Colleges and universities are increasingly falling victim to information security breaches and data exposures. According to the Privacy Rights Clearinghouse, more than 1.5 million records were exposed in the 84 breaches disclosed by educational institutions in 2012. In 2013, we saw big data breaches at a range of higher learning organizations, including the University of Maryland, Indiana University and Johns Hopkins University.
No college or university is immune, regardless of size. What was once an occasional problem is now something that happens with startling regularity, and higher learning institutions may soon view privacy breaches as near-certain events. Thoughtful planning and effective resource deployment are crucial to stem the tide.
Each industry faces unique challenges in managing the security and privacy of the information it possesses. The open, collaborative environment of most colleges is often counter to the control required for proper treatment of confidential information.
The systems and network assets used by students and faculty often evolve over time. For example, computers and servers used to store enrollment information can be set aside after a class ends. Later, they can be put back into service without being cleaned, exposing legacy data to the entire student and faculty population, or worse, the internet.
Because data assets may be managed by individual students or faculty outside of a records or information management program, colleges have a difficult time keeping track of the type and amount of sensitive data they hold. The range of information collected by and stored within these systems not only encompasses current students and faculty, but also applicants, administrative staff, alumni, collaborators, research and project participants, vendors and even parents.
In many cases, “consumer data” is lurking in the environment without adequate protection. Student applications necessarily contain personally identifiable information as part of the admission process. As students and their parents pay tuition, housing and meal costs, payment card information is processed through the university’s systems. Students who visit a campus health center will have their personal health information stored in their medical records.
Educational institutions housing intellectual property and research projects often produce massive amounts of information, some of which include data on research subjects and participants. Collaborations may bring in datasets that involve commercial partners or government entities. Each type of data should be deliberately managed according to state, local, federal or contractual requirements to avoid the damage caused by a data breach.
Analysis of a Breach
This open-system architecture may have contributed to the data exposure one university discovered in 2012. Unencrypted files containing the personal records of about 1,000 current and former faculty members and 100 students were stored on a public server and accessed outside the university. The server that was compromised was meant for faculty to use for storing and sharing course information. Because the server was designed to distribute information freely, it was not configured with security in mind. Grades, along with names and Social Security numbers, were among the data included on the exposed server. Information on the affected faculty members was similar, but also included birth dates, employment records and compensation data.
This is a classic example of how well-intentioned practices can easily expose sensitive data in an environment that is as open as those found at most educational institutions.
Know What You Have
Because the systems within a college environment are dynamic and inherently open, a thorough audit should be conducted to discover personally identifiable information, personal financial information and payment card information. An inventory of all data assets is integral to the due diligence process. Implementing appropriate information governance, security and data privacy protocols for different datasets is only possible if an institution first knows what information needs to be managed. With the most sensitive data identified, it can then be given the highest levels of protection. Lower-priority information can also be safeguarded appropriately. This task is not as daunting as it sounds, as software tools exist to automate the discovery process. This practical and cost-effective approach enables universities to deploy data risk-mitigation tools to greatest effect.
A formal information management program should exist so that new datasets can be reviewed for sensitivities and managed while they are in use. Equipment that is being decommissioned should be scrubbed of protected information. Sensitive data should have an “owner” who is responsible for protecting the information while it is in use and, when expired, ensuring proper disposal.
Communicate With Users
The number of individuals who access the system presents another challenge for universities. Student, faculty and collaborator turnover is inherently high. Students are not meant to stay in school forever and research or other projects have defined start and stop dates. This makes for a dynamic user base that requires diligent execution of a well-defined protocol for promptly granting and revoking access. Administrators should also conduct periodic audits of network access to catch any errors or oversights that leave access in place after a student, contractor or guest has left the institution.
It is critical to have a thoughtfully designed and well-communicated acceptable-use policy, and to train anyone allowed access to the network. Faculty, administrative staff and students are often well-served by training that begins during onboarding or registration and is reinforced with frequent, concise reminders throughout the year to keep expectations “top of mind.”
Vendors or other external partners should also be clear on expectations for maintaining the security of sensitive information. Not only should contractual language formalize the requirements, but training needs to be conducted before issuing network login credentials.
Anyone with access to the university’s systems should get regular refresher courses, and all affected users should attend follow-up training any time a significant change is made to the system, such as the addition of new functionalities or implementation of multi-step authentication.
