Cyber Liability: Combating Data Breaches at Educational Institutions
Several high-profile data breaches at universities have made headlines in the last couple of months. There was a large breach at the University of Maryland where the records of 309,079 staff, student and graduate records were compromised. Indiana University also reported that a staff error had left information on 146,000 students exposed for 11 months. A week later, the North Dakota University system reported that a server containing the information of 291,465 former, current, and aspiring students and 784 employees had been hacked. And at the University of Northern Iowa, an investigation was underway of a possible data breach after some employees reported being the victims of tax fraud.
These examples represent but several of the hundreds of educational institutions across the country that have experienced security breaches over the past few years. According to the Identity Theft Resource Center, a non-profit based in California, there were more than 50 data breaches at universities, colleges, and K-12 schools in 2013 alone that involved names, Social Security numbers, driver’s license numbers, medical records, or a financial record or credit card information. Furthermore, data breaches in higher education cost colleges an average of $111 per record—a figure that calculates in the damage to the institution’s reputation—according to a 2013 study published by the Ponemon Institute, which studies cybersecurity and data protection.
Why are educational institutions at greater risks of cyber attacks? One reason is the open information technology architecture found at universities. A July 2013 study conducted by Halock Security Systems indicates that of the 162 institutions investigated, including Big Ten, Ivy League, community colleges and technical institutes, more than 50% allow for the transmission of sensitive information over unencrypted, unprotected email. Moreover, according to Halock, smaller community colleges are at a greater risk, as they have less capacity to store data well and a lot of students. And while smaller colleges have more instances of breaches, the bigger colleges tend to get more detrimentally hit, says Halock.
What’s more alarming is that few institutions budget in advance for data breaches, according to college officials and data-security professionals cited in an article in The Chronicle of Higher Education, an on-line publication. Cyber liability insurance in higher education, says the article, remains a rarity, despite a consensus among those working in the field that the likelihood of such a breach involves “when,” not “if.” Yet without the appropriate coverage the cost to an institution can be staggering financially and damaging to its reputation.
Cyber liability insurance is designed to provide cover for expenses related to a breach. This can include the costs for forensics consultants to pinpoint the cause of the breach, call centers and mailings to contact affected parties, identity-protection and credit-check services, and litigation. According to the Chronicle, Indiana University has spent about $75,000 on an information call center since officials announced its security lapse in February. The university also spent about $6,200 mailing notifications to 6,200 affected people for whom it did not have email addresses. The North Dakota University system says it’s spending about $200,000 on identity-theft protection services and a call center. Moreover, costs related to data-security lapses dating to 2011 at the Maricopa County Community College District, in Arizona, could climb to $17.1 million, according to Tom Gariepy, a district spokesman. The Chronicle article cites that trustees for Maricopa County Community College have approved contracts including $2.25-million for Oracle to repair the network, up to $2.7-million in legal expenses, and up to $7-million for notification and credit-monitoring services, among other costs. The district has also received notice of a class-action lawsuit.
Cyber attacks at educational institutions don’t only involve data breaches. Intellectual property and proprietary research is at risk as well, furthering underscoring the need for insurance and strong risk management strategies. Caitlin Morgan specializes in providing educational institutions with a comprehensive insurance program, and can help you offer a solution to address the various exposures universities, colleges, private and public schools face. Give us a call at: 877.226.1027.
Sources: Identity Theft Resource Center, Ponemon Institute, The Chronicle of Higher Education