Data Security and Higher Education

Educational institutions have historically accounted for a large share of reported data breaches, with substantial resulting losses. Taking steps to prevent these losses is essential. The complexity of academic culture and the importance of the free exchange of information and ideas mean that institutions of higher education face a more complicated data security situation than corporations do.

While enterprise data security systems are designed around the needs of businesses, colleges and universities must uphold the free exchange of ideas while keeping students’ private information secure and complying with many state and federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Sarbanes-Oxley Act (SOX), the Privacy Act of 1974 and others.

Risk Factors

Several common characteristics of university information systems put your institution at risk of a data breach:

  • To maximize usability, university network systems are often configured to allow multiple points of access.
  • Outsourced IT entities and other service providers (e.g., e-mail systems, financial aid disbursement or ID card management) may have direct access to the network, increasing potential exposures.
  • Decentralized departments disconnected from central IT operate independently and follow loosely defined privacy and security practices, increasing the risk to the parent organization.
  • Ubiquitous use of social networks by students leads some institutions to monitor behavior, which could create a duty of care to protect students from dangerous or criminal behavior.
  • Limited budgets and staff, which often means security tools (frequently free or open source) are deployed without the tuning, integration and ongoing monitoring needed to make them effective.
  • Research universities often have highly confidential or sensitive information stored on their systems, which could be a lucrative target for cyber attacks.
  • Universities that host clinical trials or other human subject research involving protected health information must also comply with the HIPAA Privacy and Security Rules.

Designing Reasonable Security

IT departments can take several steps to improve the security of university information systems. Increased security generally brings some inconvenience and reduced utility, which matters given the need to exchange information freely within the academic community. To maintain this balance, educational institutions should proactively take the following actions:

  • Establish a baseline for security and benchmark progress against it.
  • Be cognizant of how different departments are sharing information.
  • Govern the network activity of students, researchers, visiting professors and administrative staff through permissions, access control, defined roles and real-time monitoring.
  • Identify existing system vulnerabilities and prioritize eliminating these vulnerabilities.
  • Monitor and maintain systems continuously.
  • Automate security processes, and schedule routine tasks and reports to stay informed on performance.
  • Ensure that patches are implemented in a timely manner.
  • Conduct regular audits to ensure that policies are on track and identify irregularities or potential breaches.
  • Support auditing activities with real-time intrusion detection on critical systems.
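
The access-control and audit items above are governance steps. As an added illustration (not code from the original article), the Python below shows how they combine in practice: a deny-by-default role policy for a university records system, scoped so that a student can read only their own record and an outsourced financial aid provider sees only the dataset it services, plus an audit pass that replays recorded accesses against that policy to surface irregularities. The roles, permissions, user names and log records are all constructed assumptions, not real institutional data.

```python
"""Least-privilege access control with an audit check for a university records system.

Added example, not code from the original article: the roles, permissions and
audit records below are constructed for illustration.
"""
from dataclasses import dataclass

# Each permission is (resource_class, action, scope). Scope "own" limits the
# grant to records the principal owns; "any" is reserved for offices that need it.
ROLE_PERMISSIONS = {
    "student":              {("student_record", "read", "own")},
    "instructor":           {("course_roster", "read", "any"), ("grade", "write", "any")},
    "visiting_professor":   {("course_roster", "read", "any")},
    "researcher":           {("research_data", "read", "any"), ("research_data", "write", "any")},
    "registrar":            {("student_record", "read", "any"), ("student_record", "write", "any")},
    # Hypothetical outsourced provider: scoped to the one dataset it services.
    "financial_aid_vendor": {("aid_disbursement", "read", "any")},
}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset


def is_authorized(principal, resource_class, action, owner=None):
    """Deny by default: allow only if one of the principal's roles grants the
    (resource_class, action) pair, honouring the grant's scope. Roles that are
    not in the policy grant nothing."""
    for role in principal.roles:
        for granted_class, granted_action, scope in ROLE_PERMISSIONS.get(role, ()):
            if granted_class != resource_class or granted_action != action:
                continue
            if scope == "any" or (scope == "own" and owner == principal.user):
                return True
    return False


# Constructed audit records in a key=value format (not real log data).
SAMPLE_AUDIT_LOG = """\
2011-03-14T09:12:01 user=jdoe roles=student resource=student_record owner=jdoe action=read
2011-03-14T09:15:44 user=jdoe roles=student resource=student_record owner=asmith action=read
2011-03-14T10:02:10 user=rkhan roles=registrar resource=student_record owner=asmith action=write
2011-03-14T10:30:05 user=vendor01 roles=financial_aid_vendor resource=student_record owner=asmith action=read
2011-03-14T11:41:59 user=plee roles=researcher,instructor resource=grade owner=asmith action=write
"""


def parse_audit_line(line):
    """Turn one 'timestamp k=v k=v ...' record into a dict; roles become a frozenset."""
    timestamp, *fields = line.split()
    record = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    record["roles"] = frozenset(record.get("roles", "").split(","))
    return record


def find_irregularities(audit_log):
    """Replay each recorded access against the policy and return the records the
    policy would have denied. In a decentralised environment these are accesses
    that reached data through a path that bypassed central access control."""
    flagged = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        principal = Principal(rec["user"], rec["roles"])
        if not is_authorized(principal, rec["resource"], rec["action"], rec.get("owner")):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in find_irregularities(SAMPLE_AUDIT_LOG):
        print(f"{rec['timestamp']} DENIED-BY-POLICY user={rec['user']} "
              f"roles={','.join(sorted(rec['roles']))} {rec['action']} "
              f"{rec['resource']} owner={rec['owner']}")
```

Replaying the audit trail against the policy is the useful part: on the constructed log, the student reading another student's record and the aid vendor reading a student record are flagged, while the registrar's write and the instructor's grade entry pass. A flagged record usually means a departmental system or vendor reached data through a path that skipped central access control, which is exactly the irregularity the audit step is meant to find.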

In the Event of a Breach

While FERPA and the Fair and Accurate Credit Transactions Act (FACTA) do not mandate consumer notification in the event of a data breach, HIPAA’s Breach Notification Rule does require notice to affected individuals when unsecured protected health information is compromised, and many institutions of higher education are also subject to state breach notification statutes, most of which require prompt notice to affected individuals of any breach of personally identifiable information. Consult with an attorney to identify which statutes apply to your institution.

Plaintiffs in a negligence lawsuit must demonstrate that accepted standards of care were not met and that they suffered some form of direct harm as a result.

Contractual Allocation of Risk

Since a large portion of reported breaches is attributed to external partners, consultants, outsourcers and contractors, it is critical to determine the boundaries of liability when sharing confidential information for business purposes. Even commonplace outsourcing arrangements can lead to complicated chains of liability involving subcontractors. Take the following steps to mitigate risk:

  • Clearly define responsibility
  • Ensure proper precautions are taken when information is out of the control of the educational institution
  • Limit the contractual liability of the organization in the event of a data breach
  • Work closely with legal counsel and INSURICA to ensure that insurance requirements, contractual indemnities and your institution’s insurance policies work harmoniously

Your Insurance Policy

It is important to review your general liability and property policies to determine the extent of coverage for data breaches. Exclusions for data breach losses are common, as general liability carriers increasingly offer standalone network security and privacy policies instead. INSURICA can help you determine what, if any, additional coverage is needed to effectively protect your institution from data breach liability exposures.

This article is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2011 Zywave, Inc. All rights reserved.

About the Author

INSURICA
