Yale administrators admitted error in making a collection of confidential security documents available to over 40,000 people in the Yale community.
Deputy Secretary for the University Martha Highsmith, who oversees Yale’s emergency operations, told the News Wednesday that some of the documents were online by mistake, and attributed their wide availability to an access-code error that allowed any user with a net ID to view the documents.
“It could have been a human error, it could have been a software error,” she said. “We just don’t know.”
Highsmith said Information Technology Services representatives are currently assessing the problem, and determining how to fix it. While some of the documents “clearly should not have been public,” Highsmith said, community members have contacted her in the past week to express relief that the University has emergency plans in place.
Highsmith said the next step is to determine which documents can be put back online for the public to see and whether to post redacted versions of other files.
“I think there is information that would be helpful to everyone in the community,” she said.
Still, Highsmith said the most sensitive information, such as meeting locations for the Emergency Operations Team — the group of administrators charged with coordinating emergency responses — was not included in the leak. The 35-page Emergency Operations Plan labeled “September 2010” did include this information, but Highsmith said that, by February, it was already outdated.
University Secretary Linda Lorimer said the University is exploring ways to securely post the confidential information.
“However,” she added, “if we find we cannot be confident of an online secure site, we will just continue to rely on the old-fashioned way: Hard copies of the Red Emergency Notebook.”
Lorimer called the access-code error an “innocent” but “serious” one.
While Highsmith said that contact information and location-specific details are too sensitive to be online, the most important parts of the plan are unwritten: The essential pieces of Yale’s emergency management lie in the EOT’s preparation and not in any document, she said.
Last Monday afternoon, the News told Highsmith that potentially sensitive information on the Emergency Management website was widely accessible. Highsmith said at the time that at least some of the documents were intentionally available to raise awareness of the University’s level of preparation. The link to the documents was removed from the site the following day.
“I’m sure there was a lot of information that was perfectly okay to be public,” University President Richard Levin said of Yale’s mistake. “Obviously some of it was not appropriate.”
Two outside security analysts concurred with Levin. Dolores Stafford, the president and CEO of D. Stafford and Associates, a consulting firm specializing in campus safety and security, said that the most sensitive information was the contact information for top University officials and instructions for operating the emergency communications system.
Yale’s cache of security documents is not unique. Harvard University maintains a completely public emergency management website, which contains tips for how to handle major incidents such as explosions or flooding. The website also contains links to Harvard’s online Emergency Operations Center, which is only accessible to certain administrators, and a server of emergency planning resources. The latter link, whose online description is analogous to Yale’s collection of formerly available documents, is not accessible to undergraduates.
In addition to contact information and the Emergency Operations Plan, the online server also included Yale’s Facebook and Twitter passwords.
Drew Henderson contributed reporting.