Three weeks after Bowdoin acknowledged a "possible breach of data security" in which student Social Security numbers, health insurance information, and internal employee reviews were left accessible to anyone with a Bowdoin username, the College remains mum on what happened.
"The lawyers are advising us that until we know everything, the information we give out isn't necessarily the truth and so, what we're going to do is?and we promise we'll release everything?to finish the investigation, because it's not done yet," Chief Information Officer (CIO) Mitch Davis said.
"We're not trying to hide anything," he added.
Beth Givens, the director of the Privacy Rights Clearinghouse, a consumer advocacy organization based in San Diego, noted that three weeks was a long time to silently investigate a potentially serious data breach.
"I think enough time has passed for the investigation that the affected students and employees really deserve additional information about the breach," Givens said. "If [student] Social Security numbers were exposed, they will want to take steps to prevent identity theft, such as placing fraud alerts on their credit reports."
After the personal files of Caitlin Gutheil, the former student health program administrator who departed Bowdoin two months ago, were left unsecured on Bowdoin's "Microwave" network drive, the College retained a New York-based computer forensics firm, Stroz Friedberg LLC, to investigate. The firm did not return multiple calls from the Orient requesting more information on its investigation.
An interim report on the breach by Stroz Friedberg, which the College said was going to be ready on April 29, had yet to be released when the Orient went to press.
"I guess it takes a while to do this kind of work," Vice President for Communications and Public Affairs Scott Hood said.
"The investigation continues, with the College working with Stroz Friedberg to understand the scope and extent of the situation," Hood wrote in an e-mail.
"As I have mentioned before, based on preliminary reports, the College does not believe any data was compromised in a manner that is problematic," Hood wrote. "That said, if the ongoing investigation reveals anything different, the College will alert anyone affected as soon as possible in accordance with all applicable laws."
Givens praised the College for bringing in the firm.
"I think the fact that they have retained Stroz Friedberg LLC is a good move. It looks like they are taking this incident seriously by hiring a company that is an expert in computer forensics...to investigate the breach," Givens said.
She also expressed understanding for the College's desire to remain silent until it completed its investigation.
"I know it's frustrating to the affected individuals, but it is standard practice to minimize the amount of information about the breach until an investigation has been completed," Givens said. "You hate to give information to the affected individuals and the press until you know what really happened."
On the other hand, however, after a potentially serious breach, "three weeks seems like a lot [of time] to me, it really does," she said.
As the investigation continues, Davis is already looking toward the future.
The CIO foresees creating a new system for keeping confidential data private that will balance security with the transparency needed in an academic setting.
"We're in a year or two-year process to get the College to the point where it understands that securing this data is important. It's not just IT turning the key and turning everything off, it's IT creating an environment where everybody can still work well and have access to information," Davis said.
Any system "has to have a lot of balance to it," he said. "I don't want to create a technology solution that's so restrictive that no one uses it?there's no value to it then."