Educational institutions hold an extraordinary amount of personally identifiable, health and financial data on students, faculty, donors and employees. At the same time, these institutions (especially K-12 schools) have traditionally been slow to adopt new cyber safeguards. That combination has made the education sector an attractive target for cybercrime such as phishing, cyber extortion and other social engineering schemes. An institution's open network structure, with many user groups and many points of entry, adds to the ongoing threat.
Recent Education Data Breaches
Data breaches are hitting organizations of every type so frequently that it is hard to keep up. Below are some notable recent breaches in the education sector:
- The Georgia Institute of Technology (Georgia Tech) was breached by an unknown outside attacker through a web application. The breach exposed information on up to 1.3 million current and former faculty members, students, staff and applicants (via WSB-TV).
- Washington State University agreed to a $4.7 million settlement after a hard drive containing the personal information of more than a million people was stolen (via the Seattle Times).
- A phishing attack at Augusta University Health gave an unauthorized user access that may have exposed sensitive health and personal information of about 417,000 people, including patients across Georgia (via the Atlanta Journal-Constitution).
The problem is not limited to higher education. According to the K-12 Cybersecurity Resource Center, there were at least 122 publicly disclosed cybersecurity incidents affecting K-12 schools across the nation in 2018, an average of one incident every three days.
Social Media and Cyberbullying
Beyond the exposures within their own IT systems, education institutions face attackers who exploit the explosive growth of social media to target students' personal information. Often, that data is harvested through malware or phishing lures delivered via social networking sites.
Education institutions also face growing concern over interactions between students outside campus boundaries. Cyberbullying, the intentional, aggressive and often anonymous torment of a person through social media and other online platforms, is on the rise and has in many cases been linked to depression and suicide among students. An institution that fails to adequately protect its students, or even its faculty, may find itself exposed to liability and costly litigation.
Compliance and the GDPR
All 50 states and the District of Columbia have now enacted data breach notification laws. These laws set the timing of notification to affected individuals, whether civil or criminal penalties apply and, in many states, whether a private right of action is permitted. Many states also require notification to the state Attorney General and may mandate that credit and/or identity monitoring services be provided. To complicate matters further, a single breach can subject an institution to the notification laws of many different states, because the applicable law generally follows the residence of each affected individual. With such a myriad of notification requirements, it is important for the administration to have a clear understanding of its compliance responsibilities before an incident occurs.
Additionally, institutions that handle the personal data of individuals located in the European Union (through enrollment, distance education, alumni or donor relations, research studies, etc.) may be subject to the complex compliance requirements of the General Data Protection Regulation (GDPR), regardless of where the institution itself is based.
Addressing Cyber and Privacy Concerns in Education
In light of these risks, what can educational institutions do to protect themselves? According to Fred H. Cate, Professor and Director of the Center for Applied Cybersecurity Research at Indiana University, there are several practical steps a college should take to address the risks that contribute to cyber liability:
- Make an institutional commitment to taking privacy and security seriously.
- Put in place practical tools to achieve this goal.
- Agree that data will be used, shared and retained only for a clear purpose, consistent with institutional policies.
- Designate appropriate leadership to monitor and enforce the policies implemented.
Managing cyber exposures also includes contractual allocation of risk (for example, with vendors that host or process institutional data) and a comprehensive cyber liability insurance policy designed to cover the exposure. A cyber liability policy can be structured to cover the costs of managing a data breach as well as defense costs in the event of a lawsuit by a government agency or a private party. Institutions should also review the breach response services available to them as policyholders so they can engage those services immediately when an incident occurs. Being "cyber ready" has never been as important as it is today.
Finally, RCM&D recommends that all organizations take a risk management approach to cyber liability, including developing adequate training programs for faculty and students. Contact a trusted RCM&D advisor to learn more about cyber and privacy insurance and risk management solutions designed specifically for educational institutions.
Cyber Liability and Privacy was ranked as one of the top risks for education institutions in the RCM&D report 2019 Outlook: Top Risks for Education Institutions.