Higher education’s vulnerability to cyber attacks
Recent highly publicized cyber attacks have spurred a growing public awareness of the risk that sensitive personal information might be accessed by unauthorized third parties. It is not as well-known that the industry sector with the highest number of breaches is higher education: since 2005, higher education institutions have been the victims of 539 breaches involving nearly 13 million known records. This trend may be due, in part, to the sheer number of personal records kept by these institutions, considering their ever-changing student bodies, as well as the valued open, collaborative environment of most colleges and universities.
In 2000, the Federal Trade Commission (the “Commission” or “FTC”) promulgated its “Safeguards Rule.” This rule, above all, directs institutions providing financial products or services to establish a comprehensive written information security program (“WISP”) containing administrative, technical and physical safeguards to protect customers’ personal information. The FTC indicated that colleges and universities are subject to the Safeguards Rule. Reacting to comments on the then-proposed rule, the Commission said it “disagrees with those commenters who suggested that colleges and universities” are not covered entities since “[m]any, if not all, such institutions appear to be significantly engaged in lending funds to consumers.”
Since 2003, the National Association of College and University Attorneys (“NACUA”), the National Association of College and University Business Officers (“NACUBO”) and other associations have construed the FTC’s remarks as requiring that higher education institutions comply with the Safeguards Rule. While institutions frequently implement certain measures to protect the security of personal information in their possession, many have not established a comprehensive WISP as required under the Safeguards Rule. Besides just deflecting scrutiny from the FTC, as discussed below, establishing a WISP containing appropriate data security safeguards can be a critical measure in averting a breach or mitigating its effects.
This article begins by highlighting several recent cyber attacks at higher education institutions and some reasons why higher education might be targeted by hackers. The article then discusses potential consequences of attacks resulting from an entity’s failure to implement a comprehensive WISP or other appropriate data security measures, such as FTC enforcement actions (although, based on the current state of the law, these actions are less likely to be brought against non-profit colleges and universities) and class actions. The article also discusses direct costs and other harm associated with responding to a breach and, lastly, it discusses the required elements for a college or university’s WISP to comply with the Safeguards Rule.
Recent cyber attacks
Recent cyber attacks prove that even the most sophisticated computer systems—like those of major banks, the government, and top retailers—are not impenetrable. Higher education institutions are, unfortunately, no exception. According to a study by the Identity Theft Resource Center, as many as 42 colleges and universities were victims of cyber attacks in 2014 alone, and there have been at least eight in 2015. Examples of some of the more recent or significant breaches include:
- Harvard University and Penn State University. In July 2015, Harvard University announced a data breach that affected as many as eight of its colleges and administrative offices, although it remains unclear what information may have been accessed by the hackers. In May 2015, Penn State announced that there had been two breaches of its computer system, with one of the attacks starting as far back as 2012, which compromised the information of 18,000 people.
- North Dakota University. In March 2014, a server at the North Dakota University System storing personal information of nearly 300,000 past and present students was hacked. The compromised database included names and Social Security numbers.
- University of Maryland. In February 2014, almost 310,000 students, faculty and staff records were compromised at the University of Maryland. The breach included names, birth dates, university identification numbers and Social Security numbers. The breach was believed to have impacted a database that contained information from everyone who had received a university ID from certain system campuses since 1998.
- University of Indiana. Also, in February 2014, a data breach exposed the personal information of 146,000 current and former students at the University of Indiana. The compromised information included names, addresses, and Social Security numbers.
Colleges and universities are likely targets for hackers due to the vast amount of personal information in their possession, such as the personal information of current students and faculty, applicants, administrative staff, alumni, collaborators, research and project participants, vendors, and even parents. They also may become targets if their research departments are developing intellectual property that might become valuable products, like prescription drugs, or might be used by government agencies. Finally, the networks of many colleges and universities provide online environments for learning and collaboration that are open to countless students and staff members logging in with their own computers; many observers believe that these systems are harder to secure than those of major corporations. The University of Maryland’s president, Wallace D. Loh, may have summarized the issue best in his testimony before Congress: “Security in a university is very different than the private sector because we are an open institution. There are many points of access because it is all about the free exchange of information. In the private sector you can centralize cybersecurity. You cannot do that at a university. So we had to find that proper balance between security and access.”
