Bentley College-Watchfire Survey of Online Privacy Practices in Higher Education Reveals Risk Management Issues for U.S. Colleges and Universities
Business Wire, April 24, 2006
WALTHAM, Mass. -- A first-of-its-kind national survey of online privacy practices in higher education, conducted by Bentley College and Watchfire, reveals that while most schools engage in e-commerce, only 65 of 236 schools surveyed have privacy notices linked from their home page, and nearly all schools surveyed engage in practices that potentially pose a privacy risk. The 236 institutions surveyed were top-ranked doctoral universities and national liberal arts colleges from the 2004 U.S. News and World Report list of America's Best Colleges.
The benchmark study comes at a time when most schools are using the Internet to process electronic applications and other types of e-commerce transactions, ranging from online alumni donations to the sale of athletic tickets, clothing and textbooks. These are the same types of commercial activities that raise privacy concerns in the private sector. And with an increasing number of colleges and universities across the U.S. falling victim to data breaches, online privacy has emerged as an important risk management issue in higher education.
"Higher education is not immune from concerns about online privacy," says Mary J. Culnan, Bentley Slade Professor of Management and Information Technology, who conducted the research with Thomas J. Carlin, a Bentley MBA candidate. "Privacy breaches potentially undermine consumer trust and confidence and make people less willing to disclose personal information online; this benchmark survey should be a wake-up call for all institutions of higher education."
Similar to the surveys of online privacy notices posted by .com websites, initiated by the Federal Trade Commission in 1998, the Bentley-Watchfire survey is based on a content analysis of online privacy notices. But it goes one step further than the prior surveys, adding an automated scan of the websites to measure whether these sites also engaged in practices that may pose privacy risks to users, such as pages without a link to a privacy notice or non-secure pages with data collection forms. Watchfire, a company specializing in online risk management software and services to help ensure the security and compliance of websites, conducted the automated portion of the survey for Bentley using the Privacy Module of its WebXM(TM) software.
"This year's litany of stories about security breaches shouldn't be construed as a gloom and doom scenario but a wake-up call for higher education, parents, students and alumni," said Traci Logan, Bentley's vice provost and vice president for information technology, who helped design the study. "For many, the college application process represents the first plunge into the deep end of the pool when it comes to voluntary release of confidential personal data. While most CIOs in higher education identify information privacy and security as a critical challenge, too often this view doesn't permeate organizational culture and spending. But it's clear that with the millennial generation becoming more cavalier about sharing information on sites like Facebook.com and MySpace, we have a deepening obligation not only to protect personal information but to better communicate how it might be used once it leaves the fingertips. The very best strategies integrate that philosophy into institutional culture."
Key findings of the automated portion of the survey include:
--Nearly 100% of both doctoral universities and liberal arts colleges had at least one data collection form on a page without a link to a privacy notice
--Nearly 100% of both doctoral universities and liberal arts colleges had at least one data collection form that used the GET method to submit the data, which places the submitted values in the URL and poses the risk of identity theft because sensitive information is then stored in web server log files that may be accessed by hackers
--100% of both doctoral universities and liberal arts colleges had at least one non-secure page with a data collection form
For the manual survey, the authors analyzed content for the 65 privacy notices that were linked from the home page of the schools in the sample. They analyzed each notice to determine to what extent it reflected the basic elements of fair information practices. The authors found:
For all 65 privacy notices:
--63% contained a statement defining the scope of the privacy notice
--66% contained contact information for privacy concerns
--20% contained a statement about how changes to the notice are handled
--85% described whether or not the site collects personal information
--None of these websites displayed a privacy seal
For the 51 schools that disclosed in the notice that they collect personal information:
--49% disclosed what personal information is collected
--90% reported how they use personal information
--59% described in the privacy notice how their sites use cookies or web bugs
--53% said whether or not the school shares personal information when required by law
--53% reported in the privacy notice whether or not the school shares personal information with third party affiliates



