Thanks to Rob Hyndman for sending me this link.
The New York Times has been noticing that universities offer a plentiful supply of privacy incidents, not only related to student information but also information about research subjects. The article does a good job of noticing the problem and thinking about its root cause:
The New York Times > Technology > Some Colleges Falling Short in Security of Computers: "... Data collected by the Office of Privacy Protection in California, for example, showed that universities and colleges accounted for about 28 percent of all security breaches in that state since 2003 - more than any other group, including financial institutions.
'Universities are built on the free flow of information and ideas,' said Stanton S. Gatewood, the chief information security officer at the University of Georgia, which is still investigating a hacking incident there last year that may have exposed records on some 20,000 people.
'They were never meant to be closed, controlled entities. They need that exchange and flow of information, so they built their networks that way.'
In many cases, Mr. Gatewood said, that free flow has translated into a highly decentralized system that has traditionally granted each division within a university a fair amount of autonomy to set up, alter and otherwise maintain its own fleet of networked computers. Various servers that handle mail, Web traffic and classroom activities - 'they're all out in the colleges within the university system,' Mr. Gatewood explained, 'and they don't necessarily report to the central I.T. infrastructure.'..."