U law prof calls data theft “disaster” but doubts data is being used

The theft of research data from a prominent University of Minnesota law professor has put almost 300 people at risk of identity theft, university officials said today.

Professor Barry Feld said the February 2013 theft of a laptop, hard drive and scanner from under his secretary's desk involved information such as names, dates of birth, and in some cases Social Security numbers of crime victims and witnesses.

Feld has notified 119 people that their information is among the data stolen. A university spokesman said U personnel are still trying to track down another 175 potential victims.

Feld, who spoke on the phone while on vacation in California, said the probability was "minimal" that thieves have used the data, but called the incident a "disaster."

"It was a disaster," he said, "because all of these people who received these letters have anxiety both about [the theft] and [the] reawakening all of their memories of criminal victimization of a decade ago."

Feld apologized for the theft, saying "how incredibly sorry I am -- for the impact on the victims, the impact on the county attorneys offices, for the impact on the university, for the impact on my research, and the impact on my reputation."

He said he has terminated his research, and fears his mistake may cost access for other researchers.

In December 2012, Feld said, a handful of research assistants began compiling data on felony interrogations in cases -- all closed --that Hennepin and Ramsey county attorneys had prosecuted in January and February 2005.

The cases involved murder, criminal sexual conduct and aggravated robbery.

Under a confidentiality agreement with the county attorneys, research assistants would visit the attorneys' offices and scan case documents into a laptop.

They had no access to an internet connection at those offices to send the documents back to the U, Feld said. So they loaded them onto an unencrypted external hard drive, which they kept in the same computer bag.

The students left the bag with Feld's secretary, he said. She kept the bag unsecured under her desk, which is located in an office "shared by many professors and students within the law school," according to a police report.

She notified police of the theft on Feb. 14, 2013.

Feld claimed responsibility for the security lapse, saying, "I should have made sure that my [secretary] understood the importance of securing the bag at all times when it wasn't in the custody of my research assistants."

According to the police report, the secretary told police that as she was leaving the office on the afternoon of Feb. 8, she saw someone leave the office with the laptop, but could not see the person's face. She told officers she could not tell whether it was one of the students authorized to take it.

Feld said the U had trained him how to keep sensitive data secure. He should have used an encrypted hard drive, he said, and should have ensured the equipment was locked up.

"Unfortunately," he said, "I could not follow the protocols that were in place. I was trying to make it easy for my research assistants and secretary to do the data collection process ... without adding the additional overlays of security that in retrospect I know I should have."

Feld said both the university and county attorneys' offices were notified. The researchers hadn't gone through the scanned data yet, he said, so didn't know who from the cases was affected.

Feld said the U offered to help the county attorneys go through the data, but both offices declined. He said it took staffers there months to identify potential victims.

Feld said the laptop was password-protected. He said he believes the data in it was never accessed, because connecting it to the internet would have alerted authorities.

He said he also believes the thief had no idea what he or she was taking.

"If they actually looked at the contents of the hard drive," Feld said, "all they would have seen is a bunch of files of criminal cases, and most likely would have just deleted them -- either for themselves or to whomever they wanted to sell the hardware afterward."

Still, he emphasized: "Any data breach is serious. I don't want to minimize it."

Feld said no punitive action has been taken against him or his secretary.

University spokesman Matt Hodson wrote in an email, "Prof. Feld immediately reported the breach and has taken full responsibility for it; therefore, he has not been disciplined."

Chief Deputy Hennepin County Attorney David Brown called the case "very disappointing," but said no action is being taken against Feld or the U.

He said the U could be held liable if victims file claims against it.

Hodson of the U wrote, "While the University deeply regrets this incident, we do not have any information at this time that the data was accessed or that anybody was harmed. In all probability, the thief was looking for an opportunity to steal computer hardware and had no interest in any data on the hardware. If the University receives any claims, we will certainly address them."

Representatives for the Hennepin and Ramsey county attorneys said they were not closing the door on working with researches, but said restrictions may increase.

Brown said, "It may prohibit us from giving them access to the kinds of very sensitive data that was here."

A spokesman forwarded this message from First Assistant Ramsey County Attorney John Kelly:

“Our written agreement with the University of Minnesota contains explicit security requirements and obligations that if properly followed should have prevented this incident from occurring. That said, we are currently reviewing our policies and procedures for any opportunities to further strengthen those requirements.”

• How Augsburg is going all Mark Twain
• How past U of M presidents view higher-ed today
• Metro State data breach affected 160,000 students