this task becomes particularly critical and challenging," said Bruno in his Aug. 7 directive. "We need to reemphasize the important role each of us plays in maintaining the security and privacy of personal information."

Research conducted by the Federal Trade Commission for the period spring 2002 to spring 2003 estimates that 3.2 million people discovered that identity thieves had opened new accounts in their names during that time. An additional 6.6 million consumers learned of the misuse of an existing account. Overall, nearly 10 million people, or 4.6 percent of the adult population, discovered they were victims of some form of identity theft in 2002-03, the FTC's Dec. 15, 2003, report said. The research indicated nearly a doubling of incidents from one year to the next.

Bruno noted new state law requires organizations, including institutions of higher learning, to notify state residents when a computer security breach has permitted the release of personal information to unauthorized recipients.

The university could be subject to civil court action if it fails on this front, Ono said. "But we don't notify individuals just to avoid going to court, he said. "It's simply the right thing to do."

Ono said a new campus workgroup recently formed and started meeting weekly last Friday to study the possibility of an encryption system that could be used to protect information campuswide — from research to administrative files to student records.

The challenge, Ono said, is to find a system that would work for the wide variety of operating systems and applications used on campus and that would also have a failsafe decryption key, so information could never be lost. "We're just at the beginning of this process of looking at whether this is feasible," Ono said.

The eight-member workgroup represents administrative, student and academic units. "The representation is very broad, because we know this is a very important issue not only to IET, but also to the campus as a whole," Ono said.

He said the group hopes to issue a report with its recommendation in late spring.

IET also has created an extensive identity-theft protection Web site at http://security.ucdavis.edu/id_theft.cfm. Among other features, the site defines the issue at UC Davis, cites federal and state laws, and offers tips on how to best protect information.