Educational institutions are known for their openness and sharing of information… no surprise here, as this is inherently what they’re all about. However, even when it comes to their own databases, they tend to have an open information technology architecture, which leaves the “door” open to cyber attacks, security breaches and theft of intellectual property and proprietary research.
This type of open access to information is so prevalent that in a study conducted by a national cyber security firm, more than 50% of educational institutions investigated allow for the transmission of sensitive information over unencrypted, unprotected email. This includes Big Ten, Ivy League, community colleges and technical institutes.
You don’t have to look very far to see how exposed schools are to privacy risks. There have been several high-profile cases making headlines over the last several years. In 2010, there was a cyber attack on Ohio State’s systems that affected 760,000 people, and a breach in 2011 at the University of Wisconsin, Milwaukee compromised 75,000 student and staff Social Security numbers. More recently in February 2014, there was massive cyber attack at the University of Maryland, which put personal student, faculty and staff information at risk. In fact, officials at the school estimate that 309,079 student, faculty and staff records were compromised, including names, birth dates, university ID numbers and Social Security numbers. The database that was accessed contained information from everyone who has received a university ID from the College Park or Shady Grove campuses since 1998.
Moreover, on the heels of the University of Maryland’s data breach announcement, Indiana University reported that a staff error exposed information on 146,000 students for nearly a year. The North Dakota University system also reported that a server that contained information of 291,465 former, current, and aspiring students and 784 employees had been hacked. And one month after Maryland’s huge security breach, the school suffered a second cyber attack, albeit a small one.
These security breach incidents are not isolated to higher learning institutions by any means. K-12 schools are also vulnerable to cyber crimes with hackers getting their hands on names, Social Security numbers, driver’s license numbers, medical records, financial records and credit card information.
With the sharing of information so easily accessed by many individuals throughout the educational hierarchy, strong security protocols need to be implemented and enforced, including encryption, firewalls, among many other measure. Additionally, liability insurance in the form of cyber coverage should be part of a school’s risk management strategy. Without such insurance, the cost of a breach can be substantially. In fact, the Ponemon Institute, a research firm that studies cyber security and data protection, estimates that the cost of a breach for higher educational institutions is $111 per record. This includes the reputational damage to the school, notification costs, forensics to pinpoint how the breach occurred, credit card monitoring expenses, third-party liability judgments, among other costs. All these expenses would be covered by a cyber liability or privacy network security insurance program and should be an integral component of an educator’s liability insurance plan.