Student Privacy and Identity Theft: A UT Activist's Perspective

July 2004

When Ben Brummett talks about identity theft, he speaks from experience. In December 2001, Brummett — then a student at the Austin campus of the University of Texas — got a phone call from the fraud office at Capital One Bank. His first thought was that he must have lost his credit card while shopping downtown. As it turned out, the card in question was a new one — one he knew nothing about.

A brush with catastrophe

Earlier that month, the bank representative told him, someone had applied for a credit card using his name and Social Security number. In retrospect, Brummett now realizes, he was lucky — and in more ways than one. "The return address was for a student housing complex down the street from UT," he explains. "Fortunately, they messed up on my mother's maiden name and my date of birth." Although the bank initially missed the discrepancy, they noticed it in time to ask him about it before the bogus card could be activated — and, unlike many institutions, actually bothered to do so. As a result, the card was cancelled, a police report was filed, and Ben Brummett was saved from what could have been a truly purgatorial ordeal.

The bank's phone call was a wake-up call for Brummett — one that launched the student of government and English on a parallel career as a privacy activist. He was appalled to find boxes of Scantron tests, complete with name, SSN, and date of birth, parked in the hallway outside a professor's door. He was particularly upset about the university's lax handling of Social Security numbers, which the university, like many institutions, used as a key identifier for individuals in computer databases throughout the UT system. Brummett took a leading role in the Student Bill of Rights Committee, a group promoting privacy rights for students at Austin. And, to the university's chagrin, he took his case to the news media.

UT in trouble

Unfortunately for the university, Brummett's own brush with identity theft was the least of UT's problems. When the Austin campus discovered that some university computers had been outfitted by identity thieves with software that secretly recorded users' keystrokes, 180 students had to change their university passwords. Then, in UT's worst data breach to date, a student hacked into a database and stole names and Social Security numbers for more than 55,000 current and former students, faculty, and staff — some of which dated back as much as 15 years. The incident prompted the university to double its security staff and retrain its employees in the proper handling of SSNs and other sensitive data.
For Brummett, the lessons to be derived from such incidents are clear. "Obviously, people have to be proactive in protecting their personal information. But businesses and institutions also have to take responsibility for protecting the data we entrust to them. In situations where the university absolutely has to use a Social Security number, it's up to them to make sure they use the most secure system possible. And it's the legislature's responsibility to make sure that there are consistent, effective guidelines in place."

The need for disclosure

Brummett endorses the premise behind laws like California's SB 1386, which requires businesses and institutions with computerized databases that include California residents' personal identifiers to notify those residents promptly of any possible breach. "If my credit was ruined or in jeopardy," says Brummett, "I wouldn't want to have to wait until I was proactive enough to pull a credit report to find out about it." Brummett offers his own brush with identity theft as an example. "When my identity was stolen, I was able to nip the problem in the bud simply because the bank called me to verify the bogus credit request. If they hadn't, my situation might have been much worse."

In Brummett's view, educating students, faculty, and staff about identity theft is also essential to reducing individual and institutional risk. One positive step would be to include identity theft education as part of new students' orientation. "When it comes to identity theft, most people are reactive, and students are no exception," says Brummett. "The only way they're really going to think about it is if the dangers are made clear to them up front. There should certainly be a proactive approach." The financial inexperience of many college freshmen makes that doubly important. "As a new student, you don't always see the danger of this sudden flood of credit card offers, or the pressure to get you into marketing databases. These risks could be brought to the student's attention from the get-go."

Students targeted twice

Brummett's concerns about the inherent risks created by students' financial inexperience are shared by some experts on the credit card industry. As Robert Manning, a professor at the Rochester Institute of Technology and author of Credit Card Nation, told Congress in June 2003: "What is striking in the acknowledgement of the credit card industry is that college students are a desirable market because of their ignorance of personal finance and their lack of consumer debt." In testimony before the House Financial Services Subcommittee on Consumer Credit, Manning cited a frightening statistic: "Three out of five students with credit cards in our survey had already maxed them out during their freshman year, and three out of five freshmen with multiple credit cards were already using bank cards to pay for other revolving credit accounts."

"Not incidentally," added Manning, "recent studies indicate that this indiscriminate marketing to college students has led to high incidences of fraud and identity theft among this young adult population."

Bringing faculty up to speed

While bringing students up to speed on identity theft is key, proper training of faculty and staff is just as important, Brummett insists. "I think any responsible administration — and I don't just mean colleges and universities, but also secondary schools — would agree that anyone with access to this kind of information needs to know two things: first, why it can be a problem, and, second, how serious the consequences can be. Any time you don't delineate clear guidelines for handling sensitive personal information and clear consequences for overstepping those guidelines, you're going to end up putting people at risk."
Busy faculty members are often unaware of the dangers of mishandling students' personal information, says Brummett. For others, it simply isn't a priority. "It's not uncommon for faculty members — almost without thinking about it — to sacrifice privacy for convenience. I don't see anyone doing this with malicious intent. But good intentions don't make the result any less painful."

Progress at UT

Today, despite his undimmed fervor for student privacy, Brummett has good words for UT. "I do applaud efforts by the University of Texas to come to grips with this very complex issue," Brummett readily acknowledges. "It's unfortunate that something bad has to happen to move people in a proactive direction. But the fact is that they have tried — and are still trying — to fix the problem and make students' information more secure."