Each time a major retailer, credit bureau or healthcare provider experiences a significant data breach, even the experts in cybersecurity circles wonder, “What could be worse than that?” According to the IT security experts at Logicalis US, there’s a simple two-word answer: Higher Education.
“There is an urgency among the CIOs and CISOs of colleges and universities across the country to shore up their IT security measures very quickly,” says Adam Petrovsky, GovEd Practice Leader, Logicalis US. “Because of the sensitive nature of the information universities possess, when they are not adequately protected, it’s like they’re waving a red flag for cybercriminals saying, ‘This is the best data – come and get it.’”
Storing an assortment of data
The chief problem for institutions of higher learning is that they gather and store very diverse kinds of data – including everything from medical information to financial and credit card data – on both the student and their parents. And, of course, there are transcripts and disciplinary records, class schedules and emergency contacts as well.
Colleges are also running bookstores and restaurants and infirmaries, which means they are responsible for complying with at least five major privacy-oriented regulations including the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Children’s Online Privacy Protection Act (COPPA), the Payment Card Industry Data Security Standard (PCI DSS), as well as a host of state-by-state regulations regarding data breach notifications. In fact, experts estimate that, through a single incident, a college or university could be forced to contend with as many as 100 different breach notice laws.
Trouble enforcing compliance
Unlike enterprise organizations that can both limit access to sensitive or encrypted data and can often remotely wipe clean a device that provides that access if it is lost or stolen, universities are unable to enforce that level of compliance among their student bodies.
For institutions of higher learning, this presents more than an IT – or even a legal – conundrum. Since colleges and universities attract professors, students and donors based on their reputation, a single breach can also impact the school’s personnel, enrollment and bottom line. Today, Logicalis GovEd and IT security experts agree, the industry is at a tipping point; it’s no longer a question of “if” a university will be breached, it’s a question of “when” – and whether or not the school’s response will be adequate.
And it can happen to any school at any time. UCLA, for example, reported a potential breach of 30,000 student records when a hacker broke into a server containing students’ personal data this year. Last year, at Michigan State University, someone breached a database of approximately 400,000 records containing names, social security numbers, MSU identification numbers and other important personal information; the university determined that 449 records had been accessed before authorities were able to take the files offline just 24 hours after the incident occurred.
Earlier this year, when the IRS discovered a data breach involving its IRS Data Retrieval Tool – an online tool used to complete the Free Application for Federal Student Aid (FAFSA) – it revealed that as many as 100,000 taxpayers may have had their personal information compromised. In the IRS incident alone, the agency suspects that nearly 8,000 fraudulent returns were processed, resulting in a loss of approximately $30 million. A striking 52,000 fraudulent or suspicious returns were flagged by IRS filters and 14,000 illegal refund claims were stopped.
In higher education, data breaches are estimated to cost about $300 per student record. But the costs for colleges and universities is much higher than the actual dollar amount. According to consumer studies, 94 percent believe the organization itself is solely to blame for the breach.
As many as 62 percent of those queried said being notified of a breach would lower their trust and confidence in the college or university. And perhaps most surprising, 39 percent of respondents said they would consider terminating their relationship with the school, while 15 percent said they actually would terminate their relationship with the organization entirely.