University of Connecticut, City College of San Francisco, University of Central Florida, University of Virginia, University of Northern Iowa, Southern New Hampshire University; aside from being institutions of higher education, what do these schools have in common? Answer: They each suffered a data breach in 2016.
It's not hard to see why colleges and universities are prime targets for hackers. Higher educational institutions collect large sets of varying types of data: healthcare records, educational records, financial information, credit card information, personal information for students and employees, sensitive research and development records, and more. These data sets are highly profitable to hackers on the black market, and higher educational institutions can be a one-stop shop for a hacker looking to maximize the number and types of data acquired.
The value of these records is underscored by the fact that each of these data types is regulated by a different set of rules which are overseen by a different state, federal, or even international governmental entity. Colleges and universities sit at the intersection of these different laws and regulations, including the following:
- Family Educational Rights and Privacy Act (FERPA)1. This law generally governs educational records and applies to any school that receives funds from the Department of Education. While FERPA does not have a specific section involving data breach, it does provide that no funds shall be made available to an institution that has a policy or practice of permitting the release of protected information. A failure to maintain adequate cybersecurity and data protection measures could therefore result in the loss of federal funds.
- Health Insurance Portability and Accountability Act (HIPAA)2 . This law generally governs healthcare records and can apply to a college or university health center or medical school. An unauthorized access to health records triggers specific notification requirements to both the Department of Human Services and the patient. Harsh fines can be imposed for noncompliance.
- Gramm-Leach-Bliley Act (GLBA)3 . This law generally applies to financial institutions, and can apply to colleges and universities that engage in lending funds, collecting loan payments, or facilitating the process of financial aid. While colleges and universities are exempt from certain GLBA requirements provided they are in compliance with FERPA, the GLBA "safeguarding rules" still apply to institutions of higher education. The safeguarding rules necessitate development, implementation, and updating of a coordinated security program and employee training, among other requirements.
- State Data Breach Notification Laws. Nearly every state has passed some form of a data breach notification law, which generally requires that notice of a data breach be provided to the affected individuals and sometimes also to the state in which the breach occurred. Many states require provisions of credit monitoring services for affected individuals, as well. These laws apply based on the resident state of the individual whose information was breached, so a college or university with students from all over the country has to comply with the laws of each state.
For now, the federal laws mentioned above do not preempt the applicable state laws; thus colleges and universities have to comply with all the federal laws as well as the state specific data breach notification requirements in the event of a data security incident.
- Payment Card Industry Data Security Standards (PCI-DSS)4 . Credit card companies, including Visa, MasterCard and American Express, have created standards which apply to any institution accepting credit card payments. Failure to comply with PCI-DSS could result in the imposition of fines or the loss of ability to accept credit card payments, among other penalties.
- International Laws. To the extent that colleges and universities have foreign students or international branch campuses, foreign data breach laws may also apply. For example, the 1995 EU Directive and various EU member nations have strict privacy laws and correspondingly harsh fines for unauthorized release of an EU resident's information. The passage of the new General Data Protection Regulation in 2016 will heighten protections over EU residents' data and likely require reporting of any data breach immediately to the appropriate EU officials.
Higher educational institutions are in a precarious position concerning the ramifications of a data breach, as multiple legal requirements and reporting obligations can be triggered by a single data security event. Each of these laws and regulatory schemes carries different requirements and consequences, fines and penalties for noncompliance, and potential investigation by federal, state, or international government entities. Moreover, violations of these laws could be used in litigation by students, faculty, and staff to prove private claims against the college or university for release of their personal information.
While these laws impose fines and penalties for release of a student's or employee's information, the common theme to be used when navigating through the myriad of laws is preparedness by the institution. Nearly all of these laws, if not by outright requirement then at least by a "best practices" suggestion, emphasize the importance of creating, maintaining, testing and updating a data breach security incident response plan. For institutions of higher education that maintain such large sets of data of different types, proper preparedness is crucial, not only for purposes of more efficiently responding to a data breach, but also to best position the institution to defend against government investigation and private litigation.