Aggression Detectors: What They Are, Who Uses Them, And Why

Like most people, you probably have not heard of "aggression detectors." What are these devices? Who makes them? Who uses these devices and why? What consumers are affected?

To answer these questions, ProPublica explained who makes the devices and why:

"In response to mass shootings, some schools and hospitals are installing microphones equipped with algorithms. The devices purport to identify stress and anger before violence erupts... By deploying surveillance technology in public spaces like hallways and cafeterias, device makers and school officials hope to anticipate and prevent everything from mass shootings to underage smoking... Besides Sound Intelligence, South Korea-based Hanwha Techwin, formerly part of Samsung, makes a similar “scream detection” product that’s been installed in American schools. U.K.-based Audio Analytic used to sell its aggression- and gunshot-detection software to customers in Europe and the United States... Sound Intelligence CEO Derek van der Vorst said security cameras made by Sweden-based Axis Communications account for 90% of the detector’s worldwide sales, with privately held Louroe making up the other 10%... Mounted inconspicuously on the ceiling, Louroe’s smoke-detector-sized microphones measure aggression on a scale from zero to one. Users choose threshold settings. Any time they’re exceeded for long enough, the detector alerts the facility’s security apparatus, either through an existing surveillance system or a text message pinpointing the microphone that picked up the sound..."

The microphone-equipped sensors have been installed in a variety of industries. The Sound Intelligence website listed prisons, schools, public transportation, banks, healthcare institutes, retail stores, public spaces, and more. Louroe Electronics' site included a similar list plus law enforcement.

The ProPublica article also discussed several key issues. First, sensor accuracy and its own tests:

"... ProPublica’s analysis, as well as the experiences of some U.S. schools and hospitals that have used Sound Intelligence’s aggression detector, suggest that it can be less than reliable. At the heart of the device is what the company calls a machine learning algorithm. Our research found that it tends to equate aggression with rough, strained noises in a relatively high pitch, like [a student's] coughing. A 1994 YouTube clip of abrasive-sounding comedian Gilbert Gottfried ("Is it hot in here or am I crazy?") set off the detector, which analyzes sound but doesn’t take words or meaning into account... Sound Intelligence and Louroe said they prefer whenever possible to fine-tune sensors at each new customer’s location over a period of days or weeks..."

Second, accuracy concerns:

"[Sound Intelligence CEO] Van der Vorst acknowledged that the detector is imperfect and confirmed our finding that it registers rougher tones as aggressive. He said he “guarantees 100%” that the system will at times misconstrue innocent behavior. But he’s more concerned about failing to catch indicators of violence, and he said the system gives schools and other facilities a much-needed early warning system..."

This is interesting and troubling. Sound Intelligence's position seems to suggest that it is okay for sensors to misidentify innocent persons as aggressive in order to avoid failures to identify truly aggressive persons seeking to do harm. That sounds like the old saying: the ends justify the means. Not good. The harms against innocent persons matter, especially when they are young students.

Yesterday's blog post described a far better corporate approach. Based upon current inaccuracies and biases with the technology, a police body camera maker assembled an ethics board to help guide its decisions regarding the technology; and then followed that board's recommendations not to implement facial recognition in its devices. When the inaccuracies and biases are resolved, then it would implement facial recognition.

What ethics boards have Sound Intelligence, Louroe, and other aggression detector makers utilized?

Third, the use of aggression detectors raises the issue of notice. Are there physical postings on-site at schools, hospitals, healthcare facilities, and other locations? Notice seems appropriate, especially since almost all entities provide notice (e.g., terms of service, privacy policy) for visitors to their websites.

Fourth, privacy concerns:

"Although a Louroe spokesman said the detector doesn’t intrude on student privacy because it only captures sound patterns deemed aggressive, its microphones allow administrators to record, replay and store those snippets of conversation indefinitely..."

I encourage parents of school-age children to read the entire ProPublica article. Concerned parents may demand explanations by school officials about the surveillance activities and devices used within their children's schools. Teachers may also be concerned. Patients at healthcare facilities may also be concerned.

Concerned persons may seek answers to several issues:

  • The vendor selection process, which aggression detector devices were selected, and why
  • Evidence supporting the accuracy of aggression detectors used
  • The school's/hospital's policy, if it has one, covering surveillance devices; plus any posted notices
  • The treatment and rights of wrongly identified persons (e.g., students, patients, visitors, staff) by aggression detector devices
  • Approaches by the vendor and school to improve device accuracy for both types of errors: a) wrongly identified persons, and b) failures to identify truly aggressive or threatening persons
  • How long the school and/or vendor archive recorded conversations
  • What persons have access to the archived recordings
  • The data security methods used by the school and by the vendor to prevent unauthorized access and abuse of archived recordings
  • All entities, by name, which the school and/or vendor share archived recordings with

What are your opinions of aggression detectors? Of device inaccuracy? Of the privacy concerns?

In The News: Net Neutrality And I've Been Mugged Blog

On Sunday, December 17, 2017, WERS Radio (88.9 FM), a college radio station in Boston, broadcast an interview about net neutrality. The persons interviewed included myself and Nina Vyedin, of Indivisible Somerville.

You can listen to the interview on SoundCloud. The interviewer, Jonathon House, and I met during the December 7th demonstration in Boston to save net neutrality protections for consumers.

The Top Complaints About Financial Services. One Complaint Type Grew 325 Percent

After encountering unresolved issues with financial services, many consumers file complaints with the Consumer Financial Protection Bureau (CFPB). After each complaint, the CFPB works hard to get each consumer a reply within 15 days. This process allows the CFPB to track which issues affect most consumers, and to identify emerging problems.

According to its April Monthly Complaint Report, debt collection issues generated the most complaints on average, and complaints about student loans grew the fastest:

"As of April 1, 2017, the CFPB has handled approximately 1,163,200 complaints, including approximately 28,000 complaints in March 2017... Student loan complaints showed the greatest percentage increase from January - March 2016 (773 complaints) to January - March 2017 (3,284 complaints), representing about a 325 percent increase. Part of this year-to-year increase can be attributed to the CFPB updating its student loan complaint form to accept complaints about Federal student loan servicing in late February 2016. The CFPB also initiated an enforcement action against a student loan servicer during this time period."

