The Privacy and Security Policy Vacuum in Higher Education.

I l l u s t r a t i o n b y F r e d r i k B r o d é n , © 2 0 0 6 olleges and universities possess an exceptional volume and variety of personal information. Given this fact—along with their wide range of activities, the often decentralized nature of their operations, and their growing reliance on technologies that collect and centrally store data—these institutions face significant privacy and security challenges. Unfortunately, to date, most colleges and universities in the United States have failed to live up to these challenges. Their stewardship of personal, even sensitive, information is frequently governed by inconsistent and inadequate policies. Higher education institutions often implement new technologies and systems while paying little attention to privacy and security implications. They lag far behind industry in appointing privacy and security officers. Although colleges and universities accounted for more than one-third of the publicly reported information security breaches in 2005 and the first half of 2006, they provide scant training in privacy and security issues, especially outside of the technological arena, and rarely audit for compliance. Perhaps most important, colleges and universities have failed to exercise leadership in the expanding national debate about the appropriate protection for personal data and the proper limits of government access. Higher Education