Albuquerque Journal

UNM Foundation should plug into some cyber reality

The University of New Mexico Foundation should have moved more quickly to notify some 22,000 donors that some of their financial information was potentially compromised when someone hacked its network through an account with its security services provider. Some security.

Instead of a quick response and public announcement, the foundation waited 28 days to send out the breach notification by snail mail.

“Information that may have been available includes names, contact information, donation amount and the checking and routing information displayed on your donation checks,” the letter to one donor stated. It went on to say that while this isn’t typically sufficient “to grant access to your accounts with your financial institutions, we ... wanted to alert you to this incident so that you may be vigilant ... and to monitor your accounts for any suspicious activity.”

But in this age of identity theft, if someone has your bank account number you want to know about it sooner rather than later.

And donors are in good company — foundation officials didn’t alert their own board of trustees for 23 days.

Foundation officials said they needed the time to determine the depth of the breach, secure the system and identify what and whose information might have been affected.

But if anyone thinks cyber thieves need 28-plus days to wreak havoc using personal data and financial information, they’re living in the wrong decade.

Ironically, the foundation has been fighting a lawsuit brought against it under the Inspection of Public Records Act, arguing that it is important to be able to protect the names of donors who want anonymity — a mission clearly compromised by the data breach.

The foundation’s website lists nearly 100 employees, and the breach also could have compromised data on more than 750 employees, annuitants and foundation vendors that includes Social Security numbers, birth dates and bank account information.

Sadly, the foundation’s 28-day delay in notifying its donors would conform with the anemic New Mexico Data Breach Notification Act, which was approved this year by the Legislature and takes effect June 16. It gives affected entities 45 days to notify clients of a computer security breach — plenty of time for that Nigerian prince or local addict to drain your account dry. It’s a case of something being worse than nothing because this law makes 45 days acceptable.

The Legislature needs to power that legislation back up and make it meaningful.

Foundation spokeswoman Jennifer Kemp says the foundation will provide a year’s worth of credit reporting and repair services to affected individuals. Aside from implementing the necessary steps to ensure its donor and employee data is as safe as possible, the foundation would do well to reveal what damages, if any, resulted from the breach, how it plans to prevent a recurrence and, if there is a recurrence, how quickly it plans to notify potential victims.

That should put its current donors, as well as future ones, more at ease.
