Personally Identifiable Information

Just this week Oklahoma State University announced a security breach (see here). Though these types of breaches seem to be few, the number of people adversely affected by them is quite large. Unfortunately, the laws concerning Personally Identifiable Information are obviously quite lax.

One question that I have not been able to answer is why the parking office needed Social Security numbers. Why had the office not switched over to student IDs?

The sad fact is that most students are trusting, especially of their universities. Whether the university will protect the information that students must provide for financial aid, and in this case the excessive information required to obtain a parking permit, rarely enters a student's mind. I know that I never cared until I entered my first graduate program.

The privacy laws are wholly inadequate and in desperate need of revision. Organizations that have such privacy breaches need to be dealt with harshly. The loss of information in these cases is not the fault of the person, but of the organization. However, the person is left to pick up the pieces of the organization's mistakes.

It would be interesting to know if and how Oklahoma State University has dealt with the persons responsible for data security. Were they reprimanded or released? Or is the university now just determined to 'fix' the problem?

