Getting Ahead of a University Data Breach

Getting Ahead of a University Data Breach

Breaches and attempted hacks into university systems are now commonplace: the number of reported incidents at postsecondary schools has steadily increased; the education sector had the third highest number of breaches in 2014. Some of the largest breaches of 2016 occurred at colleges, such as at UC Berkeley where 80,000 financial records were exposed.

Universities must collect a range of sensitive data, including social security numbers, bank account and payment card information, loan details, minors’ information, and physical and mental health history. They hold troves of highly personal information often belonging to young adults with little credit or tax history – which makes these records desirable targets for identity thieves.

It can take universities months to contain a breach, identify what data, if any, was compromised, and notify affected individuals. Breach response is difficult in higher education: most university members are transient and use personal devices when accessing the network, and university data protection practices are regulated by a number of federal agencies – the Department of Education (via FERPA), Health and Human Services (via HIPAA), the Federal Trade Commission (via GLBA) – as well as state authorities with varying data protection requirements. Therefore, it can take educational institutions more time than companies to identify the source of a breach and comply with the many different notification standards.

University data breaches also raise unique reputational issues. They can damage the institution’s status in the research community, make students hesitant to use campus health or emergency services, and discourage professors’ use of technologies to enhance lectures.

Despite many schools’ efforts to shore up data security, breaches appear to be an inevitable tradeoff for a connected campus. However, there are practical steps all universities (even those that haven’t been breached) can take now to streamline response and reduce reputational damage in the event of a data breach.

Create a university incident response team. Similar to an IT-specific incident response or crisis management team, there should be an organization-wide incident response team (IRT) that consists of a representative from IT, as well as representatives from legal, communications, finance, student services, research, admissions, human resources, and other critical departments. The IRT should lead implementation of the university’s organization-wide incident response plan (IRP).

Select outside legal, cybersecurity, and crisis communications counsel now. Don’t wait for a breach to occur before deciding which external advisors the university will work with during the incident and negotiating a service agreement. Not knowing who your counsel(s) will be will unnecessarily delay the breach investigatory and notification period and could subject the university to more legal risk. Advisors should be interviewed and selected early on so that they are familiar with the university’s needs and pressure points when an incident hits. Ideally, these advisors will help develop the university IRP and measure the IRT’s preparation for an incident through tabletop exercises and simulations.

Develop a data narrative. A university should be able to articulate what data it collects and why, where and how the data is stored, and who has access to this data. This “data narrative” helps build trust between the university and those whose data it collects. It can also be used to develop messaging materials – notification letters, talking points, press releases, etc. – for notifying affected individuals and regulators of a breach and communicating with media.

Conduct a data risk assessment. Work with an outside cybersecurity advisor to evaluate the university’s data systems and test network vulnerabilities. It’s critical that the university understands the value of its data and has guidelines for protecting this data from intrusion and securing data post-intrusion. A risk assessment and accompanying cyber insurance helps address this.

Good cybersecurity is more than just compliance with state and federal law. Universities must develop a culture of data security and privacy, and planning ahead is a critical first step.

***

Alex Bradshaw is a senior privacy and cybersecurity advisor at Brunswick Group, a global advisory firm specializing in data breach response and other business-critical issues. She can be reached at abradshaw@brunswickgroup.com.

Image: “Computer Security – Padlock” by Blue Coat Photos  is licensed under CC BY-SA 2.0. The original picture was cut to 1200×545 for this blog.

Related Resources

  • Blog

    New Title IX Rule Defines Deepfakes as Sexual Harassment

    Aug 14, 2024Chloe Altieri

    On April 19, 2024, the U.S. Department of Education released updated Title IX Regulations that clarified schools’ ability to raise incidents of harassment usin…

    Learn More
  • Blog

    FERPA Exceptions: A Study in Studies

    Aug 5, 2024Alexa Mooney

    The Family Educational Rights and Privacy Act, or FERPA, protects personally identifiable information from education records from unauthorized disclosure. The …

    Learn More
  • EdTech Perspectives

    Demystifying the Consumer Privacy Patchwork

    Jan 18, 2024Randy Cantz

    What should edtech companies know about consumer privacy laws?As states continue to pass new consumer privacy laws, edtech companies may be left wondering what…

    Learn More