Protecting Your School from Cybercrime and Inadvertant Data Breaches

By Michelle Hon Donivan, Partner, Duane Morris, LLP

Data security breaches are practically a daily occurrence. Indeed, cybersecurity threats have become so prevalent that cyber security experts and U.S. Attorney General, Eric Holder, say that there are two types of companies in America, those that have been hacked and those that do not know they have been hacked. Educational institutes are particularly at risk. As explained by the Department of Education: “Computer systems at colleges and universities have become favored targets because they hold many of the same records as banks but are much easier to access.”¹

Cybersecurity is not simply an information technology (IT) problem. Prevention and detection technologies such as firewalls and antivirus products alone are not sufficient to protect companies from hackers. Additionally, only a small portion of the data breaches experienced by the education sector were the result of hacking or other cyberattacks. Almost half were a result of non-technical issues such as human errors (inadvertent data breaches by sending information to the wrong recipients or failing to properly dispose of sensitive records), insider misuse, and physical theft or loss.² Thus, schools must have comprehensive cybersecurity programs in place that address both cybercrime and inadvertent disclosures.

This article examines the high cost of cybercrime and other data breaches, summarizes the legal landscape and obligations imposed on schools, suggests steps that schools can take to mitigate their risk, and discusses what to do if a breach occurs.

Impact of breach on schools

In the past 10 years there have been over 750 publicly announced breaches at educational institutions, involving more than 14.7 million breached records.³ These numbers understate the problem as they merely reflect the breaches that were publicly reported. The actual number of institutes affected by a breach is significantly higher since only the largest breaches are typically publicized. Moreover, many educational institutions may not even be aware that they have been compromised.

The financial impact for victims of a breach is significant. The average total per-incident cost of a data breach in 2014 was $5.9 million.⁴ Notably, this average excludes the headline-worthy breaches where over 100,000 records were compromised. The average cost per compromised educational record was $294.⁵ In addition to the financial costs, companies suffer harm that is difficult to measure, such as damage to reputation and loss of consumer trust.

Legal obligations

Despite the fact that companies are also victims of cybercrime, state and federal governments continue to put the onus on companies to take reasonable measures to protect consumer data and thwart cybercrime. The laws and regulations vary by state and business sector, but may include obligations to take reasonable measures to protect sensitive information, to properly dispose of records that are no longer needed, and to notify affected students and government agencies in the event of a qualifying breach. These laws apply whether the breach was caused by a cybercrime or an inadvertent disclosure. Specific laws and regulations applicable to schools are discussed below.

FERPA /Department of Education
The Family Educational Rights and Privacy Act (FERPA) applies to all schools receiving Title IV government funding. While FERPA does not expressly address cybersecurity per se, it does prohibit the improper disclosure of personally identifying information obtained from student records without consent (with a few limited exceptions). A breach may be treated as an unauthorized disclosure, particularly if adequate security measures are not being used. In the event that there is a data breach and personally identifying information is disclosed, FERPA requires that the school record such disclosure. The U.S. Department of Education has stated that FERPA does not require a school to issue a direct notice to the affected students; however, the school must record the disclosure so that a parent or student will become aware of the disclosure during an inspection of the student’s record.⁶ Senators Edward J. Markey (D-Mass.) and Orrin Hatch (R-Utah) introduced the Protecting Student Privacy Act of 2014 in July 2014, seeking to amend FERPA to include additional privacy provisions and safeguard requirements. The bill was referred to Committee and seems to have lost momentum. However, we expect to see continued efforts to modernize FERPA to address the growing cybersecurity threats.

Gramm-Leach-Bliley Act (GLBA) and Safeguards Rule
The Gramm-Leach-Bliley Act places an affirmative obligation on financial institutions to explain their information sharing practices and to safeguard sensitive information. The scope of what is considered a financial institution under the GLBA is very broad, and includes businesses that are not typically described as financial institutions. Because “financial institution” is so broadly defined, there is a high likelihood that schools will fall within the definition and be subject to at least some of the provisions of the GLBA. For example, the definition includes any institution that is engaging in financial activities, such as lending, exchanging, transferring, investing for others, or safeguarding money or securities (as well as a litany of other financial activities). The Federal Trade Commission (FTC) has made it very clear that it considers colleges and universities to be “financial institutions” under the GLBA because of their lending activities: “the Commission disagrees with those commentators who suggested colleges and universities are not financial institutions. Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers.”⁷

The FTC issued two sets of regulations under the GLBA that potentially apply to schools: (i) the Financial Privacy Rule⁸ and (ii) the Safeguards Rule⁹. Because educational institutions are prohibited from disclosing personally identifying information without consent, schools are deemed to be in compliance with the Privacy Rule if they are compliant with FERPA.¹⁰

