Texas State University Exposes 2,215 Employee's Employment InfoFOR IMMEDIATE RELEASE: January 24, 2008 UPDATED: February 7, 2008
Media Contact: Aaron Titus
SAN MARCOS, Texas. The Texas State University Computer Science Department website posted the names, birth dates, hire dates, salary and employment information for 2,215 Southwest Texas State University (SWT) Faculty and Administrators in fiscal years 1998 thru 2003. According to the Excel file meta data, the file was created on February 18, 2003, and has been online since at least March 2006. According to the file, the data source is the employee profile (PEXXEMPF) file of the SWT database.
Many states have passed laws stating that government employee salary information is public. In a letter to the Liberty Coalition (republished below), Texas State University has asserted that Texas State law requires that they make certain types of personally identifiable information available to the public, such as names, dates of birth, and EEO status of state employees. Since the Liberty Coalition does not take positions on local, state or Federal law, SSNBreach.org does not report "violations" of the law, per se. Instead, we report instances of personal information exposure which may reasonably be of interest or concern to those affected. Admittedly, a person's name, date of birth, sex, ethnicity, and other information are all uniquely personal, and which a reasonable person may be interested to know has been exposed online. In addition, a name and birth date can be objectively sensitive under several circumstances, regardless of local law or custom.
The text of the letter follows:
Texas State University-San Marcos presents the following additional facts to provide a broader context and a more comprehensive perspective of the risk presented by this disclosure.The Liberty Coalition encouraged the university to re-evaluate the need to post all of the information.
First, under the Texas Public Information Act, every piece of disclosed information was and is considered public information - information that the University cannot legally withhold from the public. The public nature of employee birth dates (arguably the most sensitive piece of disclosed information) was recently re-affirmed in a ruling by the Texas Attorney General (OR2006-01938). That ruling was then upheld in January, 2008, by the Texas Court of Appeals (Texas Comptroller of Public Accounts v. Attorney General of Texas, 2008 WL 160173 (2008)).
Second, it is noteworthy that to comply with Texas law, the University has released this same information to anyone who has requested it in the past. Unless the law is changed, the University will continue to release this information in the future. For that reason, the University believes that this specific disclosure did not materially increase the risk of identity theft for the individuals included in the disclosure.
Finally, irrespective of the legal status of the information, the University responded in a sensitive and expedient manner to the Liberty Coalition's email notice. Upon receipt of the notice, the information was immediately placed behind authentication (user login required) to restrict access to authorized individuals. Shortly thereafter, as an added precaution against any unintentional subsequent disclosure, the information was totally removed from the web site. Finally, the University contacted web.archive.org and successfully obtained removal of the information from its Wayback Machine. Thus, despite the fact that the information is freely available to the public under the law, the University took rapid steps to eliminate the possibility of its continued direct availability via the Internet.
The University hopes that the above additional information will assist readers in fully assessing the risk of identity theft attributable to this disclosure.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.