A few weeks ago, I was informed that I may be part of a class action settlement against the University of Minnesota for a data breach that exposed my personal information. According to the description, in 2021, the University of Minnesota experienced a data breach that “exposed the personal information of individuals who submitted information to the university as a prospective student, attended the university as a student, worked at the university as an employee or participated in university events between 1989 and August 10, 2021.” Source. I am an alumnus of this university, so my information was part of that breach.
Of course, the university, as a classical co-operative unit, took the easier path offered by the legal system. It refused to admit any wrongdoing, but it agreed to pay $5 million to settle the class action lawsuit. The settlement is open to anyone whose personal information was exposed in the breach, including names, addresses, dates of birth, Social Security numbers and other sensitive data.
What makes it more insulting is that the university did not issue a formal apology to the affected individuals, and is only offering $30 per person as compensation for the breach. Yes, to be fair, they do include the standard 24 months of dark web monitoring and identity theft protection services, but my personal information is priced at $30, which will be less if the number of people submitting claims exceeds the funds available for distribution.
So the university that sends me two or three emails per week asking me to donate to them values my personal information at $30. I understand that my Social Security number and other personal information were exposed in other breaches (thank you, T-Mobile and others). But the current situation is that it does not matter whether it is a commercial entity or a public one; they will function in the same way. They won’t take responsibility for their actions, and they won’t compensate you for the damage they caused. They will just offer you a small amount of money and hope you will forget about it.
The University of Minnesota is not the only university to do so. Several other institutions and companies have been implicated in data breaches and have offered similar settlements. But it is still disappointing to see that they are not taking this issue seriously. This same university, which promised lifetime access to an email address and did not honor that promise, is now offering me $30 for my personal information. This is a slap in the face to all of us who have been affected by this breach. Therefore I will not submit a claim for settlement. I will not accept their offer of $30. I would have felt much better if they took responsibility for their actions and offered a healthy apology. But they did not do so. This would have been a good start. But they did not do so. And they won’t.
The basic problem is that they don’t care about us. They care about their reputation and their bottom line. They don’t care how much damage they have caused to our personal information. They don’t care about the trust they have broken. They just want to move on and forget about it. When this happens from a corporation or company, I can understand it. But when it comes from a public institution that is supposed to serve the public interest, it is unacceptable. How will I trust anything I get from them in the future? They have shown that they do not care about their alumni or students.
Regulation is very weak, and courts/laws are not doing enough to hold these institutions accountable. The fine is very low and the settlement is also very small. The only way to change this is to demand better regulations and stronger penalties for data breaches. We must hold these institutions accountable for their actions and make them compensate for the harm they cause. If fines and compensation were higher, incentives would align, and they would take data security more seriously and invest more in the security of our personal information rather than in the ever-increasing administrative costs and salaries of top executives.
American universities are not only charging high tuition fees for education, but they are also taking external grants from researchers to use their facilities. If you receive an NSF or NIH grant, you must pay a percentage of the grant as indirect costs to the university. The percentage varies from university to university, but it is usually around 50%. This means that if you get a grant of US$100,000, the university will take US$50,000 as indirect costs (NSF or NIH will ultimately pay US$150,000). This is a huge amount of money that could be used for research, but it is being spent on administrative costs of the university and the salaries of an increasing number of administrators.
It is noteworthy that universities are currently under criticism for many reasons, most of which are politically motivated, but there are also many legitimate reasons for criticizing the way they are run. The way they handle data breaches is one of them. The amount of disrespect they show towards their alumni and students is unique. The way they prioritize administrative costs over education and research is a different approach. Now is the time to demand better from our universities and hold them accountable for their actions.
After writing this post and attempting to proofread it, I realized I repeated “my personal information is worth $30” too many times. I guess that’s a sign that I’m still angry about it. But I also realized that if I had written it in Arabic, it would have been more concise. The poetic nature of complaint writing in Arabic is much more effective than in English. But I’ll leave that for another time.