The Safeguards Rule requires institutions to develop, implement, and maintain a written, comprehensive information security program that contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the company, the nature and scope of its activities, and the sensitivity of any customer information at issue.¹¹ The program must meet the following three objectives: (i) insure the security and confidentiality of consumer information; (ii) protect against any anticipated threats or hazards to the security or integrity of such information; and (iii) protect against unauthorized access to or use of such information. The FTC published guidelines for complying with the Safeguards Rules, which are available on the government website.¹²

State Laws

State cybersecurity laws fall into three categories: (i) breach notification; (ii) reasonable security measures; and (iii) proper destruction of consumer records containing personally identifying information. All but three states have a law that requires a notice be provided to consumers in the event that personally identifying information is disclosed without authorization. The definition of “personally identifying information” varies by state, but typically relates to the disclosure of a person’s first and last name in combination with a Social Security number, driver’s license or state identification card number, or account, credit card or debit card information with the code needed to access the account. Some states require that a risk of harm analysis and only require notice if there is a reasonable likelihood that the information will be misused. In some states, no notice is required if the information was encrypted. In certain states, you may also have to send notice to the Attorney General or other state agency, in addition to the notice to affected consumers. It is important to note that the law of the state where the consumer resides will apply. Thus, multiple and potentially conflicting state laws may apply.

A couple of states have laws that require companies who collect personally identifying information to take reasonable security measures to protect that information from unauthorized disclosures. What is considered “reasonable” is not defined and will depend on the size and complexity of the company, the nature and sensitivity of the information, and the technology that is reasonably available at the time.

Finally, some states also have laws that require that consumer records containing personally identifying information be properly destroyed. This generally means shredding paper documents and ensuring that hard drives, laptops, and other electronic devices are appropriately sanitized or physically destroyed so that the information is no longer accessible.

Cybersecurity recommendations

There is no one-size-fits-all cybersecurity program. Each school needs to go through its own assessment and analysis to develop a program that is appropriate based on its particular situation. Below are a few recommendations to consider.

• Designate an information security officer. This person will be responsible for creating and managing your cybersecurity policies. This generally will be someone from your IT department. If you do not have an in-house IT department, then it should be someone from your organization that has the capacity and knowledge needed to understand your systems and processes.
• Perform an initial assessment. The initial assessment is an important starting point in creating a cybersecurity plan. The assessment typically involves identifying what sensitive information the school possesses, how is it stored, how is it accessed, who has access to the information, who really needs access to the information for valid business purposes and how and to whom the data are transmitted.
• Develop, maintain, and enforce policies and procedures. After the initial assessment, it is time to start developing policies and procedures to protect sensitive information. These policies and procedures should include policies for managing access to the data, physical and technical security measures, and employee training on the policies at all levels of the organization. Each is discussed in greater detail below.
• Access management. The fewer people who have access to the information, the lower your risk of exposure. Access should be limited to necessary personnel. Each person with access should have his or her own unique user ID and password.
• Technical security measures. Again, there are no standard one-size-fits-all technical measures. What may be reasonable for a large, publicly traded school is likely going to be unfeasible for a small, single campus school. Speak with a security professional about which options are right for your school. A nonexclusive, exemplary list of examples of technical solutions are set forth below.
  • Implement firewall and antivirus programs and update them on a regular basis.
  • Install network and computer patches and updates without delay.¹³
  • Change factory default passwords and settings on all Internet-connected devices.
  • Passwords should be strong and changed frequently. Avoid weak passwords such as “password” and “123456.”
  • Encrypt sensitive data on servers and in transit.
  • Restrict USB, CD burner, and printer functions to key personnel to limit misuse by employees.
  • Track and monitor access to the network and student records.
  • Block employee access to high-risk sites such as cloud storage, social media, and personal email sites.
  • Implement intrusion detection systems to detect and deter hacking attempts.
• Physical security. Physical security measures should be applied to the school servers as well as laptops and other mobile devices. This includes limiting physical access to computers and servers. To the extent that you still maintain hardcopy files, be sure that they are also physically secured with limited access to key personnel. Consider limiting use of portable technology to key personnel. These devices pose a security risk if they are lost or stolen.
  

  If portable devices are used to access or store any sensitive information, make sure that such devices are password protected, have updated antivirus software, and consider using GPS and remote disabling technology to ensure that the information will not be accessible if the device is lost or stolen.

• Training/awareness. Cybersecurity needs to be ingrained as part of the school culture. Be sure to train employees on all levels throughout the organization on your cybersecurity policies. Consider implementing a cybersecurity awareness program to train employees on cybersecurity risks and prevention. Sample awareness programs and materials are available from a variety of public sources to get you started.¹⁴
• Create a record retention/destruction policy. Develop and implement a document retention and destruction policy and make sure to properly implement data disposal procedures. The Department of Education has published recommendations for best practices for educational institutes.¹⁵
• Regularly test security systems and procedures. Schedule routine testing to make sure that your technical, physical, and administrative systems and procedures are in place and working properly.
• Develop a data incident response plan. Develop an incidence response plan that outlines the steps needed in the event of a breach. Train all employees on the plan. This will ensure that timely action is taken to address the breach and mitigate damage.

