July 31, 2014

On the Rise? Data Breach Incidents in Colleges and Universities

A rash of data breaches on campuses across the U.S. this year suggests that colleges and universities still have a lot to learn about information security.

  • Probably the biggest data breach occurred at the University of Maryland and exposed Social Security numbers, birth dates and other personally identifiable information of more than 309,000 faculty, staff and students.
  • At Indiana University, 146,000 students’ and recent graduates’ personal information was compromised when it was accessed by automated computer applications known as web crawlers.
  • More recently, Butler University in Indiana reported that computer hackers may have accessed personal information including birth dates, Social Security numbers and bank account information of over 160,000 students, staff and alumni.

And those are just a few examples.

In fact, universities are considered easy targets because of their open structure and long information retention periods.

According to Privacy Rights Clearinghouse, 736 breaches have occurred in educational institutions since 2005, ranging from lost laptops with sensitive information to targeted cyber-attacks. Beyond payment data and student records, other sensitive data includes employee records, patient health information and scientific research data.

How much is it costing the institutions?  

The Ponemon Institute 2014 Cost of Data Breach Study shows that education has the second highest data breach costs. In the study, the per capita cost for the consolidated education sample was $294 (much higher than the overall mean of $145).

The 2013 Cost of Data Breach Study: Global Analysis showed that data breaches in higher education specifically cost an average of $111 per record, including damage to the institution’s reputation.

While the cost is significant, an article at chronicle.com points out that all the publicity may help IT and data security managers make their case to top administrators and trustees for better protecting information across the board.

“This kind of public exposure for a high-profile breach helps elevate the conversation out of the IT group,” said a security expert, “and into the executive level and into the boardroom.”

Making data security a boardroom concern is an important risk reduction strategy.

Here is a roundup of ways educational institutions – and all businesses – can reduce the risk of a data breach incident.

  1. Establish a culture of data security throughout the entire organization and from the top down. Create an Information Security Policy and Office for students and staff.
  2. Conduct a risk assessment to see where there are gaps in information security – and provide solutions.
  3. Ensure proper physical security of all sensitive data – for example, lock down workstations and laptops, maintain a clean desk policy, and shred sensitive paper records before disposing of them.
  4. Utilize IT data security tools such as firewalls, anti-virus software, encryption, and strong passwords.
  5. Train staff – and where possible, students – on security policies and procedures.
  6. Implement a document management process that tracks all documents from generation and storage to destruction. When information is no longer needed, it should be purged.
  7. Securely dispose of information that is no longer needed. Partner with a reliable shredding company that provides a secure chain of custody for on-site and off-site document destruction as well as hard drive destruction services.

Check out the State of the Information Security Industry report for more information.