Initially, there was a lot of hand-wringing and finger-pointing over the theft of a laptop from a restricted area of a UC Berkeley campus office. The laptop contained some 98,000 records of graduate students, alumni, and past applicants, including Social Security numbers and other sensitive information.
Not only has the outcry died down to less than a whisper in less than two weeks, but US Berkeley has been assigned the lead role in a $19-million government-funded cybersecurity research project titled TRUST.
The Team for Research in Ubiquitous Secure Technology was assembled by the National Science Foundation, which decided Berkeley should lead the effort that involves several other universities, including Carnegie Mellon University, Cornell University, Mills College, San Jose State University, Smith College, Stanford University and Vanderbilt University. The project is funded by Silicon Valley heavy-hitters like Microsoft, Cisco, and HP, to name a few.
Sure, the irony just drips off the announcement that the university that let someone walk off with nearly 100,000 confidential records will be guiding an effort to develop, in the words of a UC Berkeley press release, "new technologies that will radically transform the ability of organizations – from private software vendors to local and federal agencies – to design, build and operate trustworthy information systems that control critical infrastructure. They will go beyond research into how to protect networks from attacks and develop ways to keep systems running properly even when intrusions occur – a concept known as “degrading gracefully under attack.”
Still, despite a few posts that point out the irony to anybody who may have missed it, mostly there’s a lot of yawning coming from the blogosphere.
That’s an interesting reaction, considering how slow the university was to react to the theft. The laptop vanished on March 11; the University reported it on March 28 in order to comply with a California law requiring notification of consumers if their Social Security numbers or other confidential information has been compromised.
Fortunately, the letter sent under the signature of University Chancellor Robert J. Birgeneau also includes details about steps the university is taking, including mandatory adoption of an encryption policy for all computers housing personal information. (You can read the letter here".)
That seemed to be enough for a lot of people, including one blogger who wrote that the letter was “a good example of damage control and worth reading.” He also said “I have to applaud them for taking the initiative” to adopt the encryption policy. The blogger in question, David T.S. Fraser, writes about privacy.
Another reason the furor has died down may be that the Berkeley case is just one of many reported recently. For example, Lexis-Nexis . And Berkeley isn’t the only university to suffer such thefts. Others (listed, of course, on a blog) include the University of Mississippi, Northwestern, and Tufts University.
Still another reason: Apparently, the thief who took the laptop hasn’t done anything with the data. Campus police think he was just looking for a laptop, not data.
One blogger, writing on March 29, expressed some cynicism when he said, “Gee, thanks for only waiting 18 days to tell us.” But in the end, he concludes, “Okay, just assure me that someone’s going to be fired over this.”
There’s no question, given the initial uproar in the blogosphere and the unwanted publicity it generated, that the university should have reacted faster. Having a crisis plan in place to address such possibilities would have helped. One hopes such a plan is under development now.
But on the other hand, the theft turned out to be no communication crisis at all. One definition (that I happen to like) says a crisis is “any situation that threatens the integrity or reputation of your company.” The lax security that permitted the laptop theft certainly threatened to compromise UC Berkeley’s integrity. But in the end, there was no compromise. In fact, the NSF was so nonplussed by the incident that they awarded Berkeley the lead in the cybersecurity TEAM project. And the total number of blog postings dealing with the issue was fewer than about 500. Compare that to the thousands of posts covering the Kryptonite bicycle lock incident.
It’s one more example in a lesson all communicators need to learn: Not every emergency is a crisis.
