By Kyeland Jackson —
On April 6, U of L revealed employee information was hacked by scammers filing fake tax returns. But the university first received news of a hack March 1, established a pattern March 30 and issued a public statement a week later. The university implemented more security measures, notified Equifax and gathered a planned response to the situation.
By then, the university reiterated it values reputation above faculty.
Waiting to ensure the university looked good handling the situation only further endangered the nearly 750 faculty members whose information was compromised. Whether it be a month or a week spent prepping a response, that’s more time criminals could access social security numbers and W-2 information without employees knowing.
It’s not the first time saving face trumped constituents at the university. When the Cardinal broke the story of racial tensions within Threlkeld hall, the university treated the incident as common practice; another day hushing students and keeping hints of controversy out the ears of concerned parents.
Regardless of how bad it looks, the university should own up to bad information when it’s obvious there are people at risk. The university has handled troubling information well before, but has a track record of hiding as much as it discloses.
Perhaps I’m mistaken and simply don’t understand the process or motivations behind U of L’s decision. Regardless, the situation reeks of posturing. Worse, I doubt university administrators would have disclosed the breach if they didn’t realize the situation was out of their control.
Even without the law it should be common practice to warn employees of a breach. Identity Theft Resource Center Director of Research and Publications Karen Barney looked at U of L’s response and said it may have been timely, but she values entities who notify those affected with or without a law because: “it’s the right thing to do for consumers.”
If the university wants to demonstrate it cares about its constituents, it needs to re-evaluate priorities. It will look bad revealing condemning information like hacked servers without a plan yet in place. But it’s the right thing to do. Otherwise, the university continues to be a disillusioned entity thinking it knows what’s best for the university without consulting those within it.
Otherwise, it becomes another James Ramsey.