Accellion Data Breach: An Informed Consent Perspective

By Anonymous | May 28, 2021

As many UC students, alumni, and employees are aware, the cybersecurity attack on the Accellion file transfer appliance (FTA) has left many with compromising information sold on the dark web. This leaked information includes Social Security numbers, bank account information, addresses, and more. (See UC Berkeley’s statement on the attack here.)

With such sensitive information now putting many UC affiliates and their dependents at risk for identity theft, I find myself wondering what I could have done to prevent this. Could I have avoided sharing this data with UC Berkeley? Demanded that they use a different storage system just for me? The answer to each of these questions is, of course, no. Well, not necessarily no, but if I had done either of them I wouldn’t have had any kind of successful outcome.

A demand for a file storage or transfer system of my own choice is obviously not feasible. If students had the option of selecting what kind of storage system they could each opt to use, there would be no consistency or efficiency in data storage. On the other hand, I was not given a real choice to opt out of this system storing or transferring my data at all.

If I had refused to share this data with UC Berkeley or with Accellion, I essentially would not have been able to attend Berkeley. UC Berkeley requires that information for enrollment, payment, and other mandatory attendance requirements.

The Belmont Report outlines principles for ethical treatment of research subjects. The first principle describes treating people with respect; usually this manifests as requiring informed consent, or ensuring people accept all of the terms of the use of their data and are entirely informed about the extent of its use when they consent.

Given the consequences of denying consent for use of our data, can we really say that the first principle of the Belmont Report was followed?

There are four primary principles of informed consent:
1. You must be able to make the decision.
2. The doctor/researcher must disclose information about the relevant procedure.
3. You must understand that information.
4. Consent must be given without coercion.

This final principle is what one could argue is violated in this situation. If the consequence of refusing consent to submit sensitive personal information like Social Security numbers is having to withdraw from the university, this can have severe consequences greater than may appear at face value. In the modern day, a college degree is virtually essential to success in the post-grad world, and is for many families a way to break the cycle of poverty. Many students may not feel that they realistically have the option to refuse acceptance on the grounds of distrust of the data servers.

However, incidents like the Accellion data breach suggest that such distrust is not unfounded. If given the choice in the future, I would not trust my personal, sensitive data to systems like this. Given that the responses to the Undergraduate Student Experience Survey were also included in the data breach, I have chosen to not respond to the Graduate Student Experience Survey on the basis of my lack of trust that the responses will remain anonymized. I have no such freedom to withhold my consent for other data deemed essential to enrollment and payment.