The theft of a University of Minnesota professor’s laptop, portable scanner and external hard drive last February resulted in a data breach of the personal information of 119 victims and witnesses of violent crimes.
Law professor Barry Feld and several law students were researching interrogation techniques in violent crimes prosecuted in Hennepin and Ramsey County District Courts during January and February 2005.
The researchers had collected the crime data but hadn’t analyzed it yet, so it took the county attorneys’ offices and the University almost a year to determine whose information was on the stolen devices and where to contact them.
While much of the data was public in police reports and court records, Feld had received permission from the county attorneys’ offices to access the private data, including names, addresses and birthdays of victims and witnesses.
The University sent letters this month notifying the 119 people of the data breach, in accordance with Minnesota law and University policy. The Star Tribune reported on the incident last week after one of the victims contacted them.
“I’m incredibly sorry that this happened. I’m sorry that sending these letters out has reawakened painful memories for the victims of these crimes,” Feld said. “I’m sorry for the burden that this has created for the University, and I’m especially sorry for the impact that it had at the county attorneys’ offices, who had to do a lot of unnecessary work to try to undo the damage that this theft has caused.”
Feld said he thinks the suspect was just a typical thief who had no interest in obtaining the victim and witness information. Mondale Hall, where the theft occurred, was the site of 13 thefts in the past year — eight of which were laptop thefts, according to the University police crime log.
When the student researchers collected the data, they scanned documents into the laptop via the portable scanner and then periodically backed it up on the external hard drive. They stored all three items in the same bag.
University policy requires researchers to protect sensitive data like this with enhanced security measures that include having passwords, using encryption software and keeping portable devices like laptops and hard drives in locked drawers when not in use.
According to the University police report, the bag researchers kept the data in was stored underneath Feld’s assistant’s desk, in an office that many law professors and students share.
“I was not a proper custodian of the data,” Feld said. “I was trying to make it easy for my research assistants and my secretary to have access to the computer, and I put their convenience over maintaining adequate security.”
All University researchers undergo initial training and refresher courses on data security, according to University policy. Feld said he and his students had all taken this training.
The University is offering free credit monitoring for a year to anyone impacted by the breach.
University spokesman Matt Hodson said the University hasn’t disciplined Feld or the other researchers for the data breach, because Feld notified the appropriate offices immediately and took full responsibility for the incident.
Feld, who has been at the University for 41 years and is a leading expert in juvenile justice, said he and the county attorneys agreed that because of the data breach, he wouldn’t continue the research project.
“And that’s really another part of the really unfortunate aspect of this opportunistic theft. … This was really important research — it’s never been done before,” he said. “… And I would expect that the county attorneys would be very gun-shy if anyone else asks them to [do similar research] as well.”