Top of the Data Breach Class

The loss of private information to hackers and through negligence now extends to educational institutions, which have graduated to the top of the data breach list and are seated alongside health care and retail. Fortunately, there are risk management tools that are available to educational institutions to help minimize the damage caused by a data breach.

When we talk about educational institutions, we are referring to K-12 and higher education. All educational institutions maintain personally identifiable information (PII) and protected health information (PHI), and some may even have sophisticated and valuable intellectual property (IP). Each of these categories are subject to regulatory and/or legal obligations to safeguard information, such as the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Health Information Technology for Economic and Clinical Health (HITECH) Act, Children's Online Privacy Protection Rule (COPPA), Federal Trade Commission (FTC), and Office for Civil Rights (OCR).

PII, PHI, and IP are highly attractive to criminals. PII can be utilized to steal a student’s identity before it reaches financial maturity. PHI can be used fraudulently to obtain health care services. Stolen IP can be used to bypass years of research and development on new technology.

For example, in May 2015, the Penn State College of Engineering reported that it suffered a cyberattack by a threat actor based in China, resulting in the compromise of 18,000 records. A letter from Penn State’s president states, “As we have seen in the news over the past two years, well-funded and highly skilled cybercriminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property.”

Loss of student data is not limited to cyberattacks. Social engineering fraud causes a person to do something that they would otherwise not willingly do. For example, if you saw a USB stick in the parking lot of your work and it had your institution’s logo on it, would you pick it up and plug it into your computer to find out whose it was? That USB stick might have been left there intentionally in the hopes that someone at the institution would plug it into a computer and release the malware it contained. Another example of social engineering fraud took place on Sept. 10, 2015, when an email phishing scheme at one Kentucky high school resulted in the unauthorized access to a nutrition services computer containing 2,800 student records, including student names, dates of birth, and social security numbers.

While active criminal threats pose a considerable risk for educational institutions, student hackers and simple negligence also are significant contributors to data breach numbers. On Sept. 18, 2015, a school district in New York disclosed that its student management system was improperly accessed. One month later, three students were arrested in connection with the hacking incident. In contrast, a medical student trainee’s loss of an unencrypted portable hard drive containing patients’ private information resulted in a data breach at the University of Texas.

Irrespective of the cause of a data breach, the educational institution must address it properly, but there are costs involved. One industry leading study reported that data breach response costs range from $154-$363 per record. The good news is that educational institutions can help defray the costs by having a data breach response plan in place and maintaining the proper type and level of insurance coverage.

When a data breach is first detected, educational institutions must coordinate their response with experienced legal and technology professionals, or risk making a bad situation worse by failing to do so. A plan, along with insurance coverage, will give the educational institution immediate access to professionals that have been through the nuances involved with responding to a data breach, including the lawyer breach coach, computer forensics team, public relations firm, and a notification and credit monitoring vendor.

Educational institutions are now the No. 2 target of criminals seeking to obtain PII, PHI, and IP. In addition, everyday negligence of those entrusted with private information can never be completely eliminated. As a result, preparing for the inevitable data breach is not only prudent, but necessary given the potential costs that will be incurred by institutions with budgets that already are stretched thin.