
Are you better than Berkeley?

Written by Phil Windley, Contributor

If you graduated from Berkeley, some identity data about you is now likely in the wrong hands. According to a UC Berkeley press release, someone stole a laptop from the Graduate Division offices that contained information on people who applied to grad school from 2001 to 2004, registered as grad students from 1998 through 2003, received doctoral degrees from 1976 through 1999, and some others. In all, 98,369 people are affected.

This incident points out the problems that can arise from storing identity records on direct-attached disks. I doubt very much that the custodian of the data had ever considered the dangers or that the University of California has a policy on what data can be stored where. Do you have such a policy? Do you even know what data you have and where it is? Unlikely.

One way to get started is to conduct a privacy audit. In a privacy audit, you answer a series of questions about the data that your organization collects. For example, here are a few of the questions you might ask:

  • What kinds of data are you collecting?
  • How and where is it stored?
  • What software and hardware are used in its storage?
  • Who has access to it by authority and by ability?

This is just a start. After you've conducted the audit, you are obligated to act to correct deficiencies. This isn't a weekend project. In fact, it's an ongoing process. That may sound like too much work, but it's the price of collecting information about people and using it responsibly. My forthcoming book on Digital Identity from O'Reilly Media outlines the entire process that organizations can use to build what I call an identity management architecture.

One side note to this whole affair is that the thieves probably weren't after the identity data. Likely as not, they were stealing a laptop. The irony is that due to California's mandatory notification law, one of the staples of privacy advocates, the thieves have now been notified of what they really walked off with (an SSN is worth $1-2 on the open market). These laws need to be tempered with some common sense. In this case, it's likely that following the law is what put these people's identity data in danger.

Even more troublesome is the question of what to do if you're in one of the categories listed above. It's like getting a call from the police that says "We have information that your name showed up on a hit list. Good luck!" There's not much you can do except to be a little more diligent about checking your bank statements and credit reports.