CFPB Monthly Complaint Report. April, 2017. Table 1.

The top five categories of complaints during March, 2017:

  1. Debt collection: 8,711
  2. Credit reporting: 5,498
  3. Mortgages: 3,965
  4. Credit cards: 2,522
  5. Bank account or service: 2,476

Also during March: debt collection complaints represented about 31 percent of complaints; debt collection, credit reporting and mortgage were the top three most-complained-about consumer financial products and services. Together, these three categories represented 65 percent of complaints during March.

The top five categories of complaints since the CFPB began:

  1. Debt collection: 316,810
  2. Mortgages: 272,153
  3. Credit reporting: 195,826
  4. Credit cards: 118,732
  5. Bank account or service: 115,055

The CFPB began accepting complaints for different products and services at different times:

There were regional differences in complaint volume:

"Montana (54 percent), Georgia (46 percent), and Wyoming (45 percent) experienced the greatest complaint volume percentage increase from January - March 2016 to January - March 2017. New Mexico (-20 percent), Iowa (-5 percent), and Kansas (-0.7 percent) experienced the greatest complaint volume percentage decrease... Of the five most populated states, Texas (35 percent) experienced the greatest complaint volume percentage increase and Florida (8 percent) experienced the least complaint volume percentage increase from January - March 2016 to January - March 2017."

The report also tracks complaints by company:

CFPB Monthly Complaint Report. April, 2017. Figure 1.

The CFPB reported additional details about student loan complaints:

"Approximately 32,700 (or 74 percent) of all student loan complaints handled by the CFPB from July 21, 2011 through March 31, 2017 were sent by the CFPB to companies for review and response. The remaining complaints have been found to be incomplete (7 percent), referred to other regulatory agencies (19 percent), or are pending with the CFPB or the consumer (0.5 percent and 0.4 percent, respectively)... The most common issues identified by consumers are problems dealing with their lenders or servicers (64 percent) and being unable to repay their loans (33 percent)."

"Federal student loan borrowers reported that when contacting their loan servicers regarding financial distress, servicers provided them with information on hardship forbearance or deferment, instead of potentially more beneficial repayment options like income-driven repayment plans... loan borrowers complained of difficulty enrolling in income-driven repayment plans. Borrowers reported lost documentation, extended application processing times, and unclear guidance when seeking to switch from one income-driven repayment plan to another."

"Federal student loan borrowers described their experiences when trying to obtain guidance in completing annual income recertification for their income-driven repayment plan. Borrowers reported receiving insufficient information from their servicers to meet recertification deadlines and lengthy processing times. Some federal student loan borrowers stated their payments were misapplied. Borrowers reported overpayments were not applied to specified accounts but rather applied to all accounts managed by the servicer. Additionally, some borrowers’ overpayments—intended to reduce principal balance—were credited to the account as an early payment, resulting in their account reflecting a paid ahead status..."

To read more, download the full "April 2017: CFPB Monthly Complaint Report: Vol. 22" (Adobe PDF).

You Gave President Elect Donald Trump a Whale Of A Holiday Gift

Just before the long holiday weekend, the Attorney General (AG) for New York State announced a settlement agreement with President Elect Donald J. Trump regarding his now defunct, educational business Trump University. Reportedly, the $25 million settlement agreement resolves two class-action lawsuits and an action by the New York State AG.

About 7,000 students paid up to $35,000 in tuition and allegedly received little to no education. Terms of the settlement require Mr. Trump to pay $21 million to settle the two class-action lawsuits and $4 million to New York State. The New York Times reported:

"Trump University, which operated from 2004 to 2010, included free introductory seminars across the country, focusing largely on real estate investing and learning Mr. Trump’s secrets... Documents made public through the litigation revealed that some former Trump University managers had given testimony about its unscrupulous and exploitative business practices. One sales executive testified that the operation was “a facade, a total lie.” Another manager called it a “fraudulent scheme.” Other records showed how Mr. Trump had overstated the depth of his involvement in the programs. Despite claims that Mr. Trump had handpicked instructors, he acknowledged in testimony that he had not... the conclusion of the Trump University cases brings vindication to former students, mostly ordinary people across the country who felt they had been robbed of their savings by Mr. Trump..."

The settlement terms did not require Mr. Trump to admit any wrongdoing:

"At a hearing on the case in San Diego on Friday, [Trump's attorney] Daniel Petrocelli said Mr. Trump had settled the case “without an acknowledgment of fault or liability.” "

Why settle now? The Los Angeles Times reported:

"The law firm Zeldes, Haeggquist & Eck, which helped represent the plaintiffs, said in a statement Friday that it was “incredibly painful” to end the legal battle now. “We stand behind their claims 100%,” the firm said, “but there is always risk in taking a case to trial and that was particularly so here, when the defendant was poised to be the next president of the United States.” The lawsuits dogged Trump on the campaign trail, and he denied the allegations many times and said he would not settle the cases."

Some might conclude that not having to admit wrongdoing is a whale of a gift. Reportedly, attorneys for the students waived their fees so the students would receive more compensation. Students would receive 55 to 100 percent of the money they spent. Some might also say that settling 3 lawsuits for pennies on the dollar is also a whale of a holiday gift. Sadly, there is more.

Much more. Forbes Magazine explained:

"Of course, the real cost to Mr. Trump is after tax, not before it. And most business settlements are fully tax deductible. The only part that arguably may not be here is the $1 million in penalties. But barring express non-deductibility commitments, many penalties can be deducted, too. In general, fines and penalties paid to the government are not deductible. Section 162(f) of the tax code prohibits deducting "any fine or similar penalty paid to a government for the violation of any law."

Despite punitive sounding names, though, some fines and penalties are considered remedial and deductible. That allows some flexibility. Companies often deduct ‘compensatory penalties,’ a maneuver affirmed in a recent Circuit Court ruling. Some defendants insist that their settlement agreement confirms that the payments are not penalties and are remedial. Conversely, some government entities insist on the reverse.  Explicit provisions about taxes in settlement agreements are becoming more common."

