Getting Ahead of a University Data Breach

Breaches and attempted hacks into university systems are now commonplace: the number of reported incidents at postsecondary schools has steadily increased; the education sector had the third highest number of breaches in 2014. Some of the largest breaches of 2016 occurred at colleges, such as at UC Berkeley where 80,000 financial records were exposed.

Universities must collect a range of sensitive data, including social security numbers, bank account and payment card information, loan details, minors’ information, and physical and mental health history. They hold troves of highly personal information often belonging to young adults with little credit or tax history – which makes these records desirable targets for identity thieves.

It can take universities months to contain a breach, identify what data, if any, was compromised, and notify affected individuals. Breach response is difficult in higher education: most university members are transient and use personal devices when accessing the network, and university data protection practices are regulated by a number of federal agencies – the Department of Education (via FERPA), Health and Human Services (via HIPAA), the Federal Trade Commission (via GLBA) – as well as state authorities with varying data protection requirements. Therefore, it can take educational institutions more time than companies to identify the source of a breach and comply with the many different notification standards.

University data breaches also raise unique reputational issues. They can damage the institution’s status in the research community, make students hesitant to use campus health or emergency services, and discourage professors’ use of technologies to enhance lectures.

Despite many schools’ efforts to shore up data security, breaches appear to be an inevitable tradeoff for a connected campus. However, there are practical steps all universities (even those that haven’t been breached) can take now to streamline response and reduce reputational damage in the event of a data breach.

Create a university incident response team. Similar to an IT-specific incident response or crisis management team, there should be an organization-wide incident response team (IRT) that consists of a representative from IT, as well as representatives from legal, communications, finance, student services, research, admissions, human resources, and other critical departments. The IRT should lead implementation of the university’s organization-wide incident response plan (IRP).

Select outside legal, cybersecurity, and crisis communications counsel now. Don’t wait for a breach to occur before deciding which external advisors the university will work with during the incident and negotiating a service agreement. Not knowing who your counsel(s) will be will unnecessarily delay the breach investigatory and notification period and could subject the university to more legal risk. Advisors should be interviewed and selected early on so that they are familiar with the university’s needs and pressure points when an incident hits. Ideally, these advisors will help develop the university IRP and measure the IRT’s preparation for an incident through tabletop exercises and simulations.

Develop a data narrative. A university should be able to articulate what data it collects and why, where and how the data is stored, and who has access to this data. This “data narrative” helps build trust between the university and those whose data it collects. It can also be used to develop messaging materials – notification letters, talking points, press releases, etc. – for notifying affected individuals and regulators of a breach and communicating with media.

Conduct a data risk assessment. Work with an outside cybersecurity advisor to evaluate the university’s data systems and test network vulnerabilities. It’s critical that the university understands the value of its data and has guidelines for protecting this data from intrusion and securing data post-intrusion. A risk assessment and accompanying cyber insurance helps address this.

Good cybersecurity is more than just compliance with state and federal law. Universities must develop a culture of data security and privacy, and planning ahead is a critical first step.

***

Alex Bradshaw is a senior privacy and cybersecurity advisor at Brunswick Group, a global advisory firm specializing in data breach response and other business-critical issues. She can be reached at [email protected]

Image: “Computer Security – Padlock” by Blue Coat Photos  is licensed under CC BY-SA 2.0. The original picture was cut to 1200×545 for this blog.