CAUGHT IN THE CYBER CROSSHAIRS: WHAT CAN
HIGHER ED DO TO MANAGE DATA SECURITY
BREACHES AND PRIVACY LOSSES?
Ken Goldstein1
“The average cost for data breaches in the U.S. education
industry has risen to $245 per capita (or per record lost),
which is $45 above the worldwide average, according to a
recent study from the Ponemon Institute.”2
ABSTRACT
Higher education’s (“Higher Ed’s”) consistent and widespread
use of technology has generated significant cybersecurity
concerns. While Higher Ed struggles with enrollment numbers
and budgetary restrictions, it has diverse private and proprietary
information worth aggressively protecting. As such, appropriate
investments in cybersecurity along with enhanced loss control and
risk financing measures must be taken by Higher Ed to survive
and function appropriately.
This paper will first address the inherent conflict between scarce
financial resources at the Higher Ed level and the importance of
managing a strong cybersecurity posture. Next, it will review
private and proprietary information and evaluate data breaches,
privacy losses, and Higher Ed’s current administrative and
technology practices. Thereafter, it will highlight costs impacting
Higher Ed and summarize legal, regulatory, and compliance-
related consequences facing the industry. Finally, the paper will
discuss practical strategies for balancing Higher Ed’s financial
circumstances and the long-term benefits of appropriate
1 Ken Goldstein is a former global Cyber Security Product Manager at legacy
Chubb Group of Insurance Companies and current Clinical Instructor of Risk
Management and Insurance at the Barney School of Business, University of
Hartford. Ken earned his J.D. at Western New England University School of
Law and B.A. at Binghamton University. Professor Goldstein would like to
thank Dr. Susan Coleman for her helpful insight and support.
2 Shalina Chatlani, Cost of Education Data Breaches Averages $245 Per Record,
EDUCATION DIVE (July 18, 2017), https://www.educationdive.com/news/cost-of-
education-data-breaches-averages-245-per-record/447376/.
244 ALB. L.J. SCI. & TECH. [Vol. 29.3
technology safeguards, budgeting, enhanced training, strong
vetting of partnerships, and comprehensive risk transfer.
1. Introduction ............................................................. 242
2. Private and Proprietary Information: Higher Ed Data
at Risk ...................................................................... 244
3. Data Breaches and Privacy Losses: What Could Go
Wrong ....................................................................... 246
4. A Challenging Cybersecurity Posture ..................... 250
5. Data Breach Costs Impacting Higher Ed ............... 250
6. Legal, Regulatory, and Compliance-Related
Consequences ........................................................... 252
7. Cybersecurity Loss Control in Higher Ed ............... 252
8. Cybersecurity Risk Financing in Higher Ed ........... 261
9. Summary and Conclusions ...................................... 266
1. INTRODUCTION
It is not breaking news that Higher Ed institutions are
struggling with enrollment numbers and budgetary restrictions.3
There are a variety of issues contributing to the situation, ranging
from retention numbers and antiquated programs to the reduction
of funding contributions and outdated facilities.4 As a
consequence, scarce dollars are being prioritized and used to
undertake data analytics, conduct targeted and concentrated
3 HIGHER EDUCATION, HANOVER RESEARCH INDUSTRY TREND REPORT 1, 3 (2017),
https://www.hanoverresearch.com/reports-and-briefs/2017-higher-education-
trend-report/ (stating that higher education institutions are “[f]acing declining
enrollments and reductions in funding across key academic offerings. . . .”).
4 U.S. Dep’t of Educ., Education Department Awards $20.1 Million in Grants to
Strengthen 39 Higher Education Institutions, DEP’T OF EDUC. (Sept. 26, 2013),
https://www.ed.gov/news/press-releases/education-department-awards-201-
million-grants-strengthen-39-higher-education-in (stating that funds were
provided to improve and strengthen academic quality); Michael Mitchell, ET. AL.,
A Lost Decade in Higher Education Funding, CTR ON BUDGET AND POL’Y
PRIORITIES (Aug. 23, 2017), https://www.cbpp.org/research/state-budget-and-
tax/a-lost-decade-in-higher-education-funding (suggesting that “state spending
on public colleges and universities remains well below historic levels. . . .”);
Jeffrey J. Selingo, Colleges Struggling to Stay Afloat, N.Y. TIMES (Apr. 12, 2013),
https://www.nytimes.com/2013/04/14/education/edlife/many-colleges-and-
universities-face-financial-problems.html (noting “colleges have been on a
borrowing spree . . . nearly doubling the amount of debt they’ve taken on in the
last decade to fix aging campuses, keep up with competitors and lure students
with lavish amenities.”).
2019] CAUGHT IN THE CYBER CROSSHAIRS 245
marketing, and ultimately differentiate regarding the selection of
desired students.5
At the same time, however, Higher Ed continues to be a treasure
trove of sensitive, private and proprietary information.6 Further,
there is consistent and widespread use of innovative technology to
support teaching and learning, often within the context of
interconnected systems.7 Not surprisingly, Higher Ed remains a
prime target for hackers worldwide, placing it
directly within the Cyber Crosshairs.8
This paper explores the inherent conflict between scarce
resources and the importance of prioritizing and managing a
strong cybersecurity posture. Without careful attention, Higher
Ed institutions will run the risk of an adverse impact to
organizational health and longevity.
We will start with a brief overview of the definitions of
Personally Identifiable Information, Protected Health
Information, and business and proprietary information. These
definitions will allow us to consider the types of sensitive
information available at Higher Ed institutions.
Next, we will evaluate sample data breaches and privacy losses
impacting Higher Ed over the past two years along with common
5 Sandra Beckwith, Data Analytics Rising in Higher Education: A look at four
campus “data czars” and how they’re promoting predictive analytics, UNIVERSITY
BUSINESS (May 26, 2016), https://universitybusiness.com/data-analytics-rising-
in-higher-education/ (noting that data analytics are being used to focus upon
retention and on-time completion of courses); Four Leading Strategies to
Identify, Attract, Engage, and Enroll the Right Students, BLACKBOARD 1, 7
(2014), http://www.blackboard.com/sites/student-services/assets/pdf/white-
marketing.pdf (reinforcing the importance of a “customized communication
strategy”); HIGHER EDUCATION, supra note 3, at 22 (noting, in part, that higher
education institutions are looking to diversify offerings to better attract and
retain students).
6 A Briefing on 2017 Cybersecurity Trends in Higher Education, CTR FOR
DIGITAL EDUC. (May 23, 2017),
http://www.govtech.com/education/events/webinars/A-Briefing-on-2017-
Cybersecurity-Trends-in-Higher-Education-71014.html.
7 Donna Davis, Managing Cybersecurity in Higher Education, UNITED
EDUCATORS https://www.ue.org/education-matters/profiles-in-managing-
risk/managing-cybersecurity-in-higher-education/ (noting “little separation or
segmentation of systems and data. . . .”).
8 See Higher Education—A Goldmine of Personal Data for Hackers, HUB (Mar.
7, 2017), https://www.hubinternational.com/blog/2017/03/higher-education-
university-data-breach/ (“Higher education institutions now account for as
much as 17% of all cyber breaches, second only to healthcare.”).
themes associated with a challenging cybersecurity posture. This
will ensure a proper understanding of what can go wrong from a
data breach and privacy loss perspective.
Thereafter, we will turn to costs adversely impacting Higher Ed
and compare it to the maze of legal, regulatory, and compliance-
related consequences facing the industry. This will reinforce the
tangible, financial and reputational concerns facing Higher Ed.
Lastly, we will explore strategies for striking the right balance
between Higher Ed’s financial circumstances and the long-term
benefits of implementing cybersecurity best practices. This will
include a focus on appropriate loss control and risk financing
measures, including highlighting the importance of a written
network security and privacy policy, proper budgeting, incident
response planning, enhanced training of staff, strong vetting of
external partnerships, and comprehensive risk transfer.
2. PRIVATE AND PROPRIETARY INFORMATION:
HIGHER ED DATA AT RISK
Let us begin with a brief overview of the definitions of Personally
Identifiable Information (“PII”), Protected Health Information
(“PHI”), and business and proprietary information, including
cutting edge research and development (“R&D”). We will consider
these important definitions within the context of the types of
information readily available at Higher Ed institutions.
PII
PII has classically been defined as an individual’s first initial or
first name, coupled with his or her last name, together with at
least one private identifier.9 Qualifying identifiers include a
Social Security number, a driver’s license or state-identification
number, or a financial account, debit or credit card number combined
with the security code, PIN or password needed to use it.10 Beyond the classic
definition of private information, other data elements considered
9 See Data Breach Charts, BAKERHOSTETLER 1 (July 2018),
https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20docum
ents/Data_Breach_Charts.pdf (defining personal information as “An individual’s
first name or first initial and last name plus one or more of the following data
elements: (i) Social Security number; (ii) driver’s license number or state-issued
ID card number; or (iii) account number, credit card number or debit card
number combined with any security code, access code, PIN or password needed
to access an account. . . .” ).
10 Id.
PII, when paired with another identifier, include “citizenship or
immigration status, medical information (see PHI discussion that
follows), ethnic, religious, sexual orientation, or lifestyle
information, and account passwords, in conjunction with the
identity of an individual (directly or indirectly inferred).”11 Not
unexpectedly, PII is pervasive across Higher Ed campuses, spanning
student, parent, donor, alumni, and employee information.12 Further,
whether a Higher Ed institution safeguards this information directly
or outsources its protection to others (which shifts the work, not
the institution’s accountability to the affected individuals), PII surely
attracts the attention of bad actors.13
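One way to turn the two definitions above into a data-classification check, as an added example that is not part of the article or of the cited BakerHostetler chart: the function implements the classic name-plus-element rule, including the requirement that an account or card number only counts when a security code, PIN or password accompanies it, and flags the broader attributes (citizenship status, medical information, and so on) separately. The field names and the sample records are constructed for illustration and would be mapped from an institution’s own schemas in practice.

```python
"""Data-classification check built from the two PII definitions above.

Added example; not code from the article or from BakerHostetler.  The record
field names (first_name, ssn, card_number, pin, citizenship_status, ...) are
assumptions chosen for illustration.
"""
import re

# Elements that make a record "personal information" under the classic
# breach-notification definition once a name is present.
STANDALONE_ELEMENTS = ("ssn", "drivers_license", "state_id")

# Financial identifiers qualify under the classic definition only when the
# record also holds a credential needed to use the account.
ACCOUNT_ELEMENTS = ("account_number", "card_number")
ACCOUNT_CREDENTIALS = ("security_code", "pin", "password")

# Elements the broader definition treats as PII once tied to an identity.
EXTENDED_ELEMENTS = ("citizenship_status", "immigration_status",
                     "medical_info", "ethnicity", "religion",
                     "sexual_orientation", "lifestyle_info",
                     "account_password")

# Loose shape check so a placeholder such as "N/A" is not counted as an SSN.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def _present(record, key):
    value = record.get(key)
    return value is not None and str(value).strip() != ""


def has_name(record):
    """First name or first initial, plus last name."""
    return _present(record, "last_name") and (
        _present(record, "first_name") or _present(record, "first_initial"))


def classify(record):
    """Return which definition(s) a single record meets and why.

    classic_pii  - name + SSN/DL/state ID, or name + account/card number
                   together with a code, PIN or password (footnote 9)
    extended_pii - name + a sensitive attribute from the broader list
    A Social Security number with no name attached falls outside the quoted
    definition; it still deserves protection, but is reported separately.
    """
    classic, extended = [], []
    if has_name(record):
        for key in STANDALONE_ELEMENTS:
            if _present(record, key):
                if key == "ssn" and not SSN_RE.match(str(record[key])):
                    continue
                classic.append(key)
        accounts = [k for k in ACCOUNT_ELEMENTS if _present(record, k)]
        credentials = [k for k in ACCOUNT_CREDENTIALS if _present(record, k)]
        if accounts and credentials:
            classic.append(f"{accounts[0]}+{credentials[0]}")
        extended = [k for k in EXTENDED_ELEMENTS if _present(record, k)]
    return {"classic_pii": bool(classic), "extended_pii": bool(extended),
            "classic_elements": classic, "extended_elements": extended}


def inventory(records):
    """Count how many records in a data set fall under each definition."""
    counts = {"classic_pii": 0, "extended_pii": 0, "no_pii": 0}
    for rec in records:
        result = classify(rec)
        if result["classic_pii"]:
            counts["classic_pii"] += 1
        elif result["extended_pii"]:
            counts["extended_pii"] += 1
        else:
            counts["no_pii"] += 1
    return counts


# Constructed sample records (fictional people and numbers).
SAMPLE_RECORDS = [
    {"first_name": "Ana", "last_name": "Lopez", "ssn": "123-45-6789"},
    {"first_initial": "J", "last_name": "Okafor", "card_number": "4111111111111111"},
    {"first_initial": "J", "last_name": "Okafor", "card_number": "4111111111111111", "pin": "2468"},
    {"ssn": "987-65-4321"},
    {"first_name": "Mei", "last_name": "Chen", "citizenship_status": "F-1 visa"},
    {"first_name": "Sam", "last_name": "Reyes", "ssn": "N/A"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
    print(inventory(SAMPLE_RECORDS))
```

Run over the constructed inventory, the check shows why a card number alone does not trigger the classic definition while the same number paired with a PIN does, and why a Social Security number with no name attached is outside the quoted definition even though any real inventory would still treat it as sensitive.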
PHI
Let us turn next to the definition of PHI. According to the U.S.
Department of Health & Human Services, “[t]he HIPAA Privacy
Rule provides federal protections for [PHI] held by covered entities
[or their business associates] and gives patients an array of rights
with respect to that information.”14 PHI includes the following:
Individually identifiable health information, held or
maintained by a covered entity or its business
associates, transmitted or maintained in any form
or medium (including the individually identifiable
health information of non-U.S. citizens) …15
At the Higher Ed level, there are a number of institutions with
vast amounts of PHI, including academic medical centers and
medical research centers maintaining identifiable health
11 Michael Sweeney & Karolina Lubowicka, What is PII, and Personal Data?,
https://piwik.pro/blog/what-is-pii-personal-data/ (last updated Aug. 9, 2019).
12 CTR FOR DIGITAL EDUC., supra note 6 (diverse, data-rich digital resources
include student, parent, donor, alumni, and employee; PII ranges from payroll
information to retail transactions).
13 Lori Coleman & Bernice Purcell, Data Breaches in Higher Education, J. BUS.
CASES & APPLICATIONS 15, 15–16 (2015). In this article the authors study four
University cases involving data breaches and external actors.
14 U.S. Dep’t of Health & Human Services, What is PHI?,
https://www.hhs.gov/answers/hipaa/what-is-phi (last visited Feb. 26, 2013).
15 U.S. Dep’t of Health & Human Services, What Health Information is
Protected by the Privacy Rule?,
https://privacyruleandresearch.nih.gov/pr_07.asp (last updated Feb. 2, 2007).
information.16 In addition, it is possible that employees may be
able to file health insurance claims directly through an
institution’s human resources office.17
R&D
Lastly, beyond PII and PHI, there is also a vast amount of R&D
at Higher Ed institutions. This information ranges from grants
and contracts to proprietary trade secrets, technology, ongoing
research and publication projects (including with partners from
multiple institutions), and Intellectual Property.18
3. DATA BREACHES AND PRIVACY LOSSES:
WHAT COULD GO WRONG
Given the comprehensive nature of private and proprietary
information available at Higher Ed institutions, it should not come
as a surprise that data breaches and privacy losses are
widespread.19 In fact, Privacy Rights Clearinghouse paints a
telling picture over the past several years.20 For example, in May
2017, the data of more than 29,000 University of Oklahoma (“OU”)
students became unintentionally accessible, including Social
Security numbers, financial aid information and grades dating
back to 2002.21 The exposure arose during a migration from
SharePoint to cloud servers, when lax privacy settings left the files readable through a campus
16 Derek T. Teeter, Top 5 Common HIPAA “Myths” That Arise in Higher
Education, LEXOLOGY (2017),
https://www.highereducationlegalinsights.com/2017/05/common-hipaa-myths-
that-arise-in-higher-education/ (noting that “[i]f a student health center
provides medical treatment to non-students and bills for those services, medical
records relating to such treatment are . . . subject to HIPAA’s privacy rule.”).
17 Id. (“HIPAA may protect the privacy of medical records a college employee
submits to the institution’s health plan for purposes of making an insurance
claim.”).
18 CTR FOR DIGITAL EDUC., supra note 6.
19 Meghan Bogardus Cortez, Education Sector Data Breaches Skyrocket in
2017, EDTECH (Dec. 1, 2017) (stating that security breaches more than
doubled, increasing by 103%, between 2016 and 2017).
20 See generally Privacy Rights Clearinghouse: Data Breaches,
https://www.privacyrights.org/data-breaches (highlighting data breaches within
the context of a searchable database).
21 Dana Branham, Security Breach at OU Exposes Thousands of Students’ Data,
OKLAHOMA WATCH (Jun. 14, 2017),
http://oklahomawatch.org/2017/06/14/security-breach-at-ou-exposes-thousands-
of-students-data/.
file-sharing network.22 After becoming aware of the event, the
school’s IT department worked to secure the files.23 The U.S.
Department of Education also contacted OU to assess whether the
institution complied with its data security safeguard requirements
under federal law.24
In addition, in February 2017, a former employee in charge of
scheduling patients at WVU Medicine University Healthcare (part
of Berkeley County Medical Center) inappropriately accessed
unsecured PHI and PII of more than 7,000 individuals.25 Investigators
found the sensitive information of at least 113 patients in
the former worker’s possession, including driver’s licenses with
photos, Social Security cards and other personal information.26
Notification to impacted individuals followed, including an offer
of one year of free identity monitoring.27 As of April 2017, WVU’s
post-data breach vendor, Kroll, received over 500 calls to an
established call center.28 Legal counsel for WVU also noted that
they would be assessing procedures to make sure a comparable
breach could not happen in the future.29
Lastly, also in 2017, UCLA notified more than 30,000 current
and former students about a potential security breach stemming
22 Greg Masters, Data Breach at Oklahoma U Impacts 30K Students, SC MEDIA
(Jun. 15, 2017), https://www.scmagazine.com/data-breach-at-oklahoma-u-
impacts-30k-students/article/668731/.
23 Id.
24 Robyn Craig, U.S. Department of Education looking into Security Breach at
OU, OUDAILY (Jun. 20, 2017), http://www.oudaily.com/news/u-s-department-
of-education-looking-into-security-breach-at/article_46666450-55fb-11e7-981c-
1786c84f69a9.html.
25 WVU Medicine Announces Patient Information Breach, METRONEWS (Feb.
25, 2017), http://wvmetronews.com/2017/02/25/wvu-medicine-announces-
patient-information-breach/.
26 Id.
27 Id.
28 Hans Fogle, No New Reports of Identity Theft Following WVU Medicine
University Healthcare Data Breach, METRONEWS (Apr. 2, 2017),
http://wvmetronews.com/2017/04/02/no-new-reports-of-identity-theft-following-
wvu-medicine-university-healthcare-data-breach/.
29 Hans Fogle, Former WVU Medicine Employee Fired After Data Breach,
WEPM (Feb. 27, 2017), http://wepm.com/former-wvu-medicine-employee-fired-
after-data-breach/.
from a hack into a server containing personal data.30 UCLA
offered one year of free identity-protection services.31
Not surprisingly, a number of additional breaches occurred in
2016, including at Tidewater Community College, UC Berkeley,
and the University of Central Florida.32 For example, in March
2016, over 3,100 current and former employees of Tidewater
Community College had personal information stolen in a tax
phishing scam.33 When certain employees went to file their taxes,
they found out that someone had already done so. In addition to
providing free credit monitoring to impacted individuals,
Tidewater coordinated their breach response with the FBI and
Virginia State Police.34 They also decided to implement a new
training protocol for employees handling sensitive information.35
Beyond Tidewater, in February 2016, hackers gained
unauthorized access to UC Berkeley’s financial management
software.36 The attackers exploited a security flaw in the software
while it was being updated.37 This flaw potentially exposed Social
Security numbers and banking information for over 80,000
impacted victims, including current and former students, current
and former employees, and vendor partners.38 UC Berkeley
retained a forensics expert, provided notification to impacted
individuals, and offered free identity and credit monitoring
services.39
Lastly, in January 2016, the University of Central Florida
discovered that cyber criminals had compromised the University’s
30 30,000 UCLA Students, Former Students Warned About Potential Security
Breach, ABC7 (Aug. 5, 2017), https://abc7.com/technology/30k-ucla-students-
warned-about-potential-security-breach/2279390/.
31 Id.
32 Judy Leary, The Biggest Data Breaches in 2016, IDENTITYFORCE (Dec. 16,
2016), https://www.identityforce.com/blog/2016-data-breaches.
33 Id.
34 Matt McKinney, Data Breach Exposes Information on More Than 3,000 TCC
Employees, THE VIRGINIAN PILOT (Mar. 25, 2016),
https://pilotonline.com/news/local/crime/data-breach-exposes-information-on-
more-than-tcc-employees/article_6ab72a2f-52a0-533e-8060-a2d245c7f151.html.
35 Id.
36 Dian Schaffhauser, While 80,000 UC Berkeley Students and Staff Suffer
Breach, Campus May Suffer Suit, CAMPUS TECH. (Mar. 3, 2016),
https://campustechnology.com/articles/2016/03/03/while-80000-uc-berkeley-
students-and-staff-suffer-breach-campus-may-suffer-suit.aspx.
37 Id.
38 Id.
39 Id.
computer system and stole information from 63,000 current and
former students, faculty, and staff.40 After the discovery, the
institution reported the matter to law enforcement and launched
an internal investigation with the support of a post-data breach
vendor.41 The investigation determined that the breach actually
impacted the private information of student athletes and current
and former employees.42 As a result, the University provided
notification, free credit and identity-protection services, and set up
a call center to manage victim questions.43 The University also
called for a review of online systems, policies and training to
determine areas for improvement.44 Notwithstanding these
efforts, several lawsuits were filed against the University.45
So what do 2016 and 2017 have in common? For starters, each
of the above Higher Ed institutions had a variety of stakeholders
adversely impacted, along with a drain on its own time and
financial resources. In addition, the Higher Ed breaches and
privacy losses were largely attributable to hacking, malware and/or
unintended disclosures.46 Lastly, beyond the financial
implications, it is safe to assume that there were significant
reputational consequences as a result of these events.47
40 Leila Meyer, University of Central Florida Responds to Data Breach,
CAMPUS TECHNOLOGY (Feb. 5, 2016),
https://campustechnology.com/articles/2016/02/05/university-of-central-florida-
responds-to-data-breach.aspx.
41 Id.
42 Id.
43 Id.
44 Id.
45 Gabrielle Russon, UCF Sued a 2nd Time Over Data Breach, ORLANDO
SENTINEL, Feb. 26, 2016,
https://www.orlandosentinel.com/features/education/os-ucf-second-lawsuit-hack-
20160226-story.html.
46 Lori Coleman & Bernice Purcell, Data Breaches in Higher Educ., J. BUS.
CASES & APPLICATIONS (Dec. 2015),
http://www.aabri.com/manuscripts/162377.pdf; see also D. CHRISTOPHER BROOKS
AND JEFFREY POMERANTZ, STUDY OF UNDERGRADUATE STUDENTS AND INFO. TECH.,
EDUCAUSE (2017),
https://er.educause.edu/~/media/files/library/2017/10/studentitstudy2017.pdf?la
=en.
47 Megan O’Neil, Data Breaches Put a Dent in Colls.’ Fin. as Well as
Reputations, THE CHRONICLE OF HIGHER EDUC., Mar. 17, 2014,
https://www.chronicle.com/article/Data-Breaches-Put-a-Dent-in/145341.
4. A CHALLENGING CYBERSECURITY POSTURE
Looking beyond the individual cases above, survey data tells an
equally troubling story about how easily private and proprietary
information can be reached across Higher Ed institutions. For
example, according to the Center for Digital Education, “[s]ixty-
seven percent of respondents to a 2017 survey say their
institution’s data is either not secure or only somewhat secure.”48
The same survey also noted that “forty-eight percent of …
respondents [suggested] that their institutions either did not have,
or were not sure whether they had, security policies to protect
sensitive [R&D] and IP.”49 In essence, Higher Ed institutions are
“low hanging fruit” for bad cyber actors globally.
In a recent webinar, Dr. Steven Zink did an excellent job
summarizing various areas of importance for educational
leadership, including how Higher Ed has a tradition of open access
and inquiry, limited management hierarchy, a custom of faculty
governance and intellectual freedom, a culture of non-compliance,
a highly decentralized computing environment, late adoption of
executive level IT representation and security authority, and
funding limitations.50 HUB, a global insurance broker, highlighted
similar concerns to Dr. Zink’s, including limited security budgets,
the lack of an official IT security manager, and unprotected public
wireless access points across university campuses.51
5. DATA BREACH COSTS IMPACTING HIGHER ED
Against this backdrop, mainstream industry reports bear out the
financial exposure. The Ponemon Institute’s 2017 Cost of Data
Breach Study puts the cost per record for educational institution
breaches at $59 above the global average across all industries
($141/record global average versus $200/record educational
global average).52 In the U.S. in particular, the cost per record for
educational institution breaches is $20 higher than the U.S. all-industry
figure ($225/record U.S. average versus $245/record U.S.
48 CTR FOR DIGITAL EDUC., supra note 6.
49 Id.
50 Id.
51 HUB, Higher Education–A Goldmine of Personal Data for Hackers, (Mar. 7,
2017), https://www.hubinternational.com/blog/2017/03/higher-education-
university-data-breach/.
52 PONEMON INST., COST OF DATA BREACH STUDY: GLOBAL OVERVIEW 13 (2017).
educational average).53 Overall, these figures reinforce the
financial and reputational consequences stemming from data
breaches and privacy losses.
As to the financial implications, consider the data breach at the
Maricopa County Community College District, whose cost exceeded $26 million.54 In April
2013, the 10-college district suffered a hack that exposed Social
Security numbers and banking information of more than 2 million
people, including current and former students, staff and vendors.55
As of November 2014, Maricopa’s governing board approved
contracts totaling $26,019,436.56 According to a public report, the
largest chunk ($9.3 million) related to legal expenses, the next
highest figure concerned post-data breach consulting and
computer system repair costs ($7.5 million), the third largest
figure dealt with notification, credit monitoring and call center
costs ($7 million), and the final expenditures related to records
management, public relations and photocopying fees ($2.2
million).57
With regard to reputational consequences, general industry
spending on breaches is substantially driven by lost customer
business [41%] and customer acquisition [8%].58 Likewise, “94% [of
consumers recently surveyed] believe [an] organization itself is
solely to blame for [a] breach.”59 Furthermore, “[a]s many as 62
percent of those queried said being notified of a breach would lower
their trust and confidence in the college or university.”60 This
raises the question: why would Higher Ed institutions engage
external stakeholders to strengthen their reputation, secure
partnerships, solicit philanthropic contributions, and bolster
revenues, only to mishandle significant PII, PHI, and R&D with
53 Shalina Chatlani, Cost of Educ. Data Breaches Averages $245 per record, July
18, 2017, EDUC. DIVE, https://www.educationdive.com/news/cost-of-education-
data-breaches-averages-245-per-record/447376/.
54 Mary Beth Faller, Maricopa County Colleges Computer Hack Cost Tops $26M,
THE REPUBLIC, (Dec. 17, 2014),
https://www.azcentral.com/story/news/local/phoenix/2014/12/17/costs-repair-
massive-mcccd-computer-hack-top-million/20539491/.
55 Id.
56 Id.
57 Id.
58 PONEMON INST., COST OF DATA BREACH STUDY: U.S. 20 (2017).
59 Main Cybersecurity Problem for Colleges? Gathering Diverse Kinds of Data,
HELPNETSECURITY, (Oct. 12, 2017),
https://www.helpnetsecurity.com/2017/10/12/cybersecurity-problem-college/.
60 Id.
lax security? Compromising sensitive, personal and proprietary
information would certainly have the opposite of the desired effect.61
6. LEGAL, REGULATORY, AND COMPLIANCE-
RELATED CONSEQUENCES
If lax security practices, limited budgets, and open
environments were not enough, Higher Ed institutions should also
be deeply concerned with the myriad of legal, regulatory and
compliance-related issues that will only exacerbate the financial
and reputational consequences of a data breach or privacy loss.
These include state and federal breach notification requirements
(for PII and PHI), the Payment Card Industry Data Security Standard
(PCI DSS, for credit/debit card acceptance and the related movement of
funds), HIPAA (for PHI), FERPA (which protects the privacy of student
education records held by institutions receiving federal education
funds), potential third-party liability (most notably class
actions and regulatory proceedings), and first-party expenses
directly incurred by Higher Ed institutions (forensic costs, legal
fees, public relations expenses, business interruption and extra
expenses, notification costs, credit, health, and identity
monitoring/restoration expenses, ransom-related costs, and data
remediation fees).62
7. CYBERSECURITY LOSS CONTROL IN HIGHER
ED
So what are some best practice considerations for striking the
right balance between Higher Ed’s financial concerns and the long-
term cybersecurity consequences? Without a drastically different
approach, Higher Ed institutions run a real risk of failure. What
follows are strategies for a viable network
security and privacy policy, proper budgeting, a comprehensive
61 O’Neil, supra note 47 (suggesting that “[t]he alumni-fund-raising office might
see a downturn in giving”).
62 CARTER, LEDYARD & MILBURN LLP, CYBERSECURITY: REGULATORY LITIGATION
CONSEQUENCES OF A DATA BREACH, (Apr. 26, 2017),
http://www.clm.com/docs/7942385_1.pdf; Pamela Mills-Senn, PCI Compliance
Crackdown, U. BUS., (Feb. 3, 2015), https://universitybusiness.com/pci-
compliance-crackdown/; Jason Hall, Cyber Security and FERPA regulation –
Five Steps for Better Cyber Security to Protect Student Data, INT’L PATHWAYS,
(Feb. 22, 2016), https://www.linkedin.com/pulse/cyber-security-ferpa-
regulations-five-steps-better-data-hall-mba?articleId=8104367194687027052.
incident response plan, and robust training for phishing and
strong passwords.
Written Network Security and Privacy Policy
First, an institution’s written network security and privacy
policy should be continually re-assessed and properly funded as
part of the university’s strategic plan. Considering the substantial
focus upon hacking, malware and unintended disclosures within
the Higher Ed environment, institutions should earmark funds for
penetration testing (to find weaknesses or holes in the
institution’s systems before an attacker does),63 intrusion detection
systems (the network equivalent of a house alarm, answering whether
bad actors are already inside the network),64 timely patches and system
updates (to close known vulnerabilities that allow inadvertent
disclosure of information or easier access),65 two-factor
authentication (so that a stolen password alone does not grant entry
to an institution’s systems),66 securing the wireless environment,67
and encryption for sensitive PII, PHI and R&D (with the encryption
keys stored separately from the data they protect).68
63 See Eric Basu, What is a Penetration Test and Why Would I Need One For My
Company?, FORBES (Oct. 13, 2013),
https://www.forbes.com/sites/ericbasu/2013/10/13/what-is-a-penetration-test-
and-why-would-i-need-one-for-my-company/#e402ba818a0d (exploring “the real-
world effectiveness of . . . existing security controls against an active, human,
skilled attacker.”).
64 See DEP’T OF HOMELAND SECURITY, INTRUSION DETECTION AND PREVENTION
SYSTEMS (Aug. 2013), https://www.dhs.gov/publication/intrusion-detection-and-
prevention-systems (highlighting systems used to detect and identify possible
threats to a system).
65 See JLT, What are Security Patches, (Oct. 5, 2017),
https://www.jltspecialty.com/our-insights/publications/cyber-decoder/what-are-
security-patches (defining patching to include “software updates, usually
released to improve … performance or fix bugs and security vulnerabilities in
software already installed on computers, IT systems and devices.”).
66 See Seth Rosenblatt and Jason Cipriani, Two-factor authentication: What you
need to know (FAQ), CNET, (Jun. 15, 2015), https://www.cnet.com/news/two-
factor-authentication-what-you-need-to-know-faq/ (noting that two factor
authentication adds a second level of authentication to an account log-in).
67 Fed. Trade Comm’n, Securing Your Wireless Network, FED. TRADE COMM’N
(Sept. 2015), https://www.consumer.ftc.gov/articles/0013-securing-your-wireless-
network.
68 APRICORN, ENCRYPTION IN EDUCATION,
https://www.apricorn.com/media/pressreleases/file/e/d/education_data_encryptio
n_whitepaper.pdf (noting that “Encryption transforms data to make it
unreadable without authorized access.”); PONEMON INST., supra note 52, at 17
Budgeting
Budget constraints (41 percent) and a lack of
trained personnel (21 percent) are among the top
challenges facing security specialists in education.
Colleges and universities report employing an
average of twenty dedicated security employees,
half that of most industries. This notable shortage
of security personnel results in a lack of proper
threat investigation and remediation. It is also
hindering the deployment of innovative
technologies or processes that could strengthen
their security posture.69
Second, while industry experts offer different approaches to
budgeting, the higher end numbers often reach 13-15%.70 Given
the amount of private and proprietary information available
within Higher Ed generally, and the substantial costs per record,
institutions should carve out a comparable range of their IT
budgets to ensure a viable cybersecurity posture. The
implementation of the budget should be prioritized between IT and
institutional leadership and include a yearly risk assessment for
roadmap purposes.71 If cybersecurity is outsourced, meaningful
(noting that one of the factors that decreases the cost of a data breach or privacy loss includes extensive use of encryption—$16.1/record reduction).
69 CISCO, ANNUAL CYBERSECURITY REPORT: IMPACTS ON PUBLIC SECTOR (2018), https://www.noacsc.org/wp-content/uploads/2018/05/Cisco2018AnnualCybersecurityReportImpactsOnPublicSector.pdf.
70 Stickman, How Much Should you Invest in Cybersecurity?, (Jan. 2, 2018), https://www.stickman.com.au/how-much-should-you-invest-in-cybersecurity/ (stating that 13.7 percent seems fairly reasonable and provides a nice reference point); Global Data Sentinel, How Much Should Companies Spend on Cyber Security?, GLOBAL DATA SENTINEL (Dec. 28, 2016), https://www.globaldatasentinel.com/the-latest/how-much-should-companies-spend-on-cyber-security/ (“The range of spending was between 1 percent and 13 percent for the companies surveyed.”); Paul Rubens, Why You Should be Spending More on Security, CIO (Apr. 1, 2015), https://www.cio.com/article/2904364/security0/why-you-should-be-spending-more-on-security.html (“According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent.”).
71 See Ilia Kolochenko, Cybersecurity Spending: More Does Not Necessarily Mean Better, CSO (Apr. 4, 2016),
2019] CAUGHT IN THE CYBER CROSSHAIRS 257
communication and engagement should occur to replicate an in-
house IT team approach.72 Regardless of in-house versus
outsourcing, the consequences are too significant not to allocate
proper resources up-front.
Alternatively, Xuyen Bowles, director of sales, training &
marketing at Sentek Global, offers a more systematic approach for
tailoring an institution’s needs to a specifically allocated
cybersecurity budget figure.73 The process starts with a
comprehensive risk assessment measuring the probability of a
network security and privacy event coupled with the costs
associated with such an event.74 Following the risk assessment,
Ms. Bowles suggests using the Gordon-Loeb Model, a cybersecurity
risk assessment tool developed by researchers at the University of
Maryland, to quantify the budget.75 With Higher Ed in
mind, the Gordon-Loeb Model consists of four steps, including:
(1) estimating the value of the information the institution is
looking to protect;
(2) estimating the probability that each information set will be
compromised as well as assigning each set with a
vulnerability score based on its probability of being
attacked;
(3) prioritizing the information set by developing a grid with a
vulnerability assessment (low value/low vulnerability to
high value/high vulnerability) and then calculating
potential loss by multiplying the information’s value by its
probability of a breach; and
(4) identifying which information sets are most crucial to
prioritize and spend money on.76
https://www.csoonline.com/article/3051123/leadership-management/cybersecurity-spending-more-does-not-necessarily-mean-better.html (noting that “[c]ybersecurity budgeting should start with a holistic and comprehensive risk assessment”).
72 See 5 Reasons Why You Should Outsource Your Cybersecurity, AFFINITY IT SECURITY SERVICES, https://affinity-it-security.com/5-reasons-why-you-should-outsource-your-cybersecurity/ (last visited Mar. 30, 2019) (discussing how to retain control of your infrastructure and operations while outsourcing).
73 See Xuyen Bowles, What’s a Good Cybersecurity Budget & How Do I Get It?, SC MEDIA (July 27, 2017), https://www.scmagazine.com/whats-a-good-cybersecurity-budget-how-do-i-get-it/article/672371/.
74 Id.
75 Id.
76 Id.
Overall, the Gordon-Loeb Model cautions that budgets should not
exceed 37% of total expected losses as the security offered by such
a budget yields diminishing returns with increased spending.77
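The four Gordon-Loeb steps and the 37% ceiling described above, carried through as an added Python example that is not from the paper, Sentek Global, or the model's authors. The information sets, dollar values, probabilities, vulnerability scores and grid thresholds are constructed for illustration, and the proportional split of the ceiling among sets is an assumption rather than part of the model as the paper states it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Upper bound on security spend as a share of total expected loss, as the paper states (37%).
GORDON_LOEB_CAP = 0.37


@dataclass(frozen=True)
class InfoSet:
    """One information set the institution wants to protect."""
    name: str
    value: float          # step 1: estimated value of the information set (USD)
    probability: float    # step 2: estimated probability of compromise in the budget period
    vulnerability: float  # step 2: vulnerability score in [0, 1] (likelihood of being attacked)

    def __post_init__(self) -> None:
        # Reject inputs the model cannot use: out-of-range scores or negative values.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie in [0, 1]")
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.name}: vulnerability must lie in [0, 1]")
        if self.value < 0:
            raise ValueError(f"{self.name}: value must be non-negative")

    def potential_loss(self) -> float:
        # Step 3: potential loss = information value x probability of a breach.
        return self.value * self.probability


def grid_cell(info: InfoSet, value_threshold: float, vuln_threshold: float) -> str:
    """Step 3: place a set on the low/high value vs. low/high vulnerability grid.

    The thresholds are assumptions; the paper does not say where 'low' ends.
    """
    value_label = "high value" if info.value >= value_threshold else "low value"
    vuln_label = "high vulnerability" if info.vulnerability >= vuln_threshold else "low vulnerability"
    return f"{value_label}/{vuln_label}"


def prioritize(info_sets: List[InfoSet], value_threshold: float,
               vuln_threshold: float) -> List[Tuple[str, str, float]]:
    """Step 4: rank information sets by potential loss, largest first.

    Returns (name, grid cell, potential loss) so the ranking and the grid can be reviewed together.
    """
    ranked = sorted(info_sets, key=lambda i: i.potential_loss(), reverse=True)
    return [(i.name, grid_cell(i, value_threshold, vuln_threshold), i.potential_loss())
            for i in ranked]


def total_expected_loss(info_sets: List[InfoSet]) -> float:
    return sum(i.potential_loss() for i in info_sets)


def spending_ceiling(info_sets: List[InfoSet]) -> float:
    """The paper's rule of thumb: security spend should not exceed 37% of total expected loss."""
    return GORDON_LOEB_CAP * total_expected_loss(info_sets)


def within_ceiling(proposed_budget: float, info_sets: List[InfoSet]) -> bool:
    """True when a proposed cybersecurity budget stays at or under the 37% ceiling."""
    return proposed_budget <= spending_ceiling(info_sets)


def split_ceiling(info_sets: List[InfoSet]) -> Dict[str, float]:
    """Assumption (not part of the model as the paper states it): divide the ceiling
    among the sets in proportion to each set's share of total expected loss."""
    total = total_expected_loss(info_sets)
    ceiling = spending_ceiling(info_sets)
    if total == 0:
        return {i.name: 0.0 for i in info_sets}
    return {i.name: ceiling * i.potential_loss() / total for i in info_sets}


# Constructed sample inputs for a hypothetical institution (illustrative figures only).
SAMPLE_SETS = [
    InfoSet("student PII (SIS)", value=2_000_000, probability=0.20, vulnerability=0.8),
    InfoSet("research data (R&D)", value=5_000_000, probability=0.05, vulnerability=0.3),
    InfoSet("health records (PHI)", value=1_500_000, probability=0.10, vulnerability=0.7),
    InfoSet("public course catalog", value=50_000, probability=0.30, vulnerability=0.9),
]

if __name__ == "__main__":
    for name, cell, loss in prioritize(SAMPLE_SETS, value_threshold=1_000_000, vuln_threshold=0.5):
        print(f"{name:<24} {cell:<34} potential loss ${loss:>12,.0f}")
    print(f"total expected loss: ${total_expected_loss(SAMPLE_SETS):,.0f}")
    print(f"37% spending ceiling: ${spending_ceiling(SAMPLE_SETS):,.0f}")
    for name, share in split_ceiling(SAMPLE_SETS).items():
        print(f"  {name:<24} ${share:>10,.0f}")
```

With the sample figures the ranking puts student PII first despite R&D carrying the highest value, because the model weights value by breach probability, and the 37% ceiling comes out at $301,550 against $815,000 of total expected loss.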
Incident Response Planning
Third, an Incident Response Plan should be sufficiently outlined
and tested prior to an actual breach or privacy loss.78 The Incident
Response Plan (“IRP”) should consider the following key steps:
Pre-Event IRP Steps
The first pre-event IRP step for Higher Ed will be to establish
an internal incident response team.79 Members should include
diverse representatives, including institutional leadership, IT,
compliance, legal, marketing and communications, human
resources, and audit personnel.80 Out of this group, the institution
should designate an internal breach manager (or lead) who is
capable of managing communications effectively across the
particular institution.81
The next pre-event IRP step will be to create a short list of the
external team, including a pre-approved network security and
privacy attorney (or breach coach), law enforcement contacts (at
the state and federal levels), and a post-data breach team (for
example, a forensics firm with appropriate expertise).82
Ultimately, a pre-approved network security and privacy attorney
will be the quarterback for assisting in the institution’s build of a
post-data breach panel of experts.83 Pre-approving relationships
77 Id.
78 See PONEMON INSTITUTE, supra note 52, at 6 (explaining that an incident response team reduces the cost of a data breach or privacy loss by $19 per record).
79 See Tom Hagy, When a Data Breach Happens: Be Ready, Be Calm, and Preserve Evidence, LEXISNEXIS: CORPORATE LAW ADVISORY, https://www.lexisnexis.com/communities/corporatecounselnewsletter/b/newsletter/archive/2013/05/05/when-a-data-breach-happens-be-ready-be-calm-and-preserve-evidence.aspx (last visited Mar. 30, 2019) (“To prepare . . . ‘[i]t’s about getting a team together.’”).
80 LARISSA K. CRUM & BRIAN ZAWADA, FINDING THE RIGHT BALANCE: DATA BREACH PREVENTION VS. RESPONSE (2010), http://cbp.lsu.edu/wp-content/uploads/docs/366DataBreachPreventionvsResponse.pdf.
81 Id.
82 ALLCLEAR ID, INC., DATA BREACH INCIDENT RESPONSE WORKBOOK 5-7 (2014).
83 See id. at 2 (stressing the importance of getting outside professionals to review the plan).
will assist with controlling costs at the point of a data breach or
privacy loss.84
The third pre-event IRP step will be to create a 24/7 contact list
of both the internal and external teams.85 That way, there will be
ease of communication from within and outside an institution.
The last pre-event IRP step will be ensuring that internal staff
is appropriately trained on the IRP.86 This includes prompt
communication of updated versions of the IRP, as well as tabletop
exercises to simulate a data breach or privacy loss.87 Similar to the
benefit of studying in advance for a test, replicating an actual
event will ensure that your Higher Ed institution is better
prepared to mitigate losses and protect the bottom line.
Post-Event IRP Steps
If an event occurs, and it likely will, tapping into your pre-
approved network security and privacy attorney will be crucial.88
This will ensure appropriate legal oversight and the ability to rely
upon attorney-client privilege and/or work product strategies in
the event of subsequent litigation.89 There will also be a variety of
areas to consider such as a forensic analysis, notification to
impacted parties, retention of post-data breach experts to
minimize adverse consequences, and reputational management.
Each of these areas is highlighted in additional detail below.
84 See Craig Hoffman, How and Why to Pick a Forensic Firm Before the Inevitable Occurs, BAKERHOSTETLER (Nov. 16, 2015), https://www.dataprivacymonitor.com/cybersecurity/how-and-why-to-pick-a-forensic-firm-before-the-inevitable-occurs/ (recognizing the difficulty of negotiations under emergency conditions).
85 ALLCLEAR ID, supra note 82, at 9.
86 Id. at 7-8.
87 See id. at 2 (stressing the importance of making employees familiar with the plan).
88 Id.
89 Elissa Doroff & Melissa Ventrone, Protecting Privilege: Strategies to Keep Post-Cyber Breach Activities from Disclosure, AXA XL (Apr. 25, 2016), https://axaxl.com/fast-fast-forward/articles/protecting-privilege_-strategies-to-keep-post-cyber-breach-activities-from-disclosure.
Forensic Analysis
A forensic analysis will need to be undertaken to assess the
nature and extent of the data breach or privacy loss.90 This
analysis will include making a determination about the type of
private and proprietary information at stake, along with potential
notification obligations to impacted parties, commonly referred to
as compliance assessment.91 Assuming private and/or proprietary
information has actually, or potentially, been compromised,
notification via one’s agent or broker to the applicable insurance
carrier(s) will be crucial.92 Depending upon one’s negotiated
insurance policy, the carrier may have an interest in partnering in
the ongoing selection of retained legal and/or post-data breach
firms.93 In the event one is looking for certainty in managing these
relationships up-front, in order to avoid duplication of services and
extra costs, policy terms and conditions should clearly outline who
has the right to select and retain key relationships.94 Furthermore,
in order to avoid compromising coverage, special attention should
be given to the timeliness of reporting events generally.95
90 Patrick Haggerty, 3 Tips For Using Forensic Firms In Data Breach Response, LAW360 (Mar. 23, 2017), https://www.law360.com/articles/927094/3-tips-for-using-forensic-firms-in-data-breach-response.
91 See IT FORENSIC SERVICES, INVESTIGATING A DATA BREACH 1-2 (2014), https://www.ey.com/Publication/vwLUAssets/IT_Forensic_Services_-_Investigating_a_data_breach/$File/EY-IT-Forensic-Services-Investigating-a-data-breach.pdf (identifying the “who, what, when and how” of a breach and advising reporting and notification practicalities).
92 See 4 Steps to Help Manage a Data Breach, TRAVELERS INSURANCE, https://www.travelers.com/resources/cyber-security/how-to-manage-a-data-breach-the-safe-way (last visited Mar. 3, 2019) (describing how setting the strategy includes contacting your insurance agent and carrier).
93 See Craig R. Blackman, Cyber Insurance And The Defense Conundrum, PAMIC (Summer 2017), https://www.stradley.com/-/media/files/publications/2017/08/blackman---updated---cyber-insurance-and-the-defense-conundrum.pdf (stating that “[i]t is not uncommon in the cyber insurance market that the insurer controls the defense of claims under the policy”).
94 See id. (discussing the importance of policy control).
95 See Insurance Recovery: Can Your Company Handle a Data Breach and Are You Insured?, PERKINS COIE, https://www.perkinscoie.com/en/insurance-recovery-resource-library-1/cyber-attacks-and-data-breaches-insurance.html (last visited Mar. 3, 2019) (emphasizing that “[t]he policyholder should provide prompt notice of a claim or circumstances to relevant carriers”).
Notification to Impacted Parties
Assuming notification to impacted individuals is required, an
appropriate mapping must occur based upon the victims’
locations.96 Depending upon the size and nature of the event,
different venues will have specific notification requirements (e.g.,
email, mailing, etc.).97 Additionally, expertise in implementing
appropriate notification template strategies will be the key to
minimizing costs.98 As a part of the notification process, thoughtful
consideration must be given to call center operations, frequently
asked questions (in response to stakeholders), and applicable
monitoring and/or restoration services, such as identity, credit,
and/or healthcare.99 Beyond interacting with impacted victims,
simultaneous strategies should be implemented with regard to
managing relationships at the state and/or federal levels (e.g.,
attorneys general) and ensuring public relations communications
are crisp and timely (reputational management).100
Post-Data Breach Experts
In the event a Higher Ed’s systems have been compromised,
data restoration experts may need to be tapped in order to
96 See Christopher Wolf, Introduction to Data Security Preparedness with Model Data Security Breach Preparedness Guide, IAPP (Apr. 2012), https://www.americanbar.org/content/dam/aba/administrative/litigation/materials/sac_2012/22-15_intro_to_data_security_breach_preparedness.authcheckdam.pdf (instructing the principal to identify legal jurisdictions involved by determining the location of customers, employees, and/or systems affected by the breach).
97 Louis Dempsey, Data Breach! What to Know About Where to Go . . ., NATIONAL SOCIETY OF COMPLIANCE PROFESSIONALS (May 2017), http://www.rrscompliance.com/documents/News/Data_Breach!_What_to_Know_About_Where_to_Go.pdf.
98 Id.; see generally Wolf, supra note 96.
99 Wolf, supra note 96.
100 See Jenny A. Durkan & Alicia Cobb, Breach Response: After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?, CYBERSECURITY LAW REPORT (May 20, 2015), https://www.quinnemanuel.com/media/1125067/cslr_after-a-cyber-breach-what-laws-are-in-play-and-who-is-enforcing-them.pdf (stating that “[a]ny significant breach involving consumer information likely will draw the attention of multiple state attorneys general”); see also Dan Twersky, Cyber Public Relations Expenses, WILLIS TOWERS WATSON WIRE (Dec. 18, 2015), https://blog.willis.com/2015/12/cyber-public-relations-expenses/ (discussing how public relations expenses may help mitigate negative media attention).
preserve and/or recover critical information.101 Similarly, to the
extent that an institution’s systems have been impaired from
functioning, a Higher Ed institution may find itself managing
extra costs that it did not anticipate in order to continue business
operations (referred to as “Extra Expenses”) or facing substantial
business interruption losses generally (perhaps an inability to
close a deal and win a desired student for tuition purposes).102
Avoiding Data Breaches or Privacy Losses: Training for Phishing
and Strong Passwords
Fourth, targeted best practices for Higher Ed institutions should
include training for phishing and the use of strong passwords.103
Phishing
Phishing is defined as “a technique used to gain personal
information for purposes of identity theft, using fraudulent email
messages that appear to come from legitimate businesses.”104 The
goal of Phishing is “to fool recipients into divulging personal data
such as account numbers and passwords, credit card numbers and
Social Security Numbers.”105 In terms of managing against
Phishing threats, recommendations might include being cautious
about individuals and organizations asking for private and
proprietary information, evaluating the legitimacy of an email by
assessing whether the message originates from a different domain
101 Best Practices: Backing Up Data, TREND MICRO (Sept. 7, 2017), https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/best-practices-backing-up-data (noting that “[i]n one of the most significant cyberattacks of 2017, the WannaCry outbreak caused massive damage . . . to businesses around the world”).
102 Business Interruption and Cyber Incidents Dominate 2018 Risk Landscape, According to Allianz Risk Barometer, BUSINESS WIRE (Jan. 16, 2018), https://www.businesswire.com/news/home/20180116005424/en/Business-Interruption-Cyber-Incidents-Dominate-2018-Risk/ (noting that cyber incidents are the most feared Business Interruption trigger).
103 PONEMON INSTITUTE, supra note 52, at 17 (reporting that a third factor that decreases the cost of a data breach or privacy loss includes employee training—a $12.5/record reduction).
104 Russell Kay, Phishing, COMPUTERWORLD (Jan. 19, 2004), https://www.computerworld.com/article/2575156/security0/phishing.html.
105 Id.
(a red flag), or generally looking for spelling and grammatical
errors in the communication.106
Strong Passwords
In addition to phishing, Higher Ed needs to consider the
implementation of a strong approach to password management.107
This might include creating passwords with a combination of
words, numbers, symbols, and upper- and lower-case letters, or
contemplating words that form a complex phrase or sentence.108
8. CYBERSECURITY RISK FINANCING IN HIGHER ED
In addition to loss control, Higher Ed should consider
appropriate risk financing strategies, including effective contract
management with vendors and comprehensive cyber insurance to
properly address third-party liability and first-party expense
issues stemming from a data breach or privacy loss.109
Contract management and outsourcing
Beginning with contract management, if outsourcing does occur,
Higher Ed institutions should make sure that they properly vet
partnerships, including desired security standards.110 Bottom line,
Higher Ed institutions are accountable for the private and
proprietary information provided to third-party service providers
and small to mid-size institutions will struggle with bargaining
power regarding favorable indemnification and hold harmless
contract language.
106 Best Practices: Identifying and Mitigating Phishing Attacks, TREND MICRO (Feb. 10, 2017), https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attack
107 See Brian Krebs, Password Do’s and Don’ts, KREBS ON SECURITY, https://krebsonsecurity.com/password-dos-and-donts/ (last visited Mar. 9, 2019) (providing instructions on how to create strong passwords).
108 Id.
109 PONEMON INSTITUTE, supra note 52, at 17 (reporting that a final factor that decreases the cost of a data breach or privacy loss includes third party involvement—$16.9/record reduction).
110 Teresa Meek, Outsourcing Cybersecurity: When And How To Bring In Contractors, FORBES (May 27, 2017), https://www.forbes.com/sites/eycybersecurity/2017/03/27/outsourcing-cybersecurity-when-and-how-to-bring-in-contractors/#fbe31266ca15 (noting that “[s]uccessful outsourcing . . . requires careful vetting of the contractor”).
Cyber Insurance
In addition to contract management, Higher Ed institutions
need to look for a variety of insurance coverages.111 For starters,
third-party liability insurance provides several key features,
including defense costs and indemnity coverage associated with
claims (e.g., lawsuits) brought against the Higher Ed institution
by others (e.g., employees, students, donors).112 At a more granular
level, specific coverages often include triggers for network security
and privacy features, regulatory defenses and fines, penalties,
consumer redress funds, PCI fines and assessments, system-to-
system exposures, and impaired access injuries.113 Relatedly, if an
institution chooses to outsource responsibility, policies may often
address coverage for third-party service providers.114 Each of
these third-party liability coverages is explored below.
Network security and privacy triggers
Higher Ed institutions should be looking to transfer risk for both
unauthorized access to systems (a network security exposure) and
negligent disclosure of private and proprietary information (a
privacy exposure).115 Examples previously addressed include
hacking, malware, rogue employees, and inadvertent disclosure of
private information. Very importantly, from a private information
perspective, a comprehensive definition should be included with a
catch all for “private information as defined by law.”116 Using a
catch all (in addition to more specific definitions of PII and PHI),
will make sure that the coverage evolves with the times and
anticipates legal and regulatory changes. Furthermore, business
and proprietary information should be readily captured as a third-
party partner may sue an institution for compromising R&D in its
care, custody, and control.117
Regulatory coverage
Not unlike other industry segments, the state and federal
government will be interested in whether a Higher Ed institution
111 Richard S. Betterley, Cyber/Privacy Insurance Market Survey—2017, THE BETTERLEY REPORT, June 2017, at 1, 8-9.
112 Id. at 23-34.
113 Id. at 48-62.
114 Id. at 96-117.
115 Id. at 8-9.
116 Id. at 62-64.
117 Betterley, supra note 111, at 62-64.
is complying with its publicly stated position on network security
and privacy. In addition to addressing defense costs associated
with an enforcement action (e.g., an action by the government
against an institution to determine compliance with a network
security and privacy policy), policies should cover regulatory fines
and consumer redress funds (the latter, funds to compensate
victims associated with a particular breach or privacy loss).118
PCI insurance
As suggested earlier, Higher Ed institutions standardly manage
(or perhaps even outsource) responsibility for payment card
information. Regardless of which path they choose, failing to
properly protect card data (PII) can result in PCI fines (e.g.,
penalties) and assessments (e.g., fraud recovery losses and
notification costs being shifted to the institution for not adhering
to industry standards). A robust insurance program will check off
the box for PCI coverage and ensure a proper limit of liability that
corresponds with an institution’s exposure.119
System-to-System exposures
It is fair to assume that Higher Ed routinely targets diverse
stakeholders with institutional communications, including
prospects, students, parents, donors, and alumni. To the extent
institutions are impacted by bad actors (e.g., malware, phishing),
they have the potential to inadvertently transmit viruses from
their systems to these stakeholders. Consequently, a viable cyber
insurance program will ensure proper liability coverage for
system-to-system exposures.120
Impaired Access injuries
With the growth of online content being delivered
internationally, students (customers) are often accessing
institutional systems (e.g., Blackboard) to take a variety of classes.
If a cyber-attack impacted the ability of an institution to timely
provide access to services (e.g., an impaired access exposure),
institutions have the potential to be sued by students (including
118 Id. at 55-57.
119 Id. at 58-59.
120 Id. at 12.
on a class action basis). As a result, cyber insurance should
routinely include impaired access coverage.121
Outsourcing
In an effort to control costs, and perhaps maximize technical
expertise, Higher Ed institutions may outsource responsibility for
private and proprietary information to third-party service
providers. A word of caution, outsourcing does not negate an
institution’s legal responsibility for adequately protecting the
information. As a result, cyber insurance should be broadly crafted
to capture third-party service provider relationships and desired
capacity (how much coverage is being carried) should match the
institution’s primary limits of liability.122
First-party expense
In addition to third-party liability coverages, Higher Ed
institutions should also carefully analyze the diversity of first-
party expense coverages from a risk transfer perspective.123 While
not all exposures are readily insurable, first-party insurance
provides several standard features, including reimbursement for
expenses that the institution incurs regardless of whether a third-
party liability claim is brought. Specific coverages often include
crisis management and privacy notification expenses, business
interruption and extra expense losses, cyber-extortion expenses,
and data remediation costs.124 Like the third-party liability
coverages, if an institution chooses to outsource responsibility for
private information, policies should be built to address third-party
service providers.125 Let us look at each of these coverages in turn:
Crisis Management Expenses
To the extent an event occurs, a Higher Ed institution will need
to retain a forensic expert to evaluate the nature and scope of the
impacted information. Further, a network security and privacy
attorney must evaluate the legal and compliance-related
requirements associated with the compromised data. Lastly, it will
be important to proactively manage advertising and public
121 Id. at 23-34.
122 Id. at 96-117.
123 Betterley, supra note 111, at 65-67.
124 Id. at 65-67, 78-81.
125 Id. at 96-117.
relations messaging surrounding the event. As a result, Crisis
Management Expense coverage will reimburse institutions for the
cost of a forensic evaluation, legal and compliance-assessments,
and public relations costs.126 Forensic and legal expenses, in
particular, are very critical coverages which often drive significant
exposure to a company’s bottom line.127
Privacy Notification Expenses
After performing forensics, and assessing legal and compliance-
related obligations, a Higher Ed institution may need to notify
others (e.g., impacted students, parents, donors, and employees)
impacted by a data breach or privacy loss.128 Privacy Notification
Expenses will reimburse for the cost of notification along with
providing key monitoring and/or restoration services to victims.129
Depending upon the nature of the information, examples might
range from credit and identity, to healthcare records monitoring
and/or restoration.
Business Interruption and Extra Expenses
A data breach or privacy loss has the potential for an institution
to incur expenses that it would not have otherwise incurred but for
the event. Here, extra expenses, or reasonable expenses that a
company incurs to continue business operations, are transferred
from an institution to an insurance carrier.130 Moreover, to the
extent an event is severe enough to compromise an institution
from doing business, Business Interruption Expenses may be
purchased to transfer risk.131
Cyber Extortion Expenses
Consider the possibility that a hacker obtains full control over
your systems and looks to extort payment (perhaps from a rainy
day fund) in order to release control back to the institution. Sound
unthinkable? In fact, just the opposite is true, as ransom-related
demands have skyrocketed against a diverse number of industries.
With insurance, Cyber Extortion Expense coverage can be
126 Id. at 65-67.
127 Id. at 25.
128 Id. at 9.
129 Betterley, supra note 111, at 65-67.
130 Id. at 23-34.
131 Id. at 12.
considered, including the cost of a negotiator and ransom
payments made directly to a hacker.132
Data Remediation Costs
A network security event has the potential to wreak havoc with
a Higher Ed institution’s system functionality. This raises the
primary issue about the costs to correct the system(s) but also the
secondary issue associated with the cost to rebuild data, including
cutting edge R&D that might otherwise be lost. As such, a robust
cyber insurance program will include Data Remediation Cost
coverage.133 This will ensure that systems are corrected and that
viable content is potentially preserved for future usage.
A Reminder About Outsourcing
As noted above, Higher Ed institutions often outsource
responsibility for private and proprietary information to third-
party service providers. However, outsourcing does not negate an
institution’s legal and compliance-related responsibilities for
adequately protecting information (think notification and
monitoring/restoration). Therefore, cyber insurance should be
broadly crafted to capture third-party service provider
relationships and desired capacity (how much coverage is being
carried) should match the institution’s primary limits of
liability.134
SUMMARY AND CONCLUSIONS
Higher Ed institutions need to appreciate that they are not
immune from hackers or even simple employee negligence.
Notwithstanding their struggles with enrollment and budgetary
restrictions, institutions have diverse and sensitive PII, PHI, and
R&D worth aggressively protecting.
This paper explored the inherent conflict between scarce
financial resources and the importance of prioritizing and
managing a strong cybersecurity posture. It emphasized themes
associated with data breaches and privacy losses, including
hacking, malware, and unintended disclosure. It also reinforced
the challenging cybersecurity landscape within Higher Ed along
with legal, regulatory, and compliance-related consequences that
have the potential to exacerbate the financial and reputational
132 Id. at 84-87.
133 Id. at 65-67.
134 Id. at 96-117.
concerns associated with a data breach or privacy loss. Lastly, the
paper explored best practices for striking the right balance
between Higher Ed’s financial circumstances and the long-term
benefits of implementing robust cybersecurity strategies. This
included a focus on appropriate loss control and risk financing
measures such as the importance of a written network security
and privacy policy, proper budgeting, incident response planning,
enhanced training of staff, strong vetting of external partnerships,
and comprehensive risk transfer.
Overall, appropriate investment in cybersecurity must be taken
to protect Higher Ed’s fortress. The failure to do so has the
potential to reduce sustainable growth, isolate key stakeholders,
and detrimentally impact organizational health and longevity.