Academic institutions are under cyber attack
Academia’s cyber preparedness (or lack thereof) has received less media attention than that of certain retailers and financial institutions, but nonetheless the cyber risks confronting universities are pervasive and alarming. Consider recent breaches suffered by educational institutions. At the University of Maryland, an outside source gained access to a secure records database that held information dating back to 1998, including names, social security numbers, dates of birth, and university identification numbers for over 300,000 people affiliated with the university on two campuses.
During a data breach of the Maricopa County Community College District, the names, social security numbers, and financial information of more than 2.4 million former and current students, employees, and vendors (from as far back as 30 years ago) were exposed on the internet. These security breaches are not isolated incidents; since 2005, educational institutions have suffered more than 700 reported security-breach incidents.
A majority of recent security breaches result from sophisticated, targeted cyber attacks. The Ponemon Institute, a leading research organization concerned with cyber issues, reported that forty-four percent of this nation’s breaches were caused by malicious or criminal attacks, as opposed to a system glitch or human error, and this percentage has increased in recent years. Indeed, the University of Wisconsin has reported approximately 90,000 to 100,000 attempts per day, from China alone, to penetrate its system. The day-to-day cyber threats facing universities include malicious software (malware), phishing, infrastructure attacks, social networking targeting, and peer-to-peer (P2P) information leakage.
One might postulate that an institution is targeted for cyber mayhem if two criteria are met: data within the institution has value, and the institution’s cyber security is weaker than that of other targets. Universities meet both criteria. First, university systems are treasure troves because, like the information systems of other large institutions, university systems contain vast amounts of information, including social security numbers and other personal, medical, financial, and professional information. Moreover, universities maintain valuable intellectual property, as evidenced by the fact that “[u]niversities and their professors are awarded thousands of patents each year, … in fields as disparate as prescription drugs, computer chips, fuel cells, aircraft and medical devices.”
Second, academic environments typically foster an open environment that promotes the free flow of information. A security analyst who previously worked for Rochester Institute of Technology explained that “academic institutions operate in a culture of open communication and collaboration among the different faculty, staff and research groups in the university” and “[t]his culture of openness makes it very difficult for the IT groups to erect security controls and still have the same user experience with unencumbered access to content and data.” Purdue University’s chief information security officer concurred, explaining that a university is different from a corporation or government agency because “researchers want to collaborate with others, inside and outside the university, and to share their discoveries.” For these reasons, universities may have resisted implementing a “fortress with high digital walls,” which has allowed them to be easy targets.
The high price of a security breach
The actual cost of a security breach may be a heavy hit to a university. “The list of potential expenses is long. It includes forensic consultants, lawyers, call centers, websites, mailings, identity-protection and credit-check services, and litigation.” According to the Ponemon Institute, the education sector has one of the highest per capita data breach costs, at $259 for each lost or stolen record containing sensitive information. This amount exceeds the per capita cost of data breach suffered by companies in the energy, financial services, communications, and pharmaceutical sectors. As seen with many of the recent breaches that have involved the personal information of hundreds of thousands (if not millions) of individuals, the total cost of a breach suffered by an educational institution may be in the multi-million dollar range.
Further, an academic institution faces legal issues and regulatory non-compliance penalties resulting from a breach. Universities must comply with the Family Educational Rights and Privacy Act (requiring the protection of student education records), the Health Insurance Portability and Accountability Act (mandating the protection of medical records), and the Gramm-Leach-Bliley Act (requiring entities offering financial services to safeguard consumer information). Because universities typically enroll students from various jurisdictions, the laws of multiple states may apply in the instance of a breach, adding complexity to an already complicated legal field. And mastering a particular jurisdiction’s rules may not be enough. One seasoned practitioner who frequently receives requests from universities for advice in terms of what they are legally obligated to do, offers this perspective: “The answer is, it depends. … You could pull your hair out trying to comply with every nuance of every state law.”
If the scope and extent of the breach is significant, a university can expect the added blow of civil litigation. For instance, two class action lawsuits have been filed against the Maricopa County Community College District stemming from its security breach that exposed personal information of more than 2.4 million people. In May 2014, the governing board approved the allocation of $2.3 million to its defense counsel. That amount is on top of any potential settlement or judgment of the plaintiffs’ claims, which could be staggering.
Finally, a cyber event may be a “public relations nightmare” for educational institutions because the public, as well as the university’s students, faculty, and alumni network, may lose confidence and trust in the institution.
How may educational institutions protect themselves?
Academic institutions are making strides to safeguard their systems. University officials have described a technology, training and awareness “arms race” to defend against cyber threats, making necessary investments and implementing up-to-date policies concerning security and incident response. Many universities report being in frequent contact with the Federal Bureau of Investigation, which has programs to advise universities on safeguarding data. According to one study, the employment of a dedicated Chief Information Security Officer or Director of Information Security, which many institutions are moving towards, increases an institution’s security rating.
One essential but under-utilized component is insurance. Cyber insurance may take the sting out of an attack when it happens, and the underwriting process may assist an institution in becoming better prepared so that an attack is less likely to occur (an insurer will not issue a policy unless the applicant demonstrates a sufficient level of cyber security). Unfortunately, cyber insurance has proven to be a very confusing line of coverage, even more than is usual in an area not typically known for clarity.