You may remember the fines and payments paid by JPMorgan bank in a 2013 settlement agreement. Forbes explained that only $2 billion of the $13 billion was not tax-deductible. So, taxpayers nationwide have given Mr. Trump a whale of a holiday gift similar to gifts given repeatedly to big banks: tax-deductible payments in settlement agreements that allow them to pay less taxes. You'd think that the tax-deductible benefit would come with a price: having to admit wrongdoing.

Is this fair? Is it right? A 2014 survey by the U.S. Public Interest Research Group Education Fund found that most Americans disapprove of tax-deductible payments in settlement agreements, and want more transparency and disclosures about the contents of settlement agreements.

It is infuriating to this taxpayer. Hopefully it infuriates you, too. It seems that often payments and fines to resolve and penalize a defendant for wrongdoing are anything but. What are your opinions?

University of Rochester Medical Center Settles With New York State Attorney General For Data Breach

Earlier this month, the New York State Attorney General announced a settlement agreement with the University of Rochester Medical Center (URMC) about a data breach earlier this year. URMC will pay a $15,000 fine and is required to train its staff on proper data security procedures for protected health information.

The settlement agreement was dated November 20, 2015. The April 2015 events surrounding the data breach:

"... a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients.  On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN. URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients... GRN has attested that all health information transmitted by URMC has been returned or deleted."

State attorneys general were empowered by law in 2009 to enforce Health Insurance Portability and Accountability Act (HIPAA) violations. Hospitals are required by law to provide patients with a Notice of Privacy Practices document, which patients and their families should read. Read the URMC NPP (Adobe PDF).

This is not the first data breach at URMC. There were three prior data breaches with the latest in 2013. HIPAA requires health care organizations to report data breaches affecting 500 or more persons. The URMC settlement agreement (Adobe PDF) contains more stringent reporting requirements for URMC to the New York State Office of Attorney General (OAG):

"For a period of three (3) years, commencing from the execution of this Agreement, if URMC determines that a member of the workforce has breached unsecured protected health information, consistent with the HIPAA Breach Notification Rule, URMC is to notify the OAG of the breach within sixty (60) days of the breach if the number of individuals affected by the breach is fifteen (15) or more (for breaches of fourteen (14) or fewer URMC to notify the OAG annually), in addition to the existing notification responsibilities."

A survey earlier this year found that 45 percent of patients were “very” or “moderately concerned” about the security of their medical records, including access by unauthorized persons which would lead to identity theft and fraud. A breach earlier this year at electronic records vendor Medical Informatics Engineering highlighted the fact that data breaches at health care organizations expose patients to both medical and financial fraud.

While the fine in this case is tiny compared to the multi-billion fines paid recently by several big banks, it is still important because people expect health care organizations to properly secure and protect sensitive patient information. Experts have warned that resolving medical identity fraud can be costly, time-consuming, and require plenty of effort and expertise since the victim's medical records have often been corrupted with the thief's medical and health information.

If URMC experiences more data breaches, steeper fines and a longer period of more stringent breach reporting would seem applicable, given URMC's breach history. What are your opinions of the settlement agreement?

[Editor's note: In the interest of full disclosure, I have no relationship with URMC except that I am a graduate and alum of the University of Rochester.]

Corinthian Colleges Students Loan Repayment Strike. Is This A Revolt?

In a news article titled, "A Revolt Is Growing As More People Refuse to Pay Back Student Loans," the Washington Post reported about a loan repayment strike by students of Corinthian Colleges:

"Remember those 15 people who refused to repay their federal student loans? Their “debt strike” has picked up 85 more disgruntled borrowers..."

What led up to the strike by students:

"... they would not pay a dime of their student loans because the school broke the law. Corinthian, which runs Everest Institute, Wyotech and Heald College, has become the poster child for the worst practices in the for-profit education sector... Clouded by allegations of deceptive marketing and lying to the government about its graduation rates, Corinthian lost its access to federal funds last year, forcing the company to sell or close its schools."

The California Attorney General's office filed a lawsuit in 2013 against the school, and then stepped up its deceptive marketing allegations in July, 2014.

The students organized into a group called Debt Collective. They already approached the U.S. Department of Education (DOE). The Washington Post reported that some of the striking students met today with the Consumer Financial Protection Bureau (CFPB) seeking cancellation of their student loans:

"Although the CFPB doesn’t have the power to grant that request, the agency’s overture shows that the strike is being taken seriously."

The strike should be taken seriously. Students are future human capital for businesses. They are future leaders and workers. There seem to be four distinct issues, all of which are important and must be addressed:

  1. Deceptive advertising by for-profit schools,
  2. Holding schools and their executives accountable when they violate deceptive marketing laws without penalizing students who had no role in the violations,
  3. The increasing delinquency rate on repayments of student loans (which threatens the economy), and
  4. How appropriate it is to treat student loan debt differently than other types of consumer debt.

Last month, Forbes reported about student loan debt:

"... the New York Federal Reserve released its Quarterly Report on Household Debt and Credit for the fourth quarter of 2014... While most forms of household debt saw improvements in borrowers making on-time payments, a big exception was student loan debt. Student loan debt saw delinquencies (debt that has not had a payment made in 90+ days) rise to 11.3% of outstanding debt. The report also shows that student loan debt has the highest amount of delinquent debt compared to all other forms of household debt (mortgages, auto loans, and credit cards)."

Why the student loan delinquency rate is increasing:

"While most other forms of household debt can be discharged in bankruptcy, student loan debt cannot – which means that past delinquencies compound onto new delinquencies, and until borrowers as a whole start bringing their loans current, the delinquency rate will continue to rise. What many student loan borrowers forget is that student loan debt is basically a secured debt – it’s secured on the borrowers future earnings... recent graduates who have struggled to make even their first payment on their student loan debt, or who simply don’t know how to go about making their student repayment plan affordable given their current situation."

False and deceptive advertising by for-profit schools is also a problem. It robs students of the educational benefits they are paying for, and expect to use both to land future jobs and pay off their loans. When deceptive marketing happens, taxpayer money (federal and state) is wasted for students and for veterans' education. According to the Center For Investigative Reporting:

"... $600 million dollars in GI bill money had gone to hundreds of for-profit schools in California with low graduation rates and high rates of student loan default."

