IP Addresses as private information?

For my semester project I have decided to focus on exploring if IP addresses are personal information (personally identifiable information) or fair game. Luckily I have chosen a topic which I have not fully made up my mind. So this paper will reflect my own curiosity in the matter and be, at least I hope, very balanced.

At the heart of my paper I am hoping to examing differing opinions on whether or not IP addresses are PI or not. To be followed by a comparitive analysis of US law relating to IP addresses and EU laws.

My searching is progressing, all be it slowly. For some reason now that I am actually looking for information on the topic, I cannot find very many quality works on the topic. How I wish I would have not deleted all those Google feeds.

Personally Identifiable Information

Just this week Oklahoma State University announced a security breach (see here). Though these types of breaches seem to be few, the number of people adversely affected by them is quite large. Unfortunately the laws concerning Personally Identifiable Information are obviously quite lax.

One question that I have not been able to answer is why did the parking office need social security numbers? Why had the office not switched over to student ID's?

The sad fact is that most students are trusting, especially of their universities. That the university will protect the information that students must provide for financial aid and in this case too much information needed to obtain a parking permit rarely enters a student's mind. I know that I never cared until I entered my first graduate program.

The privacy laws are wholly inadequate and in need of desperate revision. Organizations that have such privacy breaches need to be dealt with harshly. The loss of information in these cases is not the fault of the person, but the organization. However the person is left to pick up the pieces of the organization's mistakes.

It would be interesting to know if and how Oklahoma State University has dealt with the persons responsible for data security. Were they reprimanded or released? Or is the university now just determined to 'fix' the problem?