What to do when your school experiences a cybercrime or other breach

Act quickly but cautiously. Time is of the essence when it comes to data breaches. It is important to immediately contain the incident and mitigate the harm. Additionally, state notification laws typically require that notice to consumers be sent out within a short period of time after discovering the breach. At the same time, you have to ensure that the evidence is preserved and that all legal requirements have been satisfied. Below are steps to consider when a breach occurs.

• Engage legal counsel. Contact your attorney immediately in the event of a breach. It is important to hire legal counsel to handle data security breaches in order to protect the confidentiality of the resulting internal and forensic investigation through the attorney/client privilege, to assure compliance with the myriad of state breach notification laws, and handle any resulting litigation and/or regulatory scrutiny.
• Contain the incident and mitigate the threat. With the help of legal counsel and an information technology expert, contain the incident to ensure that additional records are not breached.
• Safeguard evidence. It is important to preserve the evidence of the breach incident. Do not destroy evidence or try to fix anything without consulting an expert.
• Conduct an investigation. Assemble your team and determine the cause of the data breach. The team members will vary based on the nature of the breach (technical versus employee misuse, etc.). Your team may include your attorney, a security consultant, one or more company officers or directors, a representative from IT, a representative from human resources, and/or a communications coordinator.
• Notify law enforcement (if appropriate). It may be prudent to contact law enforcement in the event that there has been a crime committed. Consult with your attorney to determine who should be notified (if anyone).
• Send notifications (if appropriate).
  

  If the breach constitutes a notifying event, you may need to send written notice to the affected consumers, attorneys general, and/or other agencies. The requirements of the notice vary by state.

  Consult with your attorney to determine whether notice is required, and if so to determine the required contents of the notice and to whom the notice should be sent.

• Take corrective action. Finally, take corrective measures to ensure that the cause of the breach has been addressed and corrected. This may include additional technical measures, change in policy or procedure, and/or additional education and training.

Conclusion

When it comes to data breaches, security experts universally say that it is a matter of when a breach will occur, not if it will occur. Schools need to have a robust cybersecurity program in place to address this eventuality and in some cases, to comply with the law.

References
¹ Family Educational Rights and Privacy; Final Rule, 73 Fed. Reg. 74806, 74843 (December 9, 2008).
² 2015 Data Breach Investigations Report (DBIR). (n.d.). http://www.verizonenterprise.com/DBIR/2015/
³ Chronology of Data Breaches | Privacy Rights Clearinghouse. (n.d.). http://www.privacyrights.org/data-breach
⁴ Cost of Data Breach Study. (2014). Ponemon Institute.
⁵ Cost of Data Breach Study. (2014). Ponemon Institute.
⁶ 34 C.F.R. § 99.32(a)(1).
⁷ Privacy of Consumer Financial Information; Final Rule, 65 Fed. Reg. 101, 33648, May 24, 2000.
⁸ Officially titled Privacy of Consumer Financial Information, 16 C.F.R. § 313.
⁹ Officially titled Standards for Safeguarding Customer Information, 16 C.F.R. § 314.
¹⁰ Privacy of Consumer Financial Information; Final Rule, 65 Fed. Reg. 101, 33648, May 24, 2000.
¹¹ 16 C.F.R. § 314.
¹² Federal Trade Commission | Protecting America’s Consumers. (n.d.). www.ftc.gov.
¹³ In 2014, 99.9 percent of the exploited vulnerabilities had been compromised more than a year after the vulnerability was published. Patches and updates address these known vulnerabilities.
¹⁴ Center for Internet Security – Multi-State Information Sharing and Analysis Center. (n.d.). https://msisac.cisecurity.org/resources/toolkit/; Homeland Security. (n.d.) http://www.dhs.gov/stopthinkconnect-toolkit; Awareness, Training, & Education (ATE). (n.d.). http://csrc.nist.gov/groups/SMA/ate/
¹⁵ Best Practices for Data Destruction. (n.d.). http://ptac.ed.gov/document/best-practices-data-destruction.

Michelle Hon Donovan is a Partner at Duane Morris, LLP. She has a national practice in the areas of intellectual property law, cyber law, and technology transactions. Ms. Donovan’s practice is largely focused on the career college sector and the specialized legal issues that arise for schools in the sector, including issues related to the protection of student records, privacy, online marketing and lead generation, trademarks, copyrights and domain names.

Contact Information: Michelle Hon Donovan // Partner Duane Morris LLP // 750 B Street, Suite 2900 San Diego, CA 92101 // Phone: 619-744-2219 // Fax: 619-923-2967 // MHDonovan@duanemorris.com