RCC creates taskforce in response to data breach incident

Photo by Luis Solis | Photo Editor

Photo Illustration by Luis Solis | Photo Editor

Josa Lamont | Features Editor

Sept. 18 2014

Michael Simmons is feeling cautiously optimistic in the aftermath of a Riverside Community College District data incident in May. After pursuing every expert recommended action, the head of the risk management department feels confident they’ve taken every precaution to keep students safe.
An immediate remediation process began after an email with student data including social security numbers and birthdates, accidentally went to an external address May 30. The first task was to notify students.

RCCD immediately hired expert Lynn Sessions to manage the leak. By her recommendation, a call center was set up to answer any questions from students. In addition, emails, letters and notifications were sent out and posted on WebAdvisor.

Also by recommendation of Sessions, the district did a forensic investigation to attempt to reach the email recipient to no avail.

Emails to the recipient have gone unanswered and Google refuses to give out the information of the email account holder.

“I don’t think we could have done anything else beyond this,” Simmons said.

The Data Access and Security Taskforce set up to handle the breach will be made into a permanent committee that will work with the Board of Trustees and the new chancellor, Michael Burke, to ensure the safety of all students.

DAST will be responsible for updating district policy, training procedures, software, internal technical controls and other safety concerns.

As a standing committee, DAST will review standing policies and procedures, and make changes to outdated bylaws.

The committee has already implemented protective measures for sensitive data, according to Rick Herman, the DAST Chairman and head of the Information Technology and Learning Services Department. In one measure, the six classified staff responsible for mass amounts of data have been trained in encrypting their communications.

To protect students from identity theft, DAST has set up an Experian credit monitoring system for the 35,212 affected.

The expiration to enroll in the credit monitoring was Sept. 16 and only about 3,800 students have enrolled, totaling almost 11 percent of those affected.

According to Simmons, students may not want to enroll in the free monitoring for any number of reasons, and that many students are likely not interested in credit monitoring. Only 8 percent of the consumer reviews  on http://www.customerservicescoreboard.com for Experian are positive, and Experian is ranked overall with a 3/5 star rating on other consumer review sites.

To this date, there are no reports by Experian or from any students of the leaked data being misused. If a student is not enrolled in the credit monitoring but is a victim of identity theft, they are still encouraged to contact the district so that forensic investigations can determine if it is an effect of the data incident.

The district will continue to treat what they are calling “a data incident” as a data breach until the threat status level is reduced at the end of one year. At that time the Experian credit monitoring service will expire and the threat level will go back to normal.

The cost of monitoring students with Experian services is $15.20 per student, which is paid by the district and will be covered by an insurance policy after a $100,000 retention (or deductible). The district will be reimbursed any money exceeding the retention by the insurance company when the total cost is calculated.

In another measure, that training is extending to the 35 people outside of that who handle smaller amounts of data, with a goal of enrolling everyone in the department in a training course to understand and use encryption for their communications and data transfers by the end of the fall semester. By the end of the term the ITLS department hopes to expand encryption from electronic data to include documents being scanned and filing cabinets. Data stored in the data warehouse is already encrypted, so RCCD students unaffected by the incident in May are safe from breaches of data.