And, that's just the State of California. The students' frustration is understandable. They rightly feel deceived by the school, and didn't get the education they paid for.

It will be interesting to watch what happens. What are your opinions of the strike? Is it a revolt?

Study: Researchers Find Online Price Discrimination Exists. Some Discrimination Methods May Surprise You

We all use the Internet to find things: products, services, travel deals, air fare, hotel tickets, and more. Are you getting the best price? Several sites, like Trivago, claim to help provide the best prices. How are consumers to tell? Do the search terms you use affect the prices you find?

Researchers at Northeastern University in Boston announced the results of a study about personalization by websites and the prices displayed to consumers. The study included two types of e-commerce sites:

  1. General retail sites: Best Buy, Home Depot, Sears, Walmart, etc.
  2. Travel sites to find air, cars, and hotels: CheapTickets, Expedia, Hotels.com, Orbitz, Priceline, Travelocity

E-commerce sites currently collect a wide variety of data about online users, including your Internet history (cookie files saved to your web browser, pages and products viewed, products purchased, products rated), search terms, device (brand, operating system, screen size, etc.), IP address, geo-location data, and more. Sites and marketers usually justify the data collection as necessary to display relevant content and advertisements. Readers of this blog are familiar with historical privacy abuses where marketers and advertisers used a variety of technologies to track consumers online: browser cookies, supercookies, Flash cookies, zombie e-tags, zombie cookies, and zombie databases.

The Northeastern University researchers analyzed the prices displayed and the factors that affected those displays. They found:

"... that several e-commerce sites implement price discrimination and steering. Closer examination reveals that a small fraction of users receive personalized results across many sites, indicating that these users are being specifically targeted."

The researchers compared results between users with and without Internet histories by using the same search terms. The researchers found that users with an Internet history could see higher prices online, and presented the example below with two images showing a higher price for a user with an Internet history compared to a user without:

Price comparison between users with and without Internet history. From the Northeastern Online Personalization Study

In this example, the price difference for a hotel in Paris is $68 per night, a substantial difference. Also, the researchers found that e-commerce sites implement different types of personalization:

Cheaptickets and Orbitz implement price discrimination by offering reduced prices on hotels to "members." Expedia and Orbitz engage in A/B testing that steers a subset of users towards more expensive hotel rooms. Home Depot and Travelocity both personalize search results for users on Android and iOS devices. Priceline personalizes search results based on a user's history of clicks and purchases on the site.

About "price steering" and A/B testing:

"Hotels.com and Expedia are also owned by a single company, and our analysis reveals that they both implement the same personalization strategy: randomized A/B tests on users. A/B testing is a common practice among large websites, and is used to test specific features of a site (for example: do people click a blue button more often than a red button?). In this case, Hotels.com and Expedia appear to be randomly dividing users among three "buckets" based on their [browser] cookie. The graph below shows that users in different buckets see different hotel rooms in a different order... users in two of the buckets are shown higher priced hotels towards the top of the page, which is an example of price steering."

About personalization by device type:

"For Travelocity, we discovered that they alter hotel search results for users who browse from [Apple] iOS devices. The graphs below show that users browsing with Safari on iOS receive slightly different hotels, and in a much different order, than users browsing from Chrome on Android, Safari on OS X, or other desktop browsers. The takeaway from the graphs below is that we observe evidence consistent with price discrimination in favor of iOS users on Travelocity. Unlike Cheaptickets and Orbitz, which clearly mark sale price “Members Only” deals, there is no visual cue on Travelocity’s results that indicates prices have been changed for iOS users."

There is more:

"Similar to our findings on Travelocity, Home Depot personalizes results for users with mobile browsers... Strangely, Home Depot serves 24 search results per page to desktop browsers and Android, but serves 48 products per page to iOS users. We discovered the pool of results served to mobile browsers contains more expensive products overall... Thus, Home Depot is effectively steering users on mobile devices towards more expensive products. In addition to steering, Home Depot also discriminates against Android users. We discovered that Android users consistently see differences on about 6% of prices..."

Overall, the researchers concluded:

"... we find evidence for price steering and price discrimination on four general retailers and six travel sites. Overall, travel sites show price inconsistencies in a higher percentage of cases... users experience personalization across multiple sites... we are able to isolate specific user attributes that trigger personalization on seven e-commerce sites. This includes logging-in to an account on Cheaptickets and Orbitz, using a mobile device with Travelocity and Home Depot, purchase history on Priceline, and A/B testing on Expedia and Hotels.com."

Read the full study titled, "Measuring Price Discrimination and Steering on E-Commerce Web Sites."

What can consumers do about this? The researchers didn't provide firm recommendations because e-commerce sites can change their personalization methods at any time. One suggestion is for consumers to become members at sites that show lower prices for members. However, there is no guarantee that this preference will remain so.

Another suggestion is for consumers to try using different devices, including a desktop without any saved browser cookies. You might find lower prices with a specific device. This seems a huge pain, as it defeats the whole purpose of convenience with mobile devices.

I can understand lower prices displayed to members. That encourages repeat business. It's a standard marketing technique.

As a usability professional, I understand and have performed A/B testing with websites; specifically, a portion of a site where users were invited to a separate test session, paid for their time, and asked several questions. A test plan was written to clearly state the test objectives and testing program. The testing had a defined beginning and end; and was separate from the live site. Then, the live site was adjusted based upon the test findings. This approach avoids ethical issues.

When sites perform A/B testing continuously with the live site, and without notice to users, then ethical issues arise. It becomes impossible to tell if the "test" prices are indeed new prices applied arbitrarily to users. That helps nobody and erodes consumers' trust. These ethical issues were highlighted recently with the OKCupid dating site. Marketers often claim that "everyone is doing it," but that does not make it right.

Did you expect sites to display higher prices to users with certain device types? I didn't, and I bet you didn't either. Now you know that can and does happen. Is it right? Should there be warnings on sites that do this? What do you think of the study? Share your opinions below.

