Identity theft is big business. The reason is simple: stealing personal information is profitable. Fraud losses from criminals using personal information stolen over the Web totaled $1.5 billion in 2005 alone.

“The numbers are staggering,” says Paul Howell, chief information technology security officer. “As members of the University community, we have to protect ourselves against various scams—such as phishing, viruses and worms—but perhaps even more importantly, we each need to assume responsibility for guarding personal information that is collected and stored by the University for business purposes.”

Howell says more needs to be done to raise awareness about specific risks and how to combat them. To that end, a campaign is planned to educate people how to adopt best practices when it comes to accessing, storing and disposing of electronic files and paper documents that contain sensitive information. Practical actions that individuals can incorporate easily into their daily routines will be outlined and distributed to the University community.

U-M’s decision to conduct business electronically has contributed considerably to the amount of data that is available through institutional resources. Web access has great advantages in terms of working efficiently, but it also increases the risk that personal information can be compromised inadvertently, misused intentionally or even stolen. No system will ever be 100 percent safe, but great strides toward increased security are possible with remarkably little effort, Howell says

He suggests that faculty and staff members take the following first steps toward guarding private personal information:

• Analyze the information you work with and determine what potentially could cause harm if in the wrong hands;

• Assume responsibility for the security of computer accounts, passwords and workstations;

• Ensure that only appropriate persons have access to data under your control.

Even simple actions such as logging off a computer before leaving and placing a shredder next to the printer can have a significant impact on improving security. More information about guarding technology and data, as well as important updates on computer safety, can be found on safecomputing.umich.edu.

Institutional Commitment

Most private enterprise is reliant on technology today, but there is a substantial difference in the University setting. Unlike the tightly guarded corporate world, U-M deliberately promotes an open environment with easy access to information for teaching, research and administrative purposes. People constantly identify new ways to use data, and doing so usually requires making systems and information easily accessible. While the benefits of these innovations and this approach to knowledge and data sharing are undisputed, with them also comes risk and responsibility.

Centralized systems, such as Wolverine Access and departmental files, may contain private personal information, which is defined as specific information—including a credit card or bank account number, a social security number, or a home address—that easily can be connected to an individual.

“A person’s name by itself is not useful to a criminal, but when combined with a second piece of information, an identity can be stolen,” Howell says. “Great harm can be caused very quickly.”

The University remains committed not only to raising awareness about computer security issues, but also to providing necessary support functions to meet the institution’s rapidly expanding needs in the area of IT safety. Created in 2004, Information Technology Security Services facilitates campus-wide security efforts and incident response; provides proactive campus services such as security assessments and consultation, network scans, education and training; manages IT security issues at the University level; and ensures compliance with federal regulations and guidelines.

“The importance of protecting University data really cannot be overstated,” says Laura Patterson, associate vice president of administrative information services. “We have to strike a balance between maintaining a secure IT environment for teaching, learning, research and administrative activities—and at the same time, provide an open infrastructure that supports the University’s mission. By educating ourselves, following best practices and thinking creatively, we all can work together to guard the private personal information that is entrusted to us.”