Faculty, staff salary information requires Net ID login

Andrew Henderson

Previously, faculty salaries were available on WKU’s website for anyone to see. Now those who wish to look at them must enter their Net ID and password.

Stacy Garrett, assistant director of the budget, said the link to view faculty salaries was password protected due to the recent Anthem hack.

“We did add that password because of concerns about the Anthem,” she said. “We added that layer of protection to make it a little harder to reach.”

Gordon Johnson, chief information technology officer, said the IT division received an official request from the division of finance and administration to place faculty salary information behind the Net ID login. 

To access this information, students, faculty and staff can go to the WKU webpage for the 2015-2016 Operating Budget, www.wku.edu/finadmin/budget/budget2015_16.php, click on the Budgeted Salary Information link at the bottom of the Expenditure Summary and enter their information. 

Johnson said the Anthem hack, which occurred in February of this year, sparked conversation on what information the university had made publicly available and whether it was prudent to make certain types of information available for anyone in the world to search and find instantly. 

“Was that a prudent thing for us to be doing, to make it so easy for anyone to gather what amounts to personal financial information on our constituents?” Johnson recalls questioning.

Anthem, the second-largest healthcare provider in the U.S., announced its systems were hacked on Feb. 4. Kara Brandeisky of Time said the hack affected an estimated 80 million customers and employees. This means 80 million customers’ personal information — birthdays, names, medical IDs, employment information and social security numbers — could have been stolen. 

Anthem’s role at WKU was as a third-party administrator of the university’s self-insured Employee Health since the beginning of 2003. 

Johnson said the decision to implement the new security login was discussed and made at the presidential administrative council level. The council decided it wasn’t prudent to make faculty salary information available to everyone with no control over who was looking at it.

“The decision was made to lock that down a little more and make it available to faculty, staff and students with a login,” he said. 

This information, however, is not removed from the public. Johnson said because the salaries are public records, someone can file an open records request with the general counsel’s office to obtain copies. 

Deborah Wilkins, general counsel, agreed with Johnson that after the Anthem breach, administration considered why salary information should be left on the WKU website for any person to access. 

“While salary alone probably won’t result in identity theft, it could play a role in someone filing a fraudulent income tax return,” Wilkins said in an email. “The public has the right to know the compensation paid to a state employee, so we will produce information to an [open records request].” 

Wilkins said WKU is under no legal obligation to post this information to the website, and removing it was within its discretion. She said as long as the university continues to respond to open records requests, they are legally compliant.

Despite the Anthem hack being the main reason new protocols affect access to salary information, both Johnson and Tony Glisson, the human resources director, said there has never been any proof that WKU employee information has been stolen as a result of the hack. 

“We have no proof. Anthem has not provided any proof; there’s been no proof that the Anthem hack was directly connected to any of our information being stolen and used,” Johnson said. 

Glisson also said there was no link between the Anthem hack and the WKU employees who reported that their 2014 tax returns has been filed fraudulently. 

“We established no linkage. I think just maybe personally and as an institution we maybe suspected that just because of timing, but we have no reliable data or information on which to base that perception,” he said. 

While no link between the hack and loss of employee information was ever established, Johnson said the university is not trying to hide information from people who have a legitimate reason to see it. Rather, it is trying to make browsing less easy for someone who may try to abuse the information after they access it. 

“In this day and age, the general consensus … the general line of thought among the administrative council was we need to be conscious of protecting any personal information that could be used by hackers or by criminals for whatever purpose,” Johnson said.