University guarding Social Security data
April 20, 2009
As if keeping students safe on campus isn’t enough of a task, Pitt administrators have been working overtime to keep students, alumni, faculty and staff protected in cyberspace.
But data collection is still imprecise at Pitt. Social Security numbers linger in the depths of the University’s central computing network to comply with federal law, and universities face a constant risk of data breaches.
The Computing Services and System Development office, headed by Jinx Walton, works year-round to promote data security on University computers.
CSSD and Pitt administrators have pushed to educate students and faculty on University-wide policies this year. They’ve placed notes on the Pitt portal Web page and redesigned the CSSD Web site to be more user-friendly.
They also offer an arsenal of technological gear to combat data theft.
One tool is called InfoTracker, which scans a hard drive for numbers that look like they could be Social Security or credit card numbers and allows users to wipe them away.
CompuTrace for faculty and LoJack for students are downloadable programs that allow users to delete data from a remote location in the case of a theft.
The Love Your Computer events sponsored by CSSD — the last one occurred in February — serve as the main vehicle the department uses to educate students.
‘Students are not the most security-conscious individuals, so it is not an easy effort with them, and you just have to sort of keep after it,’ said Robert Pack, a vice provost and Pitt’s privacy officer.
Pitt’s brief history with data
Sam Conte, the University registrar, has seen Pitt’s systems evolve from using Social Security numbers to keeping them fairly hidden during the 40 years he’s worked here.
He said he used to stand outside the add-drop room on the ground floor of Thackeray Hall and dig through garbage cans during registration days. He looked for discarded registration forms on which students had written their Social Security numbers. And he had his paper shredder humming to dispose of the papers properly.
The registrar’s office, which processes all registrations in offices in Thackeray Hall, switched from using Social Security numbers to the PeopleSoft system in 2005.
With PeopleSoft, all students, faculty and staff are assigned University pin numbers that become their official ID numbers at Pitt.
The University, like many across the country, used to use Social Security numbers to identify students on class rosters and for submitting grades. Because payroll and financial aid forms still require them, the registrar’s office still collects all students’ Social Security numbers upon their matriculation, though the numbers are so locked down that even Conte, a senior administrator, can only view the last four digits.
The reason the office collects these numbers, Pack explained, is to take advantage of this one unique number that everyone has.
‘If we have 10 students named John Smith, we need a way deep in that file to distinguish students one from the other,’ he said. ‘A Social Security number is the ultimate number that doesn’t duplicate.’
Mistakes happen
The job of keeping more than 20,000 University affiliates’ data safe isn’t easy, particularly in overcoming the sloppy habits of people over whom CSSD’s Jinx Walton has little control. Security measures and policies ultimately amount to the equivalent of a hill of old floppy disks when people don’t use them correctly.
Last August, there was a slip. A staff member at Pitt’s Katz School of Business left a laptop containing hundreds of late-’90s alumni Social Security numbers vulnerable. And someone stole the laptop.
The staff members who collected and stored the data had violated University security policy, said JP Matychak, career development director for the undergraduate business school. Typically, the business college doesn’t collect and keep student records, said Camille Burgess, a student records manager there.
There was nothing the University’s team of privacy experts could do.
The Katz school notified its affected alumni about a month after the incident occurred and established a hotline for them in case of identity theft. According to Pack, the University has heard of no such cases.
This slip amounts to only one of the thousands of security breaches that happen each year in organizations in and out of academia.
There were 365 security incidents where private information was exposed at colleges and universities nationwide last year, according to the Educational Security Incidents’ year in review publication. These types of incidents included information like Social Security numbers, usernames and passwords, and financial, medical and educational information.
That’s 124 percent more incidents in 2008 than the two previous years. Of those incidents, about 33 percent, or 120 incidents, involved the exposure of Social Security numbers, with Pitt’s incident included.
Rodney Petersen, the security task force coordinator for EduCause, a nonprofit group that works with information technology in higher education, said ‘those numbers pale in comparison’ to the total number of information security issues in government organizations and in corporations.
‘If you want to talk about comparison, universities lead the way’ in keeping data secure, he said. ‘But we still need to do a far better job.’
He said that large research universities similar to Pitt are leading the curve toward safe data protection because they have the resources and staff that can put progress in motion.
Out of the more than 4,000 public and private universities in the United States, Petersen estimates that Pitt is in the top third of schools that have moved away from using Social Security numbers as identifiers.
This movement has happened during the past five years at universities nationwide.
But changing a university’s data policy is ‘not something you can turn on or off overnight,’ Petersen added, citing a seven-year switch away from Social Security number identification that the University of Michigan recently tackled.
In a world of technology where things change as fast as Pittsburgh weather, schools have a hard time keeping up.
Paul Stephens, the director of policy and advocacy at the Privacy Rights Clearinghouse, another nonprofit group that advocates for information security, doesn’t think universities have done a good job.
‘Colleges and universities seem to be behind the curve,’ said Stephens.
Pack says Pitt is doing all it can.
‘A place like the University is under constant attack by tens of thousands of directions all trying to do malicious things. And so, do you ever feel secure? No,’ he said.
‘You have to work very hard to make sure you’re one step ahead of the bad guys because there are a lot of bad guys out there, and they’re very smart, and they mean you harm.’