Fortunately, most colleges do not require elaborate security measures to protect the majority of sensitive data. The most effective components of an information security program are baseline measures that can be easily understood. It is a common best practice to require strong passwords that must be changed at least twice per year and that, if guessed incorrectly more than a few times, lock the account. Two-factor authentication and encryption tools, which are often free and do not require advanced technology skills, add another level of protection.
The IT department does not read every document on the server, so they cannot possibly be expected to prevent data exposures single-handedly. Those who create, receive, use and store such information must be engaged in a program that inventories and manages the use of and access to sensitive data.
Create a Written Information Security Plan
Part of a proactive approach to data risk management is the creation of a written information security plan (WISP), a document that outlines data security methodologies for the organization and gives users insight into their role in data protection.
The methods of data intake, storage, access and disposal are all considered in developing a WISP that addresses how, at each point, sensitive, protected or confidential information is identified and secured. Permissions for access to each dataset are defined along with the technology safeguards employed. It is important to note that a WISP addresses technological, physical and administrative measures. Information security is not only IT’s responsibility. IT certainly plays a significant role in securing information and managing the privacy of protected information, but a proper program must also include policy and procedural controls that address legal requirements, physical security requirements, training and information governance.
Because new threats emerge and protective strategies evolve, the set of defenses in use at a particular institution will change over time. The WISP should be updated regularly to ensure it remains effective. It is one tool of many to help higher education organizations document philosophies and expectations around data protection.
Have an Incident Response Plan
Complementing the WISP is the incident response plan, a document that outlines steps to take if a data breach is suspected or occurs. It clearly states who is responsible (an individual, department or team) for each action. Dependencies among teams are outlined, and the full plan is communicated and practiced so every person can operate calmly and decisively in the event of a data breach.
An incident response plan should also include a list of vendors likely to be needed or involved in a breach, along with contact information and pertinent contract details, such as response times or responsibilities in the event of an incident. This enables the university to engage external support as quickly as possible. Ideally, vendors should be involved in incident response drills and negotiate contracts or retainers for resources such as forensics, data breach notification and resolution. You do not want your team to meet for the first time on “game day.”
While some activities and resources will be unique to the college and the type of exposure, all organizations share some common requirements. Letters are often necessary to notify impacted individuals, and media releases are typically beyond the capabilities of internal resources. To the extent possible, these elements should be prepared ahead of time, and incident response drills need to be practiced to allow a quick and effective response should a breach be reported.
Effective Breach Response
In the previous example, data was stored in an insecure location for a number of years before the college became aware of the situation. This is surprisingly common. Research conducted by Verizon revealed that two-thirds of data exposures exist for months or even years before being discovered. It is critical to spot and address a breach quickly.
An effective breach response is crucial in mitigating potential harm for those affected by the exposure, as well as for the organization. A college may sustain significant reputation damage from a breach. First, the factors that allowed the breach to occur must be identified and resolved as quickly as possible. Compliance with breach notification laws and any requirements for insurance coverage should be attended to immediately. Care must be taken so that incomplete or inaccurate information is not communicated prematurely. After resolution, review existing security protocols in light of what was learned during the event, and update the WISP accordingly. Faculty, staff, students, collaborators and vendors may need updated training, and ongoing education around cybersecurity issues is one of the best ways to raise awareness of the issues and risks on campus.
Another vital facet of any breach response is the mitigation of harm. Assistance will vary depending on the type of data compromised, but may come in the form of credit monitoring, access to fraud resolution experts, and other tools that help individuals limit potential identity theft or resolve identity theft that occurs as a result of the exposure. Universities that experience a breach should also consider using a call center for victims to contact to ask questions or seek additional information. A letter may meet a legal requirement for notification, but human beings often feel more comforted talking to a knowledgeable, empathetic person. Additionally, the technical language mandated by a notification law is often unclear to recipients who are unfamiliar with legal terms, data breach impact and the risk of identity theft.
A mixture of thoughtful data protection methodologies and proactive response planning can enable higher learning institutions to better identify and secure data and mitigate damage from a breach. The process of forming the WISP and incident response plan is a key exercise, and proves far more educational and valuable than simply creating a document from a template and posting it on an intranet. The WISP and incident response plan are like a fire safety plan: they need to be developed by someone with experience who is working with the institution to customize, communicate and practice the plans. This helps ensure that, in an emergency, decisions are not born of panic. It will also reduce the immediate impact and the risk of reputational harm, litigation, fines and other financial damages.