Michigan State University's announcement earlier this month that hackers had gained access to a university database of about 400,000 records highlights why colleges and universities are such tempting targets for hackers and just how important it is to prepare for a data breach.
Reports indicate that the university discovered the breach on Nov. 13 when a ransom demand was made for stolen data. This demand allowed the university to identify the breach and quickly take action, limiting the hacker's access to only 449 records. And while those records included the names and social security numbers of students and staff, they did not include full academic, financial, or health records, according to the university.
Affected individuals are being notified and offered credit monitoring and other services. While the number of records involved is small, the cost to the university likely will not be. A recent study sponsored by IBM found that a data breach costs larger-sized organizations nearly $7 million on average.
This is Michigan State's second data breach this year and its third significant incident since 2012, according to cyber security blog Security Affairs. In October hackers stole and posted on the website Pastebin the user names, logins, phone numbers and email addresses for individuals in the university's system.
A similar ransomware breach was announced on Dec. 1 at Carleton University in Canada. Details about that breach are still emerging, but early indications are that the university will be able to restore its systems without paying ransom. According to privacyrights.org, there have been over 800 data breach incidents at educational institutions and 15,000,000 records breached at educational institutions since tracking began.
These events highlight the increasing prominence of ransom demands in cybercrime. Cybercriminals are shifting focus away from mass theft of payment card information and personal data – usually from large retailers and insurers – and are turning their focus to smaller, data-dependent entities where stolen data or entire IT systems can be held hostage.
In light of these trends, educational institutions can expect to see increasing threats from cybercriminals and, in turn, increasing legal response obligations. As such, it is critical for colleges and universities to have in place detailed data breach response plans developed in consultation with highly qualified cybersecurity professionals, including legal counsel.
An experienced data management and cybersecurity attorney will advise on:
- Creation of a Data Breach Response Team
- Training and table-top exercises for board of directors and other key personnel
- Identifying the organization's statutory data privacy obligations and the notifications required in case of breach
- Identifying and managing the scope of data protection obligations under non-disclosure agreements and other contracts with third parties
- Ensuring that appropriate data protection and cyber security clauses are included in vendor contracts
- Assessing cyber insurance policies, terms and exclusions
- Managing internal investigations of breaches, with an emphasis on maintaining attorney-client privilege for communications during those investigations
- Managing investigations by regulatory agencies, including the Office of Civil Rights in the Department of Health and Human Services (HIPAA), state attorneys general, and the Family Policy Compliance Office of the U.S. Department of Education (FERPA)
Cybercriminals have an unfair advantage over their victims: it takes only one mistake for cybercriminals to get into a system, while victims must protect against all vulnerabilities. But thoughtful planning and vigilance can dramatically limit how much damage cybercriminals cause when a breach occurs.