Crime victims’ and witnesses’ sensitive information on devices stolen from researcher’s university office

Brian Bakst of AP reports:

A University of Minnesota law professor has apologized to violent crime victims and witnesses after a computer with sensitive information of nearly 300 people was stolen from his office, but he said Friday that there’s no indication the thief has accessed the data.

Criminologist Barry Feld, a prominent juvenile justice scholar, was collecting data from closed case records for a study on law enforcement interrogation techniques when the laptop, a scanner and external hard drive were taken last February. His research, which required his team to sign confidentiality agreements before obtaining the data, has since been terminated.

Read more on Pioneer Press. Maura Lerner of the Star Tribune, who broke the story yesterday, noted the sensitivity and background of the individuals whose data were on the stolen devices:

All had been witnesses or victims in cases that were prosecuted in early 2005 in Hennepin and Ramsey County courts.

One victim, who had been raped as an 11-year-old, received Feld’s letter last week. Her mother told the Star Tribune that she was shocked by the data theft, and that she had no idea that her daughter’s information had been shared with a researcher. “I was aghast,” she said. It was particularly galling, she said, because the family had been unable to get some of that same information, such as witness testimony, when they requested it.

Feld admitted that the data were not properly secured:

“I did not properly protect the data,” Feld told The Associated Press in a phone interview Friday. The incident was first reported by the Minneapolis Star Tribune.

A police report said the equipment wasn’t locked and was stolen from under a desk in the office Feld shares with several research assistants. University police made no arrests in the case nor have they had any leads, according to a school spokesman.

Not only were the data not properly secured, it would appear that there was no backup or master index, as it took from last February until now for them to reconstruct a list of who needed to be notified.

All in all, this sounds like a total failure. I would love to see the contract or agreement the professor signed with the county to gain access to the research materials. Did the agreement require him to not just maintain confidentiality but to actually deploy reasonable and commercially available security protocols? If not, why not? Perhaps some enterprising reporter in Minnesota might want to investigate whether the state and county are requiring adequate security for access to personal and sensitive information.

About the author: Dissent