California AG Steps Up Actions To Stop Alleged False Advertising By For-Profit College

Just before the July 4th holiday weekend, the State of California Office of the Attorney General filed a motion in its lawsuit against Corinthian Colleges, Inc. (CCI):

"... asking San Francisco Superior Court for permission to move on an expedited basis to file a supplemental complaint enhancing the original complaint Harris filed against CCI in October 2013, which accused the company of false and predatory advertising, intentional misrepresentations to students, securities fraud, and unlawful use of military seals in advertisements. Wednesday’s motion also indicates Attorney General Harris’ intention to subsequently move for a temporary restraining order and/or preliminary injunction against CCI to force the company to immediately cease its misleading advertisements and inform prospective students about its dire finances."

The California AG office had filed a lawsuit against CCI in October 2013. In a document filed with the U.S. Securities and Exchange Commission on June 19th, CCI informed investors of its serious financial troubles and plans to close or sell its campuses. During the last week of June, CCI signed an agreement with the U.S. Department of Education to close or sell its campuses.

On Monday of this week, the Denver Post reported that the company will sell 85 campuses:

"... including three Everest College campuses in Colorado and WyoTech in Laramie... Corinthian spokesman Kent Jenkins Jr. said WyoTech and Everest College campuses in Colorado Springs, Aurora and Thornton continue to enroll new students and hold classes for those seeking associate's degrees or diploma certifications. A fourth Everest Campus, in North Aurora, was put up for sale in September and stopped enrolling students in February. Corinthian enrolls 72,000 students nationwide, who receive $1.4 billion of federal financial aid annually..."

False and deceptive advertising by for-profit schools is a problem. Consumers don't get the benefits they paid for and taxpayer money (federal and state) is wasted for veterans' education. According to the Center For Investigative Reporting:

"... $600 million dollars in GI bill money had gone to hundreds of for-profit schools in California with low graduation rates and high rates of student loan default."

California AG Kamala D. Harris said in a statement:

"It is unacceptable yet not surprising that Corinthian Colleges continues to illegally target vulnerable Californians—including low income individuals, single mothers and veterans returning from combat—by lying about its dire finances and failing to tell prospective students that the schools to which they apply will all be sold or closed... My office is seeking expedited action to force Corinthian Colleges to put the interests of its students above its rapidly shrinking profits.”

It is a stark and sad reminder that for-profit entities, by design, will put their interests in profit-making ahead of all other interests.

[Editor's Note: Corinthian spokesperson Kent Jenkins, Jr. and I are not related.]

Google Revises Its Terms To Reflect Scanning Of Inbound And Outbound Email Contents

On Monday, Google revised its Terms of Service to better reflect the fact that it scans the contents of all e-mail messages sent and received via Google Mail (Gmail). Ars Technica reported:

"The change comes as Google undergoes a lawsuit over its e-mail scanning, with the plaintiffs complaining that Google violated their privacy. E-mail users brought the lawsuit against Google in 2013, alleging that the company was violating wiretapping laws by scanning the content of e-mails. The plaintiffs' complaints vary, but some of the cases include people who sent their e-mails to Gmail users from non-Gmail accounts and nonetheless had their content scanned."

So, Gmail users should read the revised terms of service. Consumers who don't use Gmail should be aware that their e-mail messages are scanned when they send messages to or receive messages from friends, family, colleagues, and classmates who use Gmail. Is it right for people who don't use Gmail to have their e-mail messages scanned? Many people believe it isn't right, and that's one reason for the lawsuit.

It's important to note that you can't always tell when somebody you know uses Gmail. The Gmail.com domain in e-mail addresses is an indicator, but it isn't 100 percent accurate. Why? Gmail provides custom e-mail services to many schools and colleges. I experienced this first hand when I took a class last fall at a local community college. During registration, the college required me to sign up for its e-mail service, a custom e-mail service provided by Gmail. My college e-mail address had the standard .EDU extension.

This is not new since Google and Microsoft have provided custom e-mail services for years, which saves money for cash-strapped schools. What's new is that you, or the students in your family, probably don't realize all of the instances when you communicate with somebody who uses Gmail.

The community college where I took my classes went a step further and provided this in its Computer Use Policy:

"7. Users of the College's Computer Network for electronic mail purposes should have no expectation of privacy. The College reserves the right to access or interrupt e-mail communications or transmissions for routine system maintenance, technical problems, criminal investigations, or in response to, and in compliance with, a request made under the Commonwealth's Public Records Laws."

Throughout most of my class, I used my personal e-mail address instead of my school e-mail address. Students and staff using custom e-mail services should closely read the terms and privacy policies provided by their education institution and e-mail vendor.

The tradeoff should be clear: give up all of your privacy and in return receive free e-mail services and relevant targeted ads based upon the contents of your e-mail messages. Is that a fair trade? What's your opinion of custom e-mail services? Of the lawsuit against Gmail?

Giving Voice to Values Announces Venture With Business Expert Press

The Giving Voice To Values initiative (GVV) announced recently a joint venture with Business Expert Press (BEP) to produce a series of books on Business Ethics and Corporate Social Responsibility. According to the announcement (Adobe PDF), the goal of the book collection is to provide:

"... practical, solutions-oriented, skill-building approach to the salient questions of values-driven leadership... [and] emphasize research-based practical examples and guidance on how to positively enact values-driven leadership positions, rather than to focus solely or primarily upon ethical debate."

GVV includes both research and a curriculum taught in higher-education schools worldwide. GVV is:

"... designed to transform the foundational assumptions upon which the teaching of business ethics is based, and importantly, to equip future business leaders to not only know what is right — but how to make it happen."

The joint venture seeks concise business education books of about 150 pages that target undergraduate, MBA, and executive education students:

"Books may be focused upon a functional area (e.g., Accounting Ethics); an industry (e.g., Ethics in the Financial Sector); a regional area (e.g., Practical Ethics in India); or some combination of the above. Although it is fully expected that some manuscripts may well include a focus upon the theory and analysis of ethical questions, or the history and benchmarks of Corporate Social Responsibility as it has evolved..."

I look forward to hearing more about the GVV/BEP joint venture and the books it publishes. Improved ethics by executives are sorely needed. One doesn't have to look far to find examples of unethical executive behavior, fines, and wrongdoing: JPMorgan Bank, Johnson & Johnson, Moneygram, CVS, government contractors, companies with data breaches, employers that commit wage theft, companies that produce leaky mobile apps, and companies that publish fake online reviews. A 2013 study found that junior banking executives consider wrongdoing an accepted way to advance in their careers.