FTC’s investigative and enforcement powers vis-à-vis colleges and universities
The FTC was delegated both investigative and enforcement authority under the Federal Trade Commission Act (the “FTC Act”) and it has been fairly aggressive in using these powers to investigate and bring enforcement actions against entities that failed to maintain appropriate data security standards in accordance with the Safeguards Rule. As discussed above, although the common view is that colleges and universities must comply with the Safeguards Rule, the FTC cannot employ its regulatory powers to reach most of these institutions because they are organized as non-profits. To be sure, under the plain language of the FTC Act, the Commission’s authority with respect to an entity only extends to a “corporation” “organized to carry on business for its own profit or that of its members.” In spring 2014, while noting that “a substantial number of reported breaches have involved nonprofit universities,” the FTC chairwoman, Edith Ramirez, twice urged Congress to pass legislation authorizing the Commission to bring enforcement actions against non-profits for failing to maintain proper data security practices. To date, three bills have been introduced in Congress that could, as currently written, grant the requested jurisdiction to the FTC over non-profits for failing to institute reasonable data security safeguards, but each remains in committee.
In other contexts, however, the Commission has been actively bringing enforcement actions against non-profits. These actions commonly arise where the FTC can argue that a non-profit is using funds for the personal benefit of its officers or employees, that its funds benefit private financial, as opposed to tax-exempt, interests, or that its tax-exempt status is a sham. For example, in May 2015, the FTC brought a judicial enforcement action against a non-profit charity and its affiliates alleging that the non-profits bilked $187 million from consumers who believed their donations were for charitable purposes when they really benefited the entities’ officers and for-profit fundraisers. As in most instances where a non-profit is facing such an enforcement action, these non-profits stipulated to the facts establishing the FTC’s jurisdiction as part of a resolution. Nonetheless, when non-profits have challenged the Commission’s authority, courts have been split on whether a non-profit’s conduct, or simply its status, determines whether it is outside of the FTC’s jurisdiction. In other words, some non-profits have been successful in contesting FTC enforcement actions on jurisdictional grounds.
Non-profit colleges and universities that are carefully observing the requirements of their tax-exempt status are unlikely to face an FTC action for noncompliance with the Safeguards Rule. Where even these colleges and universities may be subject to such an FTC action, however, is if the institution engages in non-exempt activities that generate unrelated business income and collects the personal information of students or others in the course of those activities. True for-profit colleges and universities, unlike non-profits, probably have little chance of avoiding the Commission’s reach if they fail to comply with the Safeguards Rule. That being said, it bears noting that the FTC has not yet brought an enforcement action against a non-profit or for-profit college or university for failing to comply with the Safeguards Rule or otherwise implement appropriate data security measures.
Private class actions brought by affected persons or entities
Class action lawsuits following data breaches are now commonplace. But for many years, plaintiffs bringing these lawsuits struggled to survive early dismissal because they could not establish injury-in-fact to support Article III standing. Relying on the Supreme Court’s decision in Clapper v. Amnesty International U.S.A., courts regularly held that the typical injuries alleged by plaintiffs in these actions, i.e., the risk of future identity theft, were insufficient to establish Article III standing. More recently though, plaintiffs have overcome this standing hurdle by alleging immediate injury, such as unlawful payment card charges, restricted access to bank accounts, inability to pay other bills, and late payment charges or new card fees. This recent success by plaintiffs has led to several high-dollar settlements. For instance, after a California federal court concluded that a plaintiff class had standing to assert claims against Adobe Systems, Inc. related to a significant 2013 data breach, in August 2015, Adobe agreed to settle the matter by agreeing to implement considerable data security measures (which likely cost millions of dollars), submitting to an invasive security audit, paying $25,000 to the named plaintiffs, and paying $1,180,000 in attorneys’ fees and expenses.
