Flash drive failure at the University of Toledo
10/9/2018If not for a coincidence, Barb Carter would not even know that the her former employer, the University of Toledo, lost her Social Security number and other personal data on a flash drive that was discovered missing in January.
As it is, she does not know much more than that because the university will not answer her questions, says Ms. Carter, a former assistant professor in chemistry who now lives in North Carolina
In May, the university alerted an unknown number of students, faculty, staff, and external research collaborators that their Social Security numbers, names, addresses, and other personal data were on a flash drive lost by a faculty member. Since then, Ms. Carter says she has been frustrated in her efforts to find out anything about the university’s investigation into the matter.
For their part, university officials cite the ongoing nature of the investigation as the reason they cannot release more information about the missing flash drive.
That is not very comforting, particularly to anyone who now is vulnerable to identity theft or other problems caused by their Social Security numbers being compromised.
UT authorities will not answer her questions, Ms. Carter says. And Ms. Carter has some good questions, including why was her personal information on a flash drive at the university 17 years after she left there?
It seems possible — maybe even likely — that some of the people whose information went missing still do not even know.
Ms. Carter’s husband, who also is a former UT employer, got a letter warning him that his data also was lost on the flash drive, which is how she became aware of the problem. A university letter to her was mistakenly sent to a previous address. How many other former employees might be in the same boat?
Any institution — employer, business, school — trusted with troves of personal data has a serious responsibility to protect that data. And when they fail to protect it, the very least they can do is be transparent and apologetic with the people whose data they’ve lost.
Nothing about the way the University of Toledo has handled this case would give people the impression that they will handle the lost data situation responsibly.
At the very least, officials ought to share as much as they can with victims like Ms. Carter. It must be possible to answer her questions and offer some assurances to victims without compromising their investigation into how the flash drive went missing in the first place.
The university owes it to employees, students, and others, to do more to protect personal data. And since UT did not live up to that responsibility, it definitely owes these people better answers.