The Data Dilemma
Universities are information-rich environments - and not just in the academic sense. Year by year, students apply, attend and graduate, repeatedly filling out exhaustive forms. Their families provide extensive filings to qualify for financial aid. Professors come and go, some staying to earn tenure, others visiting on temporary assignment, providing detailed personal information along the way.
The personal data for all of these people is captured and stored - and all too frequently escapes into the hands of unauthorized users. In fact, the Identity Theft Resource Center found that educational institutions accounted for 20 percent of all reported data breaches in 2008.
In an era of escalating identity theft and fraud, universities need to be proactive, not only about protecting data but also about protecting themselves, staff, faculty and students from the expensive aftermath of breaches. One way to do that is to work closely with insurers, both to take advantage of risk control services and to put in place policies that provide an effective safety net. These can range from sophisticated cyber liability insurance for the university to low-cost, high-value identity fraud expense reimbursement coverage for employees and students.
The threat to data can come from many directions, as the Privacy Rights Clearinghouse chronology of data breaches makes clear. Of the 264 data breaches listed for the first six months of 2010, 33 involved educational institutions. The source of these data breaches ranged from hackers and inadvertent Web postings to employee carelessness and poor contractor oversight.
Among the examples on the Privacy Rights Clearinghouse list was a public university in Georgia, which reported that hackers breached a server that held the personal information of approximately 170,000 students and faculty. Similarly, hackers gained access to a database at an Iowa institution that held 93,000 records for applicants, current and former students, parents, current and former faculty and staff, alumni and donors dating back to 1987. In Pennsylvania, a university notified more than 40,000 people that a computer with access to a database containing their information was found to be communicating with a botnet, a network of compromised computers that attackers control remotely through malicious software installed on each one.
While hackers are top-of-mind for most people when they hear about data breaches, human error is more often the source. A 2007 study by the University of Washington in Seattle of 550 security breaches found that the majority (61 percent) were due to mistakes such as inadvertently allowing access to personal information online, losing equipment loaded with personal data and other types of administrative errors.
A report by the IT Policy Compliance Group attributed an even larger share to human error than the UW study did, finding that it contributed to 75 percent of all occurrences. Misplaced or stolen laptops and mobile storage devices were identified as frequent problems.
Samples of education institution security breaches listed by the Privacy Rights Clearinghouse for 2010 illustrate the human error issue. A password-protected laptop was stolen from an employee's office at a Pennsylvania medical school, exposing 21,000 confidential records that were not supposed to be stored on a portable device. In Florida, almost 20,000 students and faculty were notified about an error that made their personal data available on the Internet through a database's external search function.
Sometimes data breaches come from something as simple as folding a letter in a way that exposed private information through an envelope's transparent address window. Both a university in Texas (15,000 students) and one in Missouri (75,000 students) mailed tax forms with potentially visible Social Security numbers. In the case of a Florida university, a contractor included private data on mailing labels by mistake, affecting about 2,000.
Regardless of whether hackers or human error is the cause, the potential for breaches at data-intensive universities is high and needs to be addressed. One approach is to work closely with the university's insurance agent and carrier to create a data-security and breach-response plan.
With the threat of identity theft and fraud coming from so many directions, universities need an effective plan that builds a strong culture of data protection into daily operations. Such a plan should include three layers - a proactive strategy, a reactive blueprint and a safety net for when things go wrong.
Paper records are often involved in identity theft simply because they are poorly secured; binders containing highly sensitive data are left lying around. Other paper-related incidents include an employee stealing lists of personal information and staff discarding documents without shredding them. Another recent example was a bulk mailing that inadvertently displayed personal information on the outside of envelopes. Document retention and security should be part and parcel of a university's risk management plan. But in today's digital world, more and more data breaches come from electronically stored records that have been inadequately protected.
An effective strategy for protecting electronic information begins with building, maintaining and updating a secure computer network infrastructure. The university's information technology experts should incorporate strong firewalls, install anti-virus programs and apply security patches for all operating platforms and applications as soon as they are released.
In addition, data should be categorized by type, with the most sensitive data - Social Security numbers, for example - encrypted and placed under restricted access. Protocols should be created around who can access data and when. Access activity can then be monitored to identify any security lapses.
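One way to turn that "who, what and when" protocol into something checkable, as an added example that is not part of this article or of any Travelers product: the Python below classifies record fields by sensitivity tier, states which roles may read which tier and during which hours, and reviews access-log lines against that policy, flagging reads by unpermitted roles, restricted reads outside permitted hours, and one user reading restricted fields of unusually many students in a day. The tiers, roles, hours, bulk threshold, log format and log lines are all constructed assumptions; encryption of the restricted fields at rest is a separate control and is not shown here.

```python
"""Field-level access policy for sensitive student data, plus a review of
access logs for lapses. Added example: every tier, role, hour window,
threshold and log line below is an assumption, not an institution's policy."""
from datetime import datetime

# Sensitivity tier of each field in a student record (assumed classification).
FIELD_TIER = {
    "name": "public",
    "email": "internal",
    "date_of_birth": "internal",
    "ssn": "restricted",
    "aid_award": "restricted",
}

# Per-role policy: readable tiers, and the local hours [start, end) in which
# that role may read restricted fields at all (assumed values).
ROLE_POLICY = {
    "registrar": {"tiers": {"public", "internal", "restricted"}, "hours": (7, 19)},
    "aid_officer": {"tiers": {"public", "internal", "restricted"}, "hours": (7, 19)},
    "advisor": {"tiers": {"public", "internal"}, "hours": (7, 19)},
    "helpdesk": {"tiers": {"public"}, "hours": (0, 24)},
}

# Restricted fields of more than this many distinct students read by one user
# in one day is treated as a bulk-export signal (assumed threshold).
BULK_THRESHOLD = 3


def check_access(role, field, when):
    """Return None if the read is allowed, else a short reason it is a lapse."""
    tier = FIELD_TIER.get(field)
    policy = ROLE_POLICY.get(role)
    if tier is None or policy is None:
        return "unknown-field-or-role"
    if tier not in policy["tiers"]:
        return "role-not-permitted"
    start, end = policy["hours"]
    if tier == "restricted" and not (start <= when.hour < end):
        return "off-hours"
    return None


def parse_log_line(line):
    """Assumed log format: ISO timestamp, user, role, student id, field (tab-separated)."""
    ts, user, role, student, field = line.rstrip("\n").split("\t")
    return {"when": datetime.fromisoformat(ts), "user": user, "role": role,
            "student": student, "field": field}


def review_access_log(lines):
    """Return (user, student, field, reason) findings for every lapse in the log."""
    findings = []
    restricted_reads = {}  # (user, date) -> set of student ids read that day
    for line in lines:
        e = parse_log_line(line)
        reason = check_access(e["role"], e["field"], e["when"])
        if reason:
            findings.append((e["user"], e["student"], e["field"], reason))
        elif FIELD_TIER[e["field"]] == "restricted":
            key = (e["user"], e["when"].date())
            restricted_reads.setdefault(key, set()).add(e["student"])
    for (user, _day), students in restricted_reads.items():
        if len(students) > BULK_THRESHOLD:
            findings.append((user, "*", "restricted", f"bulk-read:{len(students)}"))
    return findings


# Constructed sample log: one permitted day of work, then four kinds of lapse.
SAMPLE_LOG = [
    "2010-03-02T09:15:00\tjdoe\tregistrar\tS1001\tssn",
    "2010-03-02T09:16:00\tjdoe\tregistrar\tS1002\tname",
    "2010-03-02T10:30:00\tmlee\tadvisor\tS1003\temail",
    "2010-03-02T10:31:00\tmlee\tadvisor\tS1003\tssn",            # advisor reads an SSN
    "2010-03-02T23:40:00\tpkim\taid_officer\tS1004\taid_award",  # restricted read at 23:40
    "2010-03-02T14:00:00\trtan\thelpdesk\tS1005\tdate_of_birth", # helpdesk reads internal
    "2010-03-03T11:00:00\tjdoe\tregistrar\tS1001\tssn",
    "2010-03-03T11:01:00\tjdoe\tregistrar\tS1002\tssn",
    "2010-03-03T11:02:00\tjdoe\tregistrar\tS1003\tssn",
    "2010-03-03T11:03:00\tjdoe\tregistrar\tS1004\tssn",          # 4 students in a day
]

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

Running it reports the advisor's SSN read and the help desk's date-of-birth read as role violations, the aid officer's late-night read as off-hours, and the registrar's four-student SSN sweep as a bulk read. The point of keeping the policy in data rather than in scattered conditionals is that the same table can drive both enforcement at the application and after-the-fact review of logs from systems that do not enforce it.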
A security policy that tells employees what activities are allowed and what is forbidden should also be adopted and consistently enforced. This may include a prohibition against visiting file-sharing sites, or placing protected information on portable devices, such as USB drives, that can be carried out of a building. While employees may find some policies inconvenient, they should receive training that helps them understand how important protecting data is and why the security policy is a necessary safeguard for the university in terms of liability and reputation.
No matter how strong the security infrastructure, there is always the possibility that something will go wrong. At that point, a university may need to react quickly, both to comply with state laws and to protect its reputation. Having a blueprint for how to handle a data breach is critical.
Such a blueprint should provide guidance about mandates included in state laws and regulations. The National Conference of State Legislatures reports that by early 2010, 46 states had adopted laws requiring that people be notified if their private data has been exposed to unauthorized users. The states without such laws are Alabama, Kentucky, New Mexico and South Dakota. Laws differ in their stringency; some require notification of all breaches, while others only insist on notification if the data has not been encrypted. Because of the borderless reach of the Internet, universities should be prepared to meet the most stringent requirements, regardless of their location.
In addition, the blueprint can be used to identify which university officials should be involved in deciding on and implementing a response strategy, and under what circumstances they should be brought together to consider action. It can outline timeframes, options and parameters for the types of actions to consider.
This type of pre-planned infrastructure can be invaluable when a university is faced with a situation that demands a fast reaction. In addition, as the blueprint is created, a university can consider the public relations aspect of protecting its reputation if data is breached. An explicit policy of offering protection to those whose data has been exposed can position the institution as caring, rather than careless. Universities can seek assistance in setting up a risk management plan by consulting with an insurance professional or by securing the services of a reputable identity management and breach services firm.
The aftermath of a security breach can involve large mitigation costs, both for the university and the people whose lives are affected. Universities can work with their insurance agents to arrange a safety net with effective protection.
For the university, a cyber liability policy can cover the cost of notifying people, as well as reputation management services, legal defense costs and indemnity for damages claimed by those impacted. In addition, identity fraud expense reimbursement policies are proving to be a low-cost, high-value benefit that universities can offer their employees and their “customers” (students and their families) for a few dollars or less per year. Identity fraud expense reimbursement insurance policies cover named expenses related to any identity fraud perpetrated against a victim (be it at home, at school or overseas), as well as fraud that occurs in the aftermath of a data breach, such as credit card fraud and passport fraud. Travel expenses, legal fees and document replacement costs can add up to thousands of dollars in out-of-pocket expenses if victims are uninsured.
The best identity fraud expense reimbursement policies also provide identity fraud resolution services, with experts helping victims clear their records and replace lost documents. This can be extremely valuable for university employees and students, particularly those studying abroad. The Identity Theft Resource Center recently estimated that victims in 2009 spent 68 hours repairing damage to existing accounts and 141 hours to clear cases that involved new accounts created by criminals. About 30 percent of victims are unable to restore their identities on their own after a year of effort.
As a risk management tool, identity fraud expense reimbursement insurance gives universities a built-in means of mitigating losses from the frauds that follow a breach. By proactively offering a remedy when an individual's personal information is compromised and fraud is committed, universities may reduce liability and minimize damages incurred by affected individuals. Be it as an employee benefit, a student incentive, or a risk management tool, this low-cost coverage is a high-yield option worth considering.
The free flow of information is a critical underpinning of life at universities. No one in the academic world, however, should have to worry that their private data can fall into the hands of those who want to use it for fraud. By tapping into resources through their insurance agent, universities can establish a secure information infrastructure, create a plan to handle the unexpected, and arrange for a safety net to cover the costs of making people whole when things go wrong.
Joe Reynolds is the Identity Fraud Product Manager for Travelers