Documents with confidential data left unsecured
It arrived at the Vanguard office sometime Monday afternoon, in a brown manila envelope simply marked “Vanguard News Dept.”
Inside the envelope was a 25-page document, dated May 21, 1987; a list of the entire Portland State University faculty, in alphabetical order, listing names, Social Security numbers and salaries. There was also a personnel folder with the employment history of a former accounting assistant. In all, the documents contained confidential information for over 1,000 current and former PSU employees.
How exactly the envelope wound up in the Vanguard office, however, is a mystery.
The only clue: an anonymous note included in the package.
“The following items were found cleaning out a room in the Extended Studies building,” the note read. “As you can see, some confidential information was obviously left unsecured.”
Several administrators could not explain why such documents would be in the Extended Studies building, or, in the case of the faculty list, why it would still exist at all.
If the documents fell into the wrong hands, the information would be enough for an identity thief to open lines of credit, bank accounts or commit other types of identity fraud, according to Sheila Gordon, director of the Victim Assistance Center of the Identity Theft Resource Center, a nonprofit organization in San Diego, Calif.
The faculty members on the list are “definitely at risk at this point,” Gordon said. “All of these people’s identities have been compromised.”
Because the documents are so old and were returned, the university does not plan to attempt to notify the people on the faculty list, according to Lindsay Desrochers, vice president for finance and administration at PSU. The situation is not considered to be serious, Desrochers said, because it is unlikely that the documents would have been discovered by anyone with malicious intentions.
Except for the Social Security numbers, most of the information in the documents is public record anyway, Desrochers said, and the university has not received any identity-theft-related complaints from anyone on the list. Desrochers did say that she would research whether the university has any legal obligation to notify the people on the list of the incident, and the university would do so if required.
Gordon, however, said that the university should make an effort to notify people on the list.
“At a minimum, they should notify those people that their identities have been compromised,” Gordon said. “If someone was on that list they would want to know.”
Faculty on the list should place fraud alerts with the three major credit-reporting agencies – Equifax, Experian and Trans Union – and monitor their credit reports, Gordon said.
Darrell Millner, a professor in the black studies department whose name was on the list, said in a phone message Tuesday that he was “disturbed” to hear that the documents were left unsecured.
“I’m outraged to learn that,” Millner said.
There is no reason why any current administrator would need to review the type of records found in the envelope, Desrochers said.
“There’s just no explanation for it,” she said. “It sounds to me like someone found an old box that someone left out.”
The Extended Studies building contains offices for Finance and Administration, extended studies, summer session and a few other small programs. Apart from regular janitorial service, a few offices have been cleaned out in the past few weeks to make room for new or promoted employees. None of the personnel who previously occupied the offices seem likely to have handled the types of documents in the envelope, however. One office was used by a smattering of student workers, two others by representatives of Eastern Oregon University.
No one knows if the documents came from any of the recently cleared offices. But if they did, it raises the question, where have they been for the past several weeks?
The university keeps hard copies of personnel files ��- the files that include salary information, performance reviews and identity information on employees – in the Human Resources office, located in the University Services Building, but the files are kept in locked filing cabinets, according to Cathy LaTourette, vice president for human resources at Portland State. The cabinets are unlocked in the morning and locked again at night.
Even if an administrator wanted to view the files, they would have to do so in the Human Resources office under the supervision of a staff member.
“As long as I’ve been here, the files never leave,” LaTourette said. “Why [the files] were in Extended Studies in a mystery.”
Also, older documents are either sent to an off-site archiving facility or, if the university is not required to keep them, destroyed.
Salary information is now stored in computer databases, which use PSU ID numbers rather than Social Security numbers to better protect identifying information. The university is much more concerned these days with protecting computer systems from hackers than the security of paper documents, which would be an unlikely target for would-be thieves, Desrochers said.
Breaches of document security are rare at PSU, according to Desrochers, who said she could not recall any other incident of confidential employment documents being misplaced.
In 2001, The Rearguard, PSU’s left-leaning alternative newspaper, acquired a box of confidential student disciplinary files from 1978-1989 that were found in a kitchen on the third floor of Smith Memorial Student Union. After the records were returned, the university arranged for more secure storage of old student records at an off-site warehouse.
| Vanguard Editor in Chief Matt Petrie returned the documents to Rod Diman, special assistant to President Daniel Bernstine, on Tuesday.Diman delivered the documents to the Human Resources office, but allowed Petrie continued access to the documents for the purpose of reporting this story.After this story’s publication, the source documents will be filed securely and the faculty list destroyed. |