Cyber insurance 101
Once a university decides to purchase cyber coverage (and includes this investment in its risk management budget), its task is not complete. It is imperative that the institution carefully analyzes its specific risks to ensure that it selects the coverage it needs from the wide variety of coverage that is available. Cyber insurance may cover first-party loss, as well as claims brought by third parties (i.e., liability coverage) and regulatory coverage.
First-party cyber coverages are wide-ranging and may include the following:
- Privacy breach notifications – The Ponemon Institute reported the average notification costs in 2014 were $510,000 per breach, but this amount may be significantly higher depending on the severity of the breach and the number of individuals affected.
- Computer fraud (unauthorized transfer of money via entry of data or instructions) – In 2010, thieves stole close to $1 million from the University of Virginia when a virus intercepted online banking credentials for the university’s accounts and initiated a single wire transfer to a bank in China.
- Business interruption arising from computer disruptions – Cyber criminals may abuse the internet’s own infrastructure (the Domain Name System and the Border Gateway Protocol) to re-route all internet requests within a university’s network. A report prepared by the Center for Strategic and International Studies found that the “cost of downtime incurred from a network infrastructure attack on just one organization is more than $6 million a day.”
- Cyber incident preparation and response – A common coverage is for reimbursement and assistance with crisis management expenses. This includes pre-event identification of crisis response and forensic experts. Insurers also can provide cyber assessments to identify vulnerabilities, before they are exploited.
First-party coverage also may include computer disruptions (introduction of viruses or malware that destroy hardware, software or data), physical damage arising from computer disruption, and cyber extortion.
There are typically a variety of liability coverages, which include:
- Privacy liability—loss of personally identifiable information of students and employees.
- Security liability—contribution to loss arising from malware, viruses, hacking, social engineering, employee malfeasance.
- Internet/social media liability—libel, slander, and trademark and copyright infringement in those media.
- Professional liability for technology providers—website designers, data managers, hardware/software consultants.
Most cyber policies do not provide liability coverage for property damage and bodily injury arising from a cyber event; nevertheless, there are a few insurers that do offer that coverage.
Regulatory action is a type of liability coverage that is worthy of separate recognition, especially for educational institutions. The Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and other national, state, and local data loss laws may apply, such that a university’s failure to protect private data on its network may result in penalties. Cyber policies can cover the response to regulatory actions, including the expense of fines and penalties.
Once an institution identifies which coverages it needs, it must carefully analyze the coverage offered under a particular policy. Unfortunately, the typical format of the cyber policy usually makes this task difficult. Let’s take a cyber policy issued by a nationally known insurer as an example. This policy includes 10 separate insuring agreements, 59 defined terms, 15 pages of conditions, and exclusions divided into four separate classes of application. This means that if an institution has not purchased all 10 coverages, the policy includes numerous irrelevant provisions that add to the confusion of an already-confusing document. Additionally, in many instances, the “definitions” narrowly describe the events that trigger coverage. Therefore, a plain reading of the coverage grant without sufficient understanding of the defined terms may lead to the incorrect assumption that coverage for a particular risk is provided, when it is not. Further, not all definitions or exclusions apply to all coverages. Therefore, one must take each type of hypothetical loss and trace it through the policy to determine whether there is coverage, and the outcome for one kind of cyber loss may differ from the outcome for another kind of cyber loss.
The university also must consider the relevant time frame of the coverage it needs. Cyber coverage is typically written on a “claims-made” basis, meaning that if no claim is made during the policy year (or during an extended reporting period), there will not be coverage, even if the covered event occurred during that year. If an institution is interested in purchasing coverage for an undiscovered event that occurred prior to the cyber policy’s inception date, the policy must include a “retroactive date,” which means that if an event occurs after the retroactive date, and leads to a claim during the policy year, there will be coverage. However, any event occurring before the retroactive date will not be covered. Additionally, a series of related events occurring over an extended period may be determined under typical policy language to occur at the date of the first event; so if the first event precedes the retroactive date, the insurer likely will argue there is no coverage.
In view of universities’ delays in discovering past security breaches, having a retroactive date that does not go back far enough could be problematic. For example, in October 2010, the University of Wisconsin-Madison learned that a database containing personal information of students was first compromised in 2008 and accessed numerous times thereafter. Using that scenario as an example, if the university’s cyber policy had a policy period of 2010 (when the claim was made), and a retroactive date in 2009, an insurer may argue there is no coverage for the loss because the first of all related events occurred in 2008, prior to the retroactive date.
In conclusion, an academic institution must be deliberate and careful in purchasing cyber coverage. Specific risks must be understood, and the appropriate coverage identified. Because cyber coverages are so varied, and the policy terms, conditions and exclusions often precise, an institution that decides to buy cyber insurance without competent and thorough analysis may discover at an inopportune time that its cyber policy does not cover a loss.
J. Wylie Donald is a partner and Jennifer Black Strutt is an associate in the Insurance Recovery Practice Group at McCarter & English LLP.