BEP is a leading resource in business education. The company publishes collections of concise, academically sound, and applied books for undergraduate, MBA and executive business education. Books are available in both print and e-book formats.

Interested authors can discuss book ideas with Mary C. Gentile, Director of Giving Voice To Values initiative, Senior Research Scholar at Babson College, and Editor of the GVV/BEP book collection.

Study: Princeton Researchers Predict Facebook Will Lose Millions of Users Within Three Years

In an attempt to predict the changing popularity of existing social networking websites, researchers from the Department of Mechanical and Aerospace Engineering at Princeton University predicted that Facebook will undergo a massive decline during the next few years. The researchers, John Cannarella and Joshua Spechler, analyzed the popularity of specific "online social networks" (OSNs) by using mathematical models of the spread of infectious diseases:

"The application of disease-like dynamics to OSN adoption follows intuitively, since users typically join OSNs because their friends have already joined. The precedent for applying epidemiological models to non-disease applications has previously been set by research focused on modeling the spread of less-tangible applications such as ideas..."

With about 1.19 billion users worldwide, Facebook definitely qualifies as a large social networking website. Anyone active on the Internet knows that social networking websites (Who remembers Friendster?) come and go:

"Despite the recent success of Facebook and Twitter, the last decade also provides numerous examples of OSNs that have risen and fallen in popularity, most notably MySpace. MySpace, founded in 2003, reached its peak in 2008 with 75.9 million unique monthly visits in the US before subsequently decaying to obscurity by 2011."

Accurate predictions of changes in the popularity of specific social networking websites can help investors with financial decisions. The researchers used Google search data for specific social networking websites:

"The epidemiological models presented in this study are used to analyze publicly available Google search query data for different OSNs, which can be obtained from Google’s "Google Trends” service. Google search query data has been used in a range of studies, including the monitoring of disease outbreak, economic forecasting, and the prediction of financial trading behavior..."

The researchers adapted and validated their mathematical model using the adoption and decline data from the Myspace OSN. The researchers concluded:

"Extrapolating the best fit model into the future suggests that Facebook will undergo a rapid decline in the coming years, losing 80% of its peak user base between 2015 and 2017."

The Los Angeles Times reported:

"... Myspace is not the best social network with which to compare Facebook. At its peak, Myspace had 75.9 million monthly active users. Facebook, meanwhile, said it had 1.19 billion active members in September. Facebook has reached levels Myspace never hit... Although search queries -- not active users -- for Facebook did decline in 2013, the company has only seen its monthly active user base grow since it launched in 2004. Seeing a drop as big as the one the researchers predict would be more than surprising -- it'd be the first time Facebook sees a decline in users."

The Motley Fool reported that teens are leaving Facebook in substantial numbers, but it may not matter:

"... Facebook's teen base had fallen 25% in the past three years. Facebook CFO David Ebersman confirmed that the issue is real during a recent earnings call... the iStrategy Labs study draws from Facebook's Social Advertising platform... Facebook has 4,292,080 fewer high-school aged users and 6,948,848 college-aged users than it did in 2011... it definitely shows that Facebook is not as hot with teens as it once was... According to the same iStrategy Labs Study, the number of users 55+ has exploded with 80.4% growth in the past three years. These older users may not be as desirable as teenagers, but they are more stable and less likely to leave..."

While the researchers analyzed search data, there are more metrics that describe social networking website popularity. Some metrics that come to mind include:

  • Active users
  • Average time and $ on site per user by demographics (e.g., age, country, income, etc.)
  • Average time and $ spent on site by platform (e.g., smart phone, tablets, etc.) by user
  • Average profile completion percentage per user (e.g., work history, residential history,  education history, basic information, relationship and family information, etc.)
  • Average number of connection types (e.g., groups, fan pages, pages Liked, events, etc.) per user
  • Average data usage per user (e.g., megabytes of photos, videos uploaded)
  • Gaming $ spent per user
  • Advertising $ spent per user

Then, you would want to see which of those metrics most accurately precede subscription terminations.

The OSN study has not been peer reviewed. Download the Princeton study: "Epidemiological Modeling of Online Social Network Dynamics" report (Adobe PDF). It is also available here (Adobe PDF, 436.3K bytes).

California Attorney General Files Suit Against For-Profit College

The Attorney General's office for the State of California announced last week that it had filed a lawsuit against Corinthian Colleges, Inc. (CCI). The complaint alleged that the company performed:

"... false and predatory advertising, intentional misrepresentations to students, securities fraud and unlawful use of military seals in advertisements... CCI intentionally targeted low-income, vulnerable Californians through deceptive and false advertisements and aggressive marketing campaigns that misrepresented job placement rates and school programs. CCI deployed these advertisements through persistent internet, telemarketing and television ad campaigns... Corinthian executives knowingly misrepresented job placement rates..."

The complaint also named as defendants Everest, Heald and WyoTech colleges. The announcement said that the complaint cited internal company documents obtained by the Department of Justice, which described the consumers targeted by CCI's marketing activities:

"... as “isolated,” “impatient,” individuals with “low self-esteem,” who have “few people in their lives who care about them” and who are “stuck” and “unable to see and plan well for future.” "

CCI describes itself in its website as:

"... one of the largest for-profit, post-secondary education companies in North America, with more than 81,300 students at over 111 U.S. and Canadian campuses. Our campuses offer short-term diploma and/or degree programs in a variety of popular career fields..."

The complaint alleged that CCI advertised placement rates for its graduates of 100 percent when in reality the rate was about zero. California Attorney General Harris said:

"The predatory scheme devised by executives at Corinthian Colleges, Inc. is unconscionable. Designed to rake in profits and mislead investors, they targeted some of our state’s most particularly vulnerable people—including low income, single mothers and veterans returning from combat... My office will continue our investigation into the for-profit college industry and will hold accountable those responsible for these illegal, exploitative practices.”

Current or former CCI students should contact the California Attorney General's Office to file a complaint.

