The University of California (UC) system announced last month that it had been hit with a massive data breach. The breach occurred through a third-party file-transfer application called Accellion. UC was just one of the victims of the international cyberattack, which may have affected roughly 100 institutions, including Stanford Medical School, the Universities of Maryland, Colorado and Miami, and Yeshiva University in New York.

How much data was stolen remains unknown. The University of California wrote in a FAQ that the compromised information includes names, addresses, telephone numbers, birth dates, Social Security numbers and bank account information for “employees and their dependents and beneficiaries, retirees and their beneficiaries, students and their families,” and possibly other people with UC connections.

Prior to the November election, we were virtually alone when we wrote on how Section 15 of California Proposition 24 should not have exempted certain school-related businesses from requirements to protect privacy. When it came to certain student information, the section exempted these businesses from complying with parts of the California Consumer Privacy Act. One significant exemption allowed businesses to refuse a student’s “right to be forgotten” under Section 1798.105 of the California Civil Code. Exercising such a right would have allowed students to submit requests for the deletion of their data.