My private information is worth $30

Original link: https://blog.melashri.net/micro/privacy-price/

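## University of Minnesota data breach and disappointing settlement

The University of Minnesota recently offered a settlement to individuals affected by a 2021 data breach, which affected people associated with the university between 1989 and 2021, including alumni such as the author. Although the university did not admit fault, it agreed to a $5 million settlement that gives affected individuals only $30 and 24 months of dark web monitoring.

The author considers the offer deeply insulting and argues that it seriously undervalues the exposed personal information, such as Social Security numbers and addresses. Beyond the inadequate compensation, the university's lack of a formal apology is especially frustrating. The incident reinforces a broader concern: public and private institutions consistently put reputation and finances ahead of accountability and data security.

The author refuses to accept the settlement, arguing that doing so would perpetuate a system that does not take data breaches seriously enough. They highlight systemic problems within universities, including the prioritization of administrative costs and the lack of strong data protection measures, and call for stricter regulations and penalties to incentivize better security practices.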

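A Hacker News discussion titled "My personal information is worth $30" drew attention to the devaluation of personal data. The author received $30 from a university after a data breach, which sparked a debate about the true value of personal information.

Commenters pointed out that personal data is valuable mainly to the individual, yet companies profit enormously from collecting it, a concept explored in The Age of Surveillance Capitalism. Determining the financial damage caused by a breach is difficult, which typically leads to low compensation amounts.

The discussion also touched on related issues: broken promises about services such as lifetime email access (often tied to Google and Microsoft policies), and the unpunished power held by large companies. One commenter argued that companies operate on a "what are you going to do about it?" principle, while another noted the subtleties of language and expression, in particular the effectiveness of Arabic in expressing grievance. Ultimately, the discussion underscored a sense of powerlessness people feel about data privacy.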

Original text

A couple of weeks ago, I was notified that I can be part of a class action settlement against the University of Minnesota for a data breach that exposed my personal information. According to the details, in 2021, the University of Minnesota experienced a data breach that exposed personal information of "individuals who submitted information to the university as a prospective student, attended the university as a student, worked at the university as an employee or participated in university programs between 1989 and Aug. 10, 2021" (source). I'm an alumnus of this university, so my information was part of that breach.

The university, of course, as a classical cooperative entity, took the easy route that the legal system provides. They refuse to admit any wrongdoing, but they agreed to pay $5 million to settle the class action lawsuit. The settlement is open to anyone who had their personal information exposed in the breach, which includes names, addresses, dates of birth, Social Security numbers, and other sensitive data.

What is more insulting than the university not issuing a formal apology to the affected individuals is that they are offering a mere $30 per person as compensation for the breach. Yes, to be honest, they include the standard 24 months of dark web monitoring and identity theft protection services, but the value of my personal information is set at $30, which would be even less if the number of people submitting exceeds the funding available for the settlement.

So according to the university that sends me two or three emails per week asking me to donate to them, my personal information is worth $30. I understand that my Social Security number and other personal information got exposed in other breaches (thanks to T-Mobile and others). But the current status quo is that it does not matter whether it is a commercial entity or a public one, they will act in the same way. They will not take responsibility for their actions, and they will not compensate you for the damage they caused. They will just offer you a small amount of money and hope that you will forget about it.

The University of Minnesota is not the only one doing this. Many other institutions and companies have been caught in data breaches and have offered similar settlements. But it is still disappointing to see that they are not taking the issue seriously. This same university, which promised lifetime access to an email address that they did not honor, is now offering me $30 for my personal information. It is a slap in the face to all of us who have been affected by this breach. So I will not be submitting a claim for the settlement. I will not be accepting their offer of $30. I would have much preferred if they had taken responsibility for their actions and issued a healthy apology. But they did not. This would have been a good start. But they did not. And they will not.

The basic problem is that they do not care about us. They care about their reputation and their bottom line. They do not care about the damage they caused to our personal information. They do not care about the trust they have broken. They just want to move on and forget about it. When this happens from a corporation or a company, I can understand it. But when it happens from a public institution that is supposed to serve the public interest, it is unacceptable. How would I trust anything coming from them in the future? They have shown that they don't care about their alumni or their students.

The regulation is very weak, and the courts/laws are not doing enough to hold these institutions accountable. The fines are too low, and the settlements are too small. The only way to change this is to demand better regulations and stronger penalties for data breaches. We need to hold these institutions accountable for their actions and make them pay for the damage they cause. If the fines and compensation were higher, then the incentives would be aligned, and they would take data security more seriously. And would invest more in protecting our personal information instead of the ever-increasing administrative costs and salaries of the top executives.

US universities are not only charging high tuition fees for education, but they are charging even researchers with external grants to use their facilities. If you get an NSF or NIH grant, you have to pay the university a percentage of the grant as an indirect cost. The percentage varies from one university to another, but it is usually around 50%. This means that if you get a 100,000 USD grant, the university will take out 50,000 USD as indirect costs (NSF or NIH will end up paying 150,000 USD). This is a huge amount of money that could be used for research, but it is going to the university's administrative costs and salaries of the ever-increasing number of administrators.

For what it is worth, the universities are currently under fire for a variety of reasons, mostly politically motivated, but there are many valid reasons to be critical of the way they are run. The way they handle data breaches is just one of them. The amount of disrespect they show to their alumni and students is another. The way they prioritize administrative costs over education and research is yet another. It is time for us to demand better from our universities and hold them accountable for their actions.

After writing this post and trying to proofread it, I realized that I repeated "My personal information is worth $30" multiple times. I guess it is a sign that I am still angry about it. But I also realized that if I had written this in Arabic it would have been much more concise. The poetic nature of writing about grievance in Arabic is much more effective than in English. But I will leave that for another time.
