Too many companies issue the following junk when they lose customer data. "Although not legally required to do this, as a courtesy to you we are notifying you that we have lost your data."
And, in those infamous words of Maxwell Smart, the company's press release will continue with... "Sorry about that and we pray you don't become a victim of Identity Theft as a result of this unfortunate event."
The press release usually ends with something like the following... "We are re-examining our business practices to help ensure we don't lose your data again; however, we offer zero guarantees that we won't lose your data again."
The following was sent as a "Letter to the Editor" of the Arizona Republic. "Loan firm's security breach concerns college district" by Laura Houston on 22 July 2006.

---

First, clarification is required. "Maricopa Community Colleges is taking a second look at a contract with a national loan company to provide student tuition services after the company lost information on 188,000 customers." "The district's governing board is slated to approve a contract with NelNet at its Tuesday meeting without discussion." Is the word "is" used in paragraph two supposed to be the word "was?"

Next, the Republic's story said the Maricopa County Community Colleges District (MCCCD) "were wanting to see how much responsibility NelNet bore in the loss of the data." From an MCCCD perspective, NelNet must "bare" all the responsibility for the data loss. Just like if the lost data included information about MCCCD students, the MCCCD would have to "bare" 100% of the responsibility for that data loss.

I can't imagine why the MCCCD would consider exposing their students (i.e. customers) to a company that loses customer data and then says they are notifying customers of this data loss as a "courtesy" and not because they were "technically required" to do so. When a company loses customer data, it is their ethical duty to notify customers of the data loss.

The Republic reported that NelNet "stressed that the magnetic tape on which data is stored is secure because it requires sophisticated equipment to be read and used." This is called "security by obscurity" and "security by obscurity" does NOT work. MCCCD should know that the equipment needed to read these tapes is not "sophisticated." I hope MCCCD finds out if the data on these tapes was encrypted; if it wasn't, then I don't know why MCCCD would expose their students to such shoddy business practices.
The associate vice chancellor of Information Technology was quoted as saying the way NelNet was transporting sensitive data was "relatively historic and archaic." The IT guy should not have used the word "relatively" because NelNet computing practices are 100 percent "historic and archaic." I can't imagine why MCCCD would consider exposing their students to the inept business practices of a company like NelNet.
One thing I didn't put in my "Letter to the Editor" is that the MCCCD probably likes NelNet because it makes it easier for MCCCD's historic and archaic system to interface with NelNet's "historic and archaic" system.
I did a quick review of the NelNet.com website and encountered the following when attempting to "apply for a private loan."

"Browser Error: We're sorry. The section of the Web site you are attempting to access requires Internet Explorer version 5.5 or newer. You can get the latest version of Internet Explorer by visiting: http://www.microsoft.com/windows/ie/default.mspx"

A student of a publicly funded institution should not be required to be a Microsoft customer.
Creator: Gerald D. Thurman
Created: 22 July 2006