[speak]

Thurman Speaks About MCCCD Should Say NO To NelNet

Too many company's issue the following junk when they lose customer data.

   "Although not legally required to do this, as a courtesy 
    to you we are notifying you that we have lost your data."

And, in those infamous words of Maxwell Smart, the company's press release will continue with...

   "Sorry about that and we pray you don't become a victim 
    of Identity Theft as a result of this unfortunate event."

The press release usually ends with something like the following...

   "We are re-examining our business practices to help ensure 
    we don't lose your data again; however, we offer zero 
    guarantees that we won't lose your data again."

The following was sent as a "Letter to the Editor" of the Arizona Republic.

   "Loan firm's security breach concerns college district"
   by Laura Houston on 22 July 2006.

   ---

   First, clarification is required.

   "Maricopa Community Colleges is taking a second
    look at a contract with a national loan company
    to provide student tuition services after the
    company lost information on 188,000 customers."

   "The district's governing board is slated to approve
    a contract with NelNet at its Tuesday meeting without
    discussion."

   Is the word "is" used in paragraph two suppose to be
   the word "was?"

   Next, the Republic's story said the Maricopa County Community 
   Colleges District (MCCCD) "were wanting to see how much responsibility 
   NelNet bore in the loss of the data."  From a MCCCD perspective, 
   NelNet must "bare" all the responsibility for the data loss.  
   Just like if the lost data included information about MCCCD
   students, the MCCCD would have to "bare" 100% of the responsibility
   for that data loss. 

   I can't imagine why the MCCCD would consider exposing their students 
   (i.e. customers) to a company that losses customer data and then 
   says they are notifying customers of this data loss as a 
   "courtesy" and not because they were "technically required" 
   to do so.  When a company loses customer data, it is their 
   ethical duty to notify customer's of the data loss.

   The Republic reported that NelNet "stressed that the
   magnetic tape on which data is stored is secure because 
   it requires sophisticated equipment to be read and used."  
   This is called "security by obscurity" and "security by 
   obscurity" does NOT work.  MCCCD should know that the equipment 
   needed to read these tapes is not "sophisticated"  

   I hope MCCCD finds out if the data on these tapes was encrypted, 
   if it wasn't, then I don't know why MCCCD would expose their 
   students to such shoddy business practices.

   The associate vice chancellor of Information Technology
   was quoted as saying the way NelNet was transporting sensitive
   data was "relatively historic and archaic."  The IT guy
   should not have used the "relatively" because NelNet 
   computing practices are 100 percent "historic and archaic."

   I can't imagine why MCCCD would consider exposing their students 
   to the inept business practices of a company like NelNet.

One thing I didn't put in my "Letter to the Editor" is that the MCCCD is probably likes NelNet because it makes it easier for MCCCD's historic and archaic system to interface with NelNet's "historic and archaic" system.

Update::2006.07.23

I did a quick review of the NelNet.com website and encountered the following when attempting to "apply for a private loan."

   Browser Error

   We're sorry. The section of the Web site you are attempting 
   to access requires Internet Explorer version 5.5 or newer. 
   You can get the latest version of Internet Explorer by visiting:

       http://www.microsoft.com/windows/ie/default.mspx

A student of a publically-funded institution should not be required to be a Microsoft customer.


Creator: Gerald D. Thurman [gthurman@gmail.com]
Created: 22 July 2006