It is good to see an attorney general pursue this type of alleged corporate behavior. I hope that stiff fines and punishments result with specific executives named, and not a weak settlement agreement where the company does not admit any wrongdoing. In my opinion, the company should pay the entire debts of the graduates to whom it promised 100 percent job placement rates and who haven't found work.

Health Information Data Breach At OHSU Affects More Than 3,000 Patients

Healthcare IT News reported that Oregon Health & Sciences University has experienced another data breach exposing patients' sensitive medical information. In this latest data breach:

"... protected health information has been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data. The Google cloud Internet-based service provider is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information..."

3,044 patients admitted to the hospital between January 1, 2011 and July 3, 2013 were affected by this breach. Breach notification letters were sent to affected patients on July 26, 2013. OHSU stated in its breach notice:

"In May 2013, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using Internet-based services to maintain a spreadsheet of patients... OHSU Information Privacy and Security experts undertook an extensive investigation to determine what information was stored on the Internet-based service... This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services... The data stored with the Internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for hospital stay, or diagnosis, nor the patient’s prognosis, or projected outcome, was among the stored data."

Concerned patients can call OHSU via a toll-free phone number (877 819-9774) from Monday through Friday from 6:00 am to 6:00 pm.

Reportedly, this is the fourth data breach at OHSU. According to the HIPAA Privacy Rule, Protected Health Information (PHI) is:

"... individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person..."

PHI includes past or present medical conditions and illnesses, treatments for the person, and payment methods by the person for the healthcare treatments. The companies and organizations that must comply with the HIPAA Privacy Rule:

"... apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form... Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans... Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards... "

The term "business associate" is important because the Privacy Rule applies specifically to vendors or subcontractors used by health plans:

"When a covered entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement... In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule..."

This breach highlights the need for adequate training of employees about cloud services, the data security risks, and what information can and cannot be stored in cloud services. This is also why I am very, very careful and reluctant to share any medical or health information in cloud-based services or in mobile-device apps. Many developers of cloud-based services and mobile-device apps are not HIPAA PHI compliant.

What You Post Online Could Be Used To Determine Your Mental State

Elizabeth Martin, a researcher in the Psychological Science department at the University of Missouri, recently completed a study of social networking usage. Martin concluded:

"Therapists could possibly use social media activity to create a more complete clinical picture of a patient... The beauty of social media activity as a tool in psychological diagnosis is that it removes some of the problems associated with patients’ self-reporting. For example, questionnaires often depend on a person’s memory, which may or may not be accurate. By asking patients to share their Facebook activity, we were able to see how they expressed themselves naturally. Even the parts of their Facebook activities that they chose to conceal exposed information about their psychological state.”

Martin had study participants -- about 200 college students -- print out their Facebook activity, and then:

"... correlated aspects of that activity with the degree to which those individuals exhibited schizotypy, a range of symptoms including social withdrawal to odd beliefs. Some study participants showed signs of the schizotypy condition known as social anhedonia, or the inability to experience pleasure from usually enjoyable activities, such as communicating and interacting with others. In the study, people with social anhedonia tended to have fewer friends on Facebook, communicated with friends less frequently and shared fewer photos."

According to Mashable:

"The idea for the study came through a conversation between Martin and the second author, Drew Bailey, who doesn't have a Facebook profile. A discussion arose about profile content and its correlation to psychology."

If therapists and psychologists believe that they can tell a person's mental state from their posts on social networking websites, then it is appropriate to assume that other professionals (e.g., insurance, human resource professionals) will also want access to social networking profiles. In other words, some social networking websites may view this as a potential new revenue stream. Credit reporting agencies already want access to consumers' social networking profiles to enhance credit decisions. And in some instances, courts have ruled that your social networking activity can be accessible during a lawsuit.


Massive Data Breach At Northwest Florida State College Affects About 300,000 Persons

Last week, officials at Northwest Florida State College (NWFSC) announced a data breach that affected more than 275,000 persons. The affected persons include about 76,500 current and former students, 200,000 Bright Futures scholars, and 3,200 employees.

The breach occurred between May 21 and September 24, 2012, and included the unauthorized access of one of the school's computer servers. The sensitive personal data exposed/stolen includes full names, addresses, birth dates, and Social Security numbers. The Bright Futures persons affected include students during the 2005-06 and 2006-07 academic years. The data exposed/stolen about Bright Futures students includes full names, birth dates, Social Security numbers, ethnicity and gender. NWFSC announced that no student academic files were compromised.

The data exposed/stolen about employees included full names, Social Security numbers, birth dates, banking direct-deposit account numbers, addresses, phone numbers, and college email addresses. A breach investigation is ongoing; NWFSC has hired an unnamed technology consultant and is working with local law enforcement. According to a press release:

"The college is coordinating its efforts with the Division of Florida Colleges in the Department of Education to formally notify all students impacted by the data breach."

Northwest Florida State College has contracted with an external consultant to ensure the college’s data remains safe and secure. Further, the Okaloosa County Sheriff’s Office cybercrimes unit continues to investigate the matter with assistance from the Florida Department of Law Enforcement.

NWFSC advises affected persons:

"... individuals who notice improper use of their Social Security number and believe they may be the victim of identity theft should contact the Federal Trade Commission at www.ftc.gov/idtheft or at 1-877-ID-THEFT (438-4338). Affected persons may also call the local sheriff’s office and file a police report of identity theft, keeping a copy of the police report."

In an Oct. 8, 2012 memo to employees (Adobe PDF), NWFSC said:

"... one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees..."

The memo to employees outlined three specific identity theft and fraud actions by the thieves:

"The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card..."

Given this active identity fraud, both students and employees should take the threat seriously, and take immediate actions to check their credit reports at the three major credit-reporting agencies; and place a Fraud Alert or Security Freeze if appropriate. Plus, NWFSC should offer breach victims free credit monitoring and resolution services for at least two years.

PlaceRaider: Part Of The New Class Of 'Visual Malware'

You may remember news stories during past years where thieves used the Google Earth service to find buildings with valuables on the outside -- roofs made with precious metals, so they could return at night to steal the metal and resell the stolen goods for a profit. Now, imagine a scenario where thieves take over the camera in your smart phone (or tablet) to find valuable items inside homes, to return later when you are away or at work to steal the items they remotely recorded on video.