Higher education too has been subject to class actions. These actions have been brought under a variety of legal theories, and, as can be seen from the examples below, all of the actions have resulted in significant expenditures in time and resources and may have had reputational impact on the subject institutions.
- University of Hawaii. Between April 2009 and June 2011, several campuses of the University of Hawaii had multiple data breaches compromising the information of 90,000 individuals, such as names, Social Security numbers, addresses, phone numbers and credit card information. Some of the affected individuals filed a class action against the university, which the university settled in 2012. The settlement required the university to provide credit monitoring and fraud restoration services to affected individuals. The cost of providing those services was approximately $550,000, and the university was also required to pay an undisclosed amount of attorneys’ fees and costs.
- Maricopa County Community College District (“MCCCD”). In 2013, MCCCD had a data breach that affected the records of 2.4 million current and former students, and staff, including Social Security numbers, driver’s license numbers, bank account information, and student information. This is still the largest breach at an institution of higher education. In April 2014, affected individuals filed a class action. The case is still pending, although a notice of conditional settlement was filed in April 2015, and the court issued a stay in May 2015.
- Stanford University Hospital and Clinics. Stanford University Hospital and Clinics experienced a data breach when a business associate’s subcontractor posted the health information of 20,000 patients treated by the hospital on a website. This information included patient names, medical records, hospital account numbers, emergency room dates, and medical codes. The affected individuals brought a class action suit against Stanford and two associates relating to the breach. In March 2014, the suit settled for $4 million, including attorneys’ fees, with part of the settlement ($500,000) being donated to create an educational project managed by the California HealthCare Foundation.
The financial impact of cyber attacks
A data breach can take a tremendous financial toll on an organization. According to the 2015 Cost of Data Breach Study conducted by Ponemon Institute, the average cost of a data breach for US companies is $217 for each compromised record ($225 for higher education) and the total average cost is $6.5 million. The total costs of a breach can vary depending on the severity of an incident, but the types of costs incurred across breaches are fairly consistent.
For instance, entities are often required by law to provide notice to affected individuals following a breach. This single task may include the costs of “IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary contacts to mail or email bounce-backs and inbound communication set-up.” Other direct costs that companies might incur following a breach include forensic examination to determine the scope of the breach; remediation to resolve the issue that led to the breach; information call centers; free credit and identity monitoring for affected individuals; a public relations company to mitigate reputational harm; legal expenses; and possibly regulatory fines or penalties. There are also indirect costs associated with data breaches. Most notably for higher education, the reputational losses and diminished goodwill after a breach could lead to lower student enrollment and reduced donations.
Certain higher education institutions recently involved in breaches serve as examples of the significant costs of these incidents. Following the attack at the University of Maryland, Loh said that credit monitoring provided by the university could cost up to $6.2 million, acquiring encryption to make university data more secure could cost $30 million, and hiring consultants to prevent attacks could increase the costs even more. It is reported that Indiana University spent about $75,000 on an information call center following its breach. The university also spent $6,200 mailing notifications to 6,200 affected people for whom it did not have email addresses. Lastly, MCCCD has been transparent about the dollar figures surrounding its attack: about $16.6 million as of late 2014, and the MCCCD governing board has approved contracts for $26 million. These costs include:
- $9.3 million for current and future legal fees.
- $7.5 million reserved for IT consulting and repair.
- $7 million set aside for notification and credit monitoring services.
- $2.2 million for “services” such as records management and public relations.
Insurers have only covered $867,000 of these costs.
It is axiomatic that designing and implementing a comprehensive WISP can help thwart a cyber attack. Research also shows that a WISP can help reduce the cost of a cyber attack. The Ponemon Institute, for instance, found that common elements of a WISP, such as “incident response plan and team in place, extensive use of encryption, [business continuity management] involvement, [chief information security officer] leadership, employee training, board-level involvement and insurance protection,” can help reduce the cost of a breach. In particular, the institute found that “[a]n incident response team can decrease the average cost of [a] data breach from $217 to $193.20.” Kroll, Inc., a corporate investigations and risk consulting firm, similarly reported that entities with elements typically incorporated in a WISP, such as “a strong security posture or a formal incident response plan,” can “reduce the average cost of a breach as much as $21 and $17 per record, respectively.”
