Hard costs of a data breach
When a school hears from the FBI, the news is not likely to be good. Two years ago, FBI agents informed Maricopa County Community College District administrators that data from the 10-college system in Arizona had been posted on the internet. With a possible data breach underway, the system’s website was shut down immediately and school officials began to investigate.
After identifying a problem with its main web server, officials began the arduous task of notifying 2.3 million current and former students, staff and vendors that their social security numbers and other sensitive data may have been exposed. An extensive repair of the security system was launched, five employees either resigned or were dismissed, and a chief information security officer was hired. Over the next two years, the price tag for the cyberattack would climb to $18 million.
While Maricopa has been able to use insurance reimbursements and reserves to cover a portion of the damage, the costs of recovering from the incident ultimately were borne by taxpayers and student tuition. “The lesson we all learned was that anything that has to do with this is going to cost, and the costs are substantial,” says spokesman Tom Gariepy.
The potential for a major data breach has increased significantly in recent years, and often institutions may not discover a cyberattack until months later. What is driving the increase is the emergence of a new type of cyber criminal intent on stealing personal information and intellectual property from colleges and universities.
At the University of New Brunswick in Canada, for example, security intelligence and monitoring software shows there are now 53 million attempts to breach the university’s network every week, an increase from one million per week in 2013, says David Shipley, director of strategic initiatives for information technology services.
“Individual personal records stolen from a system are bought and sold for pennies, but it’s something that might cost millions of dollars for a university to clean up,” says Shipley, who helped respond to a small-scale data breach at the university in 2012—the only significant cyberattack in the past three years.
How expensive it is to recover from a data breach—which requires working with experts, notifying potential victims and minimizing the reputational impact—depends on the number of people it affects and the type of information that is exposed. Nevertheless, among all industries, the education sector has the second highest per capita cost of cleaning up from a data breach, estimated at $294, according to a 2014 study by the Ponemon Institute, which studies cybersecurity and data protection.
Only the healthcare industry is more costly, at $359 per capita.
Regardless of the number of records exposed, each of the several steps a college or university must take after a cyberattack will contribute to the total damages. Here is a road map of responses and costs:
1. Hire a forensics team.
It’s an immediate must-do for a college that finds its network has been compromised, say data security experts and institutions that have been victims. A forensics consulting company will determine how the breach occurred and the steps needed to repair the system and prevent another attack.
When officials at Lasell College in Massachusetts realized an employee had opened a database that contained social security and college identification numbers in 2008, they immediately hired a consultant from Jacadis, an information security firm in Ohio, to assess how extensive the breach was. The consulting cost was $10,000, says Deborah Gelch, Lasell’s chief information officer.
“The best he could determine, it was fairly contained,” Gelch says. The price tag for the breach, which affected 20,000 records, totaled about $50,000 for the college. In some cases, the forensics investigation can be done in-house, eliminating the expense of an outside consultant. That is what the North Dakota University System did last year when officials discovered that someone had accessed a server containing information on nearly 300,000 former, current and aspiring students and employees.
“One of the things that was unique about this was that the traffic, unless you were looking for something, looked like normal traffic,” says Darin King, the system’s deputy chief information officer, whose staff conducted the investigation. “It wasn’t anything that jumped out. We went back through a lot of different logs for a lot of different parts of the system to start to piece together this particular information.”
2. Contract for legal services.
Lawyers specializing in information security help a college or university navigate the response after a cyberattack and determine how breach laws in each state apply. Forty-seven states (with Alabama, New Mexico and South Dakota as exceptions) have passed laws requiring private or state organizations to notify people when their personal information has been exposed.
In some states, schools may be required to notify credit reporting agencies in addition to individuals who have been affected if a certain threshold of exposed records is reached, says attorney David Katz, head of the privacy and information security practice group at Nelson Mullins Riley & Scarborough LLP in Atlanta.
Barry University in Miami, for example, had to contact the U.S. Department of Health and Human Services and the Florida Attorney General’s Office after discovering a data breach that exposed the medical records of 9,000 patients of its School of Podiatry clinic in 2013, says Hernan Londono, associate chief information officer. The federal government was notified because many of the patients affected are from other states.
Another reason to line up legal services is the potential for litigation. Maricopa County Community College District faces two class-action lawsuits filed by plaintiffs affected by its data security incident and has already paid $9.3 million in legal fees.
3. Notify the potential victims.
Hiring a firm to handle notifications and provide credit protection services can add up to one of the largest expenses. For the North Dakota University System, contracting with AllClear ID, an identity protection company, accounted for the entire cost of its data breach, which amounted to $200,000.
The company provided a call center that students and staff could contact after they were notified about the breach and offered one year of identity repair service to help people restore their credit if the information had been used. Only a fraction of the people affected—about 1,000—took advantage of the call center, and 50 used the credit repair services, indicating they had concerns about identity theft, says Linda Donlin, a university spokeswoman.
There is no evidence that anyone’s information was used as a result of the data breach, and even if there had been identity theft, it would be impossible to know what caused it, given the number of breaches that have occurred at retailers and other companies, Donlin says. “No one really has a way to know if someone’s identity gets stolen, where it comes from,” she says. “There have been so many breaches, it’s hard to say whether it’s from any particular data breach.”
4. Develop a public relations response.
After the facts of a data breach are determined, the college may well have to take the case public and respond to inquiries from the media. How the disclosure process is conducted can make the difference in whether the school suffers long-term reputational damage from the incident, says Megan Mitchell, a director at LEVICK, a strategic communications firm based in Washington, D.C.
“There is certainly the potential for a brand to suffer after a data breach, whether it’s a university or a retailer,” Mitchell says. “But if handled correctly, there is also the potential to elevate the brand and generate greater trust among the community.”
In a data breach she handled at a small college a few years ago, officials waited until they were certain of the facts, including the number of people and type of information affected, before going public, Mitchell says. Then they moved forward with a consistent message, sending out emails to students and employees, posting a note on the college’s website and contacting parents.
“While speed in getting out information is important, it should never be prioritized over the facts,” Mitchell says. “Too often, brands create more headlines by going public with the wrong information in an attempt to win points on transparency.”
5. Harden your computer system.
One of the key steps to take after a cyberattack is to hire a security company to evaluate the breached computer system and recommend steps to prevent another intrusion. Schools should look at where sensitive information is stored, how it is transmitted and who can access the data, says Rob Rudloff, who leads the cybersecurity risk services team at RubinBrown, an accounting and consulting firm in Denver.
Also essential are installing software that monitors the system to detect if a breach has occurred and creating procedures to communicate potential problems. “Technology is cool and great, but without people linking it together, it’s just cool and not useful,” Rudloff says.
Protecting the network may require hiring additional staff to coordinate the security effort. Equally important, the institution must educate faculty and staff on how to prevent malware and hackers from gaining access to the system. Faculty and staff, for example, should always be on the lookout for phishing attempts that try to get them to reveal passwords and other information.
“Security in an organization is not specifically an IT responsibility,” says Ed Kelty, chief information officer at the Maricopa County Community College District. “It’s everyone’s responsibility.”
Sherrie Negrea is a writer based in Ithaca, New York.