Integrity, Safety and Compliance - Data Exposure Follow-Up
Dear %%First Name%%,
Thank you for contacting us about this issue and offering the possible action items. The privacy and protection of our students’ information is a matter we take very seriously and we deeply regret the anxiety and inconvenience this may have caused you. We are reviewing our policies and practices to mitigate the potential for this human error in the future.
After investigating, here is what has been confirmed:
- More than 150 records have potentially been exposed between the two incidents, the first on April 21, 2020, and the second on June 29, 2020. Some of the data that was shared is what CU Boulder considers “highly confidential.”
- It appears that the data should have been sent to the address chemgrad@colorado.edu, but was instead sent to chemgraduate@lists.colorado.edu.
- Several attempts were made to recall the email, but they were only partially effective. An email was sent to the listserv explaining the mistake and a request was made to have those who received the information delete it.
The incident was promptly reported to CU Board of Regents, CU President, CU Boulder Chancellor and the United States Department of Education.
Some have asked us to release the names of the students on the listserv so that the affected students will know who received their information. Unfortunately, we are not able to do that for privacy reasons. The use of a listserv inherently prevents recipients’ email addresses from being viewable by other recipients. We do know that the data exposed included the 139 current Chemistry graduate students, as well as 19 recently graduated students who were still on the listserv.
Some have asked the University to issue new student ID numbers to affected students if they desire. This is not being pursued at this time. The Registrar and Counsel have offered assurances that there is no potential for misuse associated with these internal ID numbers and that re-issuing an ID number has the potential to cause negative downstream complications that outweigh any benefit.
FERPA, the Family Educational Rights and Privacy Act of 1974, affords students who have attended a post-secondary institution the following rights related to their education records:
- Inspect and review information in your education record
- Request amendment of your education record
- Consent to disclosure of personally identifiable information in your education record
- File a complaint with the U.S. Department of Education (Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Avenue, SW, Washington, DC 20202)
In accordance with CU Boulder policy, the Office of Information Security has formed a data breach response team. This team is made up of people from across campus and members of the System Administration office to manage the response and possible remediation that may be necessary.
Based on the initial information we have, here are the remediation steps currently ongoing:
- Require a password for documents that contain confidential information;
- Provide FERPA and IT Security training for department staff and faculty;
- Provide guidance and training on secure remote work practices for department staff and faculty;
- Change one or both of the email addresses so that they are no longer similar; and
- Offer identity monitoring services to those who were directly impacted by this issue. The university offered these services as part of the notification letter that was sent on July 24, 2020.
Please know that we believe that this was an unfortunate mistake and the data breach response team is working with the Chemistry Department and the College of Arts and Sciences to continue to implement the remediation steps.
Sincerely,
Dan Jones
Chief Information Security Officer
James White
Interim Dean of the College of Arts and Sciences
David Jonas
Chemistry Chair