Author Archives: Michael Froomkin

This popped into the inbox:

A Message from President Shalala

April 17, 2008

To the University Community:

I wanted to let all of you know that we recently learned that a case containing computer back-up tapes with patient information and employee health benefit information was stolen from an outside storage company vehicle. The truck was on its way to an off-site storage facility. Local law enforcement is investigating the theft. Unfortunately, our employees' basic health information was on those tapes.

Shortly after learning of the incident, the University determined it would be unlikely that a thief would be able to access the back-up tapes because of the highly secured format in which they were written. Even so, we engaged the leading computer security experts in the U.S. to attempt to hack into the data from a similar back-up tape. All of their attempts over a lengthy process were unsuccessful. Based on this information, we believe misuse of the information on the tapes is unlikely.

The tapes were in a transport case that was stolen from a storage company vehicle on March 17 in downtown Coral Gables. The Coral Gables police have told us this is one of a series of vehicle thefts in the same area.

Because accessing the tapes is highly unlikely, we are not required by Florida law to disclose information about the theft, and we are confident that everyone's data is safe, we felt that it was in the best interest of our patients to be completely transparent in this matter. Also, it is the ethical thing to do.

Anyone who has been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, is likely to have their basic information included on the tapes. The data on the tapes included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.

Off-site storage is standard practice and is particularly critical in areas susceptible to severe weather. I want you to know the University's permanent records are not affected; all your information remains current, safe, and appropriately available on UM systems.

We have created a Web site to serve as the principal source of information about this incident: www.dataincident.miami.edu. As a back-up for this Web site, we have established a call center at 1-866-628-4492. If you receive any calls asking about the incident, please encourage callers to visit the Web site.

I deeply regret any concern this event may cause, and you have my assurance that everything possible is being done to make UM the safest place for our patients' health information.

There's an online FAQ with a tiny bit more info, including this teaser:

Q: Is my personal information at risk?
A: After consulting with computer security professionals, the University has determined that it is unlikely that the data on the tapes could be accessed by an unauthorized user. Attempts by a leading Miami-based computer security firm to access the information on identical tapes were unsuccessful. Therefore, we believe misuse of the information on these tapes is unlikely.

There's a phone number to call if you want more info. I called it to find out the name of the “leading Miami-based computer security firm” as I'm always interested to know about local folks who do computer security. The call center person referred me to the web site from which I got her phone number.

Update: A kindly correspondent points me to this UM press release which says a lot more about the security issue than the official web site:

the University engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of backup tapes.

“For more than a week my team devised a number of methods to extract readable data from the tapes,” said Christopher Day, senior vice president of the Secure Information Services group at Terremark. “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.”

Day said that his team also determined that even in the unlikely event that a thief had a copy of the same software used to write the tapes, “It would require certain key data which is not stored on the tapes before the software would make the data readable.”

Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said: “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.”

On of the things I have to do as a result of serving as Director of Faculty Development for the law school is act as head cheerleader for the faculty's scholarly activities (another is to nag folks to put their writing on SSRN – an uphill struggle). We had our annual 'Celebration of Faculty Scholarship' reception yesterday, and I was told I would have to give a speech. Here's more or less what I said:

I'd like to thank Raquel Matas, Amy Leitman, and especially Robin Schard for all their work in making this event, and this brochure, possible.

The Dean Search Committee members can't be here as they have yet another meeting – just another example of the many demands on people's time that might draw them away from writing, conflicts that each of you listed here have overcome.

It's worth looking at this list of publications: it includes many things you might otherwise not know about – indeed a very substantial number of things that are not on SSRN…you know who you are, and you'll be hearing from me.

I mourn the death of our former custom of putting every offprint in every faculty mailbox – I understand why, for environmental reasons, this practice went out of fashion, but I wish people would more frequently at least put the abstract, or the intro, in a memo so we wouldn't have to wait until this list comes out to see what so many people have been up to.

More generally, as long as I'm wishing for stuff, I think that we as a community could probably stand to do more celebrating of achievements. But if we are still celebrating too few things, too infrequently, I am glad that this is one of the things we do celebrate: today we are celebrating our community's scholarship, which has a very special, very central place in our collective enterprise.

This afternoon, I was talking to Ben Depoorter, who's at that Dean Search meeting right now. I was urging him to drop by later if the meeting breaks up in time. Economist that he is, Ben went straight to the point: “At what time do they give out the prizes?”

I had to confess that, as far as I know, we will not be giving out prizes today.

But that's because those of you who are writing have in some sense already had the prizes: I mean of course the 50 free offprints.

No, more seriously, you have already had the prizes:

• the time to think,
• the time to write,
• the chance to speak truth to power (or, as the case may be, to shout “power” to truth),
• the chance to take part in a national or a global conversation,
• the chance make a difference in the world

You do this by your contributions to doctrine, to discourse, to law reform, to clarity of understanding and, yes, to truth, and in so doing you justify our claim to be in a university rather than a trade school, and to take our place in the great invisible college of thoughtful citizens and intellectuals.

I leave you with the immortal words of Oliver Twist, “More, please”.

I much prefer giving academic papers – it's so much easier.