Save 75% - Only $49.99 for 1 full year! digitalPLUS subscription offer ends 12/1

Data breach at College Park [Editorial]

Laws and LegislationCyber CrimeTheftColleges and Universities

Hackers who stole confidential information on more than 309,000 current and former students and faculty from computers at the University of Maryland College Park last week had to penetrate multiple layers of security to get at the data, and school officials still don't know exactly how they did it or who they were. The sophisticated attack, which compromised Social Security numbers, birth dates, university ID numbers and other personal information, was a stark reminder of how vulnerable the nation's institutions are.

School officials moved quickly to respond to the breach, which apparently took place sometime between 4 a.m. and 5 a.m. Tuesday and was discovered by staffers a few hours later. The next day University President Wallace Loh announced what had happened in an open letter to the campus and notified the state attorney general's office, which posted a list of things consumers could do to protect their information on its website. Mr. Loh also invited federal, state and local law-enforcement agencies to help investigate the incident, offered free credit monitoring for a year to anyone affected by the theft and set up a university task force to recommend further steps the school should take to guard against such crimes in the future.

But although UM officials appear to have done everything right after discovering the breach, that's not always how things turn out. During the holiday season last year, a week elapsed before Target told customers cyber criminals had gained access to personal information on millions of shoppers, and It took Neiman Marcus 10 days to announce that it had fallen victim to a similar attack. Those were just two among a series of large data breaches that recently have targeted financial institutions, schools, employers, retailers and others across the country who collect the kind of data cyber thieves can use to set up phony accounts under victims' names and steal their money.

Experts warn that more such attacks are on the way and that efforts to mitigate their impact are hampered by the current lack of national standards governing what institutions whose data has been breached are required to do, either in terms of notifying customers or in strengthening their defenses against hackers. While no institution is invulnerable to such attacks, the response to them is governed by a confusing and often contradictory patchwork of state laws that are wholly inadequate to protect a national economy.

For example, some states require retailers to disclose a breach within a specified period of time but others exempt companies from that mandate if the data are encrypted. Maryland requires retailers to list contact information for the state attorney general on their websites after a breach, while companies in Oregon must contact the Federal Trade Commission and those in Iowa have to report to police. The lack of uniformity makes it difficult for companies to come up with consistent responses to data breaches. Clearly this is a national issue that demands a federal response.

That's why pressure has been growing in Congress to develop federal standards for how companies handle data thefts. One bill would require companies to safeguard their data, assess the harm a breach might do and notify consumers as well as the appropriate federal agencies of all breaches affecting more than 5,000 customers. Meanwhile, the Securities and Exchange Commission has advised public companies hit with breaches to inform customers of that fact in a timely fashion, though it set no specific timetable.

In addition, the White House has issued guidelines aimed at helping companies that run essential services such as banks, utilities and cellphone towers better protect themselves from cyber attacks. Those guidelines are voluntary, however, and companies are free to ignore them unless Congress enacts them into law.

In the meantime, Maryland can strengthen its own defenses by beefing up the reporting and security requirements for companies and institutions whose systems are hacked. One way to do that might be to simply adopt the president's guidelines in their entirety and incorporate them into state law. We need to recognize that the threat posed by cyber attacks is real and growing, and we don't need to wait for Washington to act in order to better protect Marylanders from such crimes.

To respond to this editorial, send an email to Please include your name and contact information.

Copyright © 2014, The Baltimore Sun
Related Content
Laws and LegislationCyber CrimeTheftColleges and Universities
  • Fracking moves forward
    Fracking moves forward

    A week ago, a failed switch in a home along the shores of Deep Creek Lake caused 1,700 gallons of raw sewage to accidentally spill into the water, enough that health officials had to monitor local water quality and post warning signs nearby after the cleanup. The episode was uncommon, but it...

  • Chuck Hagel leaves Obama's war against war
    Chuck Hagel leaves Obama's war against war

     The surprising decision of Secretary of Defense Chuck Hagel to leave his Pentagon post after only 21 months of service has been widely greeted as a combination of his frustration in the job and a conclusion at the White House that he turned out to be the wrong man...

  • Trees make a city look more beautiful
    Trees make a city look more beautiful

    Years ago, author Alice Walker published a book of poems entitled "Horses Make a Landscape Look More Beautiful." Though the landscape in her verse was rural, she might well have said the same of the urban cityscape and its mature trees. Baltimore's leafy green canopy surely makes the city a...

  • Who's next?
    Who's next?

    What Marylander had the biggest impact on the state in 2014? The Sun is asking for your nominations for the 2014 Marylander of the Year. Please send them to and include "Marylander of the Year" in the subject line. We'll announce the finalists in mid-December and a...

  • Ferguson impact [Poll]
    Ferguson impact [Poll]
  • Report concludes Maryland can safely 'frack'
    Report concludes Maryland can safely 'frack'

    Maryland agencies have concluded that natural gas production from the Marcellus Shale by hydraulic fracturing (fracking) can be accomplished without unacceptable risks, but only if a suite of best practices is required, monitoring and inspections are rigorous, and enforcement is ironclad. The...