Newsletter > January 2009 > "FRATERNITIES MUST NOTIFY MEMBERS AFFECTED BY COMPUTER SECURITY BREACHES"
FRATERNITIES MUST NOTIFY MEMBERS AFFECTED BY COMPUTER SECURITY BREACHES
Adam Eckstein
Many states and universities have enacted laws and policies, respectively, requiring computer owners to notify potential victims of identity theft when a security breach occurs. Student organizations, which oftentimes obtain members’ personal information like credit card numbers for reasons ranging from housing to dues to donations, should be aware of these requirements to better protect themselves from computer security breaches and to reduce the instances of their members suffering from identity theft.
A majority of states—at least thirty-five, according to a simple survey of state statutes—have laws requiring computer owners or operators to notify those people whose personal information might have been stolen by a computer breach. While some statutes apply only to government offices, the statutes more often apply to any entity storing personal information in the state. California’s statute provides a good example of the requirement: “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”1
While at first blush fraternities and sororities seem exempt from this statute, the notice requirement trickles down to them via their university’s policies. Staying with the California example, the state’s university system has implemented the statute by requiring campuses to “notify California residents whose information is reasonably believed to have been acquired by an unauthorized person.” Each campus, therefore, has policies requiring its computer network users to adhere to the statute. From the state to the state school to the campuses, the law eventually lands at each campus’s network users, who include fraternities and sororities.
These state laws have one explicit requirement and one implicit requirement: notice and investigation. Ohio law provides another good example of the statute: “Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.”2
The main thrust of the statute requires computer owners to “disclose” security breaches to the people who could most be harmed by the breach. The implicit requirement of the statute is that those who hold personal information of others on their computers must be on the lookout for breaches.
In sum, the law holds computer owners who choose to collect others’ personal information responsible not only for notifying those people of identity theft risk but also for keeping the personal information safe.
Computer security breaches can result in legal action, as universities have discovered. For instance, two graduate students sued Ohio University over five security intrusions that breached 367,000 files containing personal information on a possible 173,000 people. The charges were ultimately dismissed as the two plaintiffs failed to prove they suffered compensable damages. But the case should serve as a warning light for fraternities and sororities with no computer security precautions.
Sororities and fraternities should take these laws’ two instructions to heart. When collecting members’—or their parents’—personal information, including credit card numbers and social security numbers, exercise forethought and ensure that the information is stored securely. A small investment in anti-virus and security software, and a short conversation with campus IT managers about security, can prevent personal information from being stolen and drastically reduce the risk of identity theft.
Furthermore, preparing a standard notice to have on hand will ensure quick notice in the event security measures are unsuccessful. Notice to potential identity theft victims should inform the recipient about the risk and—though not legally required—should inform the recipient of how to monitor their credit scores to mitigate any effect of identity theft. These measures will not only bring fraternities and sororities in line with state law and university policy, they will also help the student organizations protect their members from identity theft and credit card fraud that could devastate the members’ future.
1 Cal. Civ. Code § 1798.82(a).
2 O.R.C. § 1349.19(B)(1).