What institutions of higher education (IHEs) must do to comply
While the Safeguards Rule sets forth a short list of administrative requirements for a WISP, it does not enumerate specific technical or physical safeguards that must be implemented. Thus, it has become customary for entities to establish a WISP that satisfies the required administrative elements of the Safeguards Rule and to implement industry-standard technical and physical safeguards, without considering the unique aspects of their business that may dictate special or heightened security protocols or infrastructure. We caution against this “check-the-box” approach. Instead, as the Safeguards Rule requires, entities should focus on creating a WISP that contains the proper administrative, technical and physical safeguards that reflect the distinctive nature of their enterprises; at a minimum, the WISP should include the required elements under the Safeguards Rule.
With this background in mind, a higher education institution’s WISP must contain and reflect the following elements:
- designate an employee to coordinate the entity’s WISP.
- identify reasonably foreseeable internal and external risks to the security of personal information and assess the adequacy of safeguards already in place to control these risks.
- conduct a risk assessment that, at a minimum, considers the adequacy of employee training and management; information systems, including network software design, as well as information processing, storage, transmission and disposal; and detection, prevention and response plans to attacks, intrusions, or other system failures.
- design and implement information safeguards to control the identified risks.
- regularly test or monitor the effectiveness of the key controls, systems, and procedures.
- oversee service providers by taking reasonable steps to select and retain providers that are capable of maintaining appropriate safeguards for personal information and requiring service providers by contract to implement and maintain such safeguards.
- evaluate, adjust and update the WISP in light of the results of the testing and monitoring; any material changes to operations; or any other circumstances that may materially impact information security.
- establish procedures to properly dispose of personal information such as the burning, pulverizing or shredding of papers containing personal information and destroying or erasing electronic media containing such information.
The FTC has also published guidelines stating that institutions should consider implementing some of the following common practices contained in a WISP:
- developing an employee management program, including background checks before hiring employees who will have access to personal information, and developing policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices.
- training employees to take steps to maintain the security, confidentiality, and integrity of customer information, including locking rooms and file cabinets where records are kept, encrypting sensitive customer information when it is transmitted electronically via public networks, and not collecting unnecessary personal information.
- knowing where personal information is stored and storing it securely, e.g., when transmitting payment card information or other sensitive financial data, using a Secure Sockets Layer (SSL) or other secure connection to protect the information in transit.
- monitoring the websites of software vendors and reading relevant industry publications for news about emerging threats and available defenses.
- maintaining up-to-date and appropriate programs and controls to prevent unauthorized access to customer information.
- using appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
- designing and implementing a response plan containing steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach, including immediate action to secure any compromised information, preservation and review of files or programs that may reveal how the breach occurred and, if appropriate, engaging security professionals to help assess the breach as soon as possible.
- notifying consumers, law enforcement, and/or businesses in the event of a data breach when appropriate.
The FTC has also provided guidance on the three areas of operation that it thinks present special challenges and risks to information security and to which it mandates that entities pay special attention: “employee training and management; information systems, including network and software design, and information processing, storage, transmission and retrieval, and security management, including detection and response to attacks, intrusions or other system failures.”
Higher education institutions, in particular, should consider focusing on developing and implementing a comprehensive WISP, given the industry’s current statistics for data breaches. Establishing a comprehensive WISP, however, is not a simple task. It requires the involvement of stakeholders at all levels of the institution, including trustees, senior administrators, internal information security and IT professionals, and in-house counsel, as well as outside legal counsel and information security professionals. In addition, once the WISP is implemented, colleges and universities will need to carefully monitor and manage the effectiveness of their programs. In any event, establishing a comprehensive WISP is a critical and necessary investment.
—Charles Harris and Laura Hammargren are partners in the Mayer Brown law firm.