This sounds like science fiction, eh? Or maybe a fictional episode of NCIS?

Well, it's not science fiction. It's science fact, and the software is available today.

A reader alerted me to an article in Technology Review about PlaceRaider, an Android app created to secretly record victims' personal spaces via their mobile devices. With the secretly recorded video, the user can create a three-dimensional virtual model of the recorded space:

"... Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information... the malware would be embedded in a camera app that the [victim] would download and run..."

The military applications of this are obvious. It's a stealth method to gather intelligence by recording the battlefield (or urban landscape) before the battle by using malware installed in the enemy's mobile devices. An accurate 3-D virtual model, complete with tools and papers lying about, would enable military officials to plan a more effective and efficient attack -- and know ahead of time what documents to look for and to capture.

An app like this in the hands of identity criminals would be equally devastating. It could secretly record a victim's home office, small business office, doctor's medical records storage area, or similar sensitive interior space. Did you leave credit- or debit cards lying about on your desk or bedroom dresser? PlaceRaider could record the account numbers lying exposed. Did you leave your online banking screen open on your desktop computer monitor? PlaceRaider could record that, too.

Meanwhile, what's a consumer to do? All of the usual steps:

  • Be careful about the apps you download. Look for trustworthy apps with privacy policies that they comply with
  • Install and maintain anti-virus apps on your mobile device(s)
  • Password protect your mobile device(s)
  • Be careful about which WiFi hotspots you use your mobile device at, just as you would with any other computing device
  • Use a mobile VPN connection when appropriate
  • Use strong passwords, and change them every 90 or 120 days
  • Don't use the same password for all of your online accounts and devices
  • Place masking tape over your mobile device's camera lens when not using it for long periods.

Maybe some time soon, mobile device manufacturers will get smart and build lens covers into their mobile devices.

Ashesi University, Ethics, Africa, And I've Been Mugged Blog

I was very pleased to learn that Ashesi University, which in 2010 began teaching its students the "Giving Voice To Values" (GVV) ethics curriculum developed by Mary Gentile, also uses the I've Been Mugged interview with Gentile. Ashesi University, located in Ghana, is a private, secular liberal arts institution that offers bachelor's degree programs in Computer Science, Management Information Systems and Business Administration. All students perform community service before graduation.

In July 2012, the university and the MasterCard Foundation jointly hosted the first-ever robotics competition in Ghana to encourage high school students to study computer science, engineering, and other technical fields. The Ashesi University Foundation, located in Seattle, Washington (USA) helps donors around the world support the school.

The school was founded in 2002 by Patrick Awuah, a graduate of Swarthmore College. Watch this June 2007 speech by Awuah at the TED (Technology, Entertainment, and Design) Global Conference held in Arusha, Tanzania. The New York Times reported in January 2011:

"Africa has reached an inflection point with the march of democracy across the continent,” said Mr. Awuah, speaking at the World Innovation Summit for Education in Doha in November... We can bring change in one generation. How we train our leaders will make all the difference. According to Mr. Awuah, the goal of Ashesi, whose name means “beginning” in Akan, the local language of Ghana, is to train a new ethically responsible educated elite to break the cycle of corruption on the continent."

To find all schools (including Ashesi University) that offer the GVV ethics curriculum, browse the list of GVV pilot sites (Adobe PDF) maintained by Babson College, and its curriculum information. Visit the GVV book website to learn more about the book, available to the public.

If you know of a school that uses the I've Been Mugged blog as part of an ethics or Internet-related curriculum, let me know or share it below.

Researchers At MIT Document Privacy Abuses By Smart Phone Apps

This week, the Boston Globe reported the findings of a study by a group of researchers at the Massachusetts Institute Of Technology. The research discovered that several Android apps track consumers' activities without notice and without consent. Researchers Frances Zhang and Fuming Shih investigated 36 apps that run on smart phones with the Android operating system:

"... some popular apps for phones running Google Inc.’s Android operating system are continually collecting information without informing the phone’s owner. The popular game Angry Birds uses the phone’s GPS and Wi-Fi wireless networking features to track the owner’s location, even when he’s not playing the game... Another game, Bowman, collects information from the phone’s Internet browser, including what websites the owner has been visiting..."

The researchers hope to patent their app-testing process so it can be used to test a wider range of mobile device apps. The researchers did not test Apple mobile devices.

While improved software will help consumers monitor apps for compliance with privacy policies, a survey earlier this year documented sporadic and inconsistent access to privacy policies for mobile device apps across all major brands.

Data Breach At University Of South Carolina Affects 34,000 People

The University of South Carolina experienced a data breach on an Internet-connected computer in its College of Education. The university is notifying 34,000 people, whose sensitive personal information has been exposed. The breach was discovered on June 6.

The University's breach announcement did not list the specific types of sensitive personal information exposed/stolen:

"Files on the server contained confidential, personally identifiable information of approximately 34,000 individuals."

McClatchy news service reported that the sensitive personal information exposed/stolen included the names, addresses and Social Security numbers of staff, researchers, and students at the College of Education since 2005.

The university advised breach victims to check their credit reports at the three major credit reporting agencies (Experian, Equifax, and TransUnion), and to place a fraud alert on their credit reports. The university did not name the credit monitoring/resolution service it has retained to assist breach victims, nor did it say whether it will provide that service free to breach victims.

Organizations usually provide a couple of years of free credit monitoring services after data breaches like this. This is the sixth breach at the University of South Carolina. Prior breaches:

  • March 2011: 31,000 records exposed/stolen on 8 campuses affecting faculty, staff, retirees, and students
  • June 2008: 7,000 records exposed/stolen during an office theft at the Moore School of Business
  • September 2007: 1,482 students' files, including Social Security numbers, test scores, and grades, were exposed on an Internet-connected computer
  • August 2006: 6,000 current and former students' sensitive information was exposed/stolen
  • April 2006: 1,400 students' sensitive information, including Social Security numbers, was attached to and distributed in an email message by a faculty member

Given this poor history, the university's chief security officer and IT staff need to step up faculty/staff training and data security procedures at the school.