
CAUGHT IN THE CYBER CROSSHAIRS: WHAT CAN HIGHER ED DO TO MANAGE DATA SECURITY BREACHES AND PRIVACY LOSSES?

Ken Goldstein[1]

“The average cost for data breaches in the U.S. education industry has risen to $245 per capita (or per record lost), which is $45 above the worldwide average, according to a recent study from the Ponemon Institute.”[2]

ABSTRACT

Higher education’s (“Higher Ed’s”) consistent and widespread use of technology has generated significant cybersecurity concerns. While Higher Ed struggles with enrollment numbers and budgetary restrictions, it holds diverse private and proprietary information worth aggressively protecting. As such, Higher Ed must make appropriate investments in cybersecurity, along with enhanced loss control and risk financing measures, to survive and function appropriately.

This paper will first address the inherent conflict between scarce financial resources at the Higher Ed level and the importance of managing a strong cybersecurity posture. Next, it will review private and proprietary information and evaluate data breaches, privacy losses, and Higher Ed’s current administrative and technology practices. Thereafter, it will highlight costs impacting Higher Ed and summarize legal, regulatory, and compliance-related consequences facing the industry. Finally, the paper will discuss practical strategies for balancing Higher Ed’s financial circumstances against the long-term benefits of appropriate technology safeguards, budgeting, enhanced training, strong vetting of partnerships, and comprehensive risk transfer.

[1] Ken Goldstein is a former global Cyber Security Product Manager at legacy Chubb Group of Insurance Companies and current Clinical Instructor of Risk Management and Insurance at the Barney School of Business, University of Hartford. Ken earned his J.D. at Western New England University School of Law and B.A. at Binghamton University. Professor Goldstein would like to thank Dr. Susan Coleman for her helpful insight and support.

[2] Shalina Chatlani, Cost of Education Data Breaches Averages $245 Per Record, EDUCATION DIVE (July 18, 2017), https://www.educationdive.com/news/cost-of-education-data-breaches-averages-245-per-record/447376/.

244 ALB. L.J. SCI. & TECH. [Vol. 29.3

1. Introduction ... 242
2. Private and Proprietary Information: Higher Ed Data at Risk ... 244
3. Data Breaches and Privacy Losses: What Could Go Wrong ... 246
4. A Challenging Cybersecurity Posture ... 250
5. Data Breach Costs Impacting Higher Ed ... 250
6. Legal, Regulatory, and Compliance-Related Consequences ... 252
7. Cybersecurity Loss Control in Higher Ed ... 252
8. Cybersecurity Risk Financing in Higher Ed ... 261
9. Summary and Conclusions ... 266

1. INTRODUCTION

It is not breaking news that Higher Ed institutions are struggling with enrollment numbers and budgetary restrictions.[3] A variety of issues contribute to the situation, ranging from retention numbers and antiquated programs to reduced funding contributions and outdated facilities.[4] As a consequence, scarce dollars are being prioritized and used to undertake data analytics, conduct targeted and concentrated marketing, and ultimately differentiate the institution in the competition for desired students.[5]

[3] HIGHER EDUCATION, HANOVER RESEARCH INDUSTRY TREND REPORT 1, 3 (2017), https://www.hanoverresearch.com/reports-and-briefs/2017-higher-education-trend-report/ (stating that higher education institutions are “[f]acing declining enrollments and reductions in funding across key academic offerings. . . .”).

[4] U.S. Dep’t of Educ., Education Department Awards $20.1 Million in Grants to Strengthen 39 Higher Education Institutions, DEP’T OF EDUC. (Sept. 26, 2013), https://www.ed.gov/news/press-releases/education-department-awards-201-million-grants-strengthen-39-higher-education-in (stating that funds were provided to improve and strengthen academic quality); Michael Mitchell et al., A Lost Decade in Higher Education Funding, CTR ON BUDGET AND POL’Y PRIORITIES (Aug. 23, 2017), https://www.cbpp.org/research/state-budget-and-tax/a-lost-decade-in-higher-education-funding (suggesting that “state spending on public colleges and universities remains well below historic levels. . . .”); Jeffrey J. Selingo, Colleges Struggling to Stay Afloat, N.Y. TIMES (Apr. 12, 2013), https://www.nytimes.com/2013/04/14/education/edlife/many-colleges-and-universities-face-financial-problems.html (noting “colleges have been on a borrowing spree . . . nearly doubling the amount of debt they’ve taken on in the last decade to fix aging campuses, keep up with competitors and lure students with lavish amenities.”).

2019] CAUGHT IN THE CYBER CROSSHAIRS 245

At the same time, however, Higher Ed continues to be a treasure trove of sensitive, private and proprietary information.[6] Further, there is consistent and widespread use of innovative technology to support teaching and learning, often within the context of interconnected systems.[7] Not surprisingly, Higher Ed remains squarely on the radar of international hackers, placing it directly within the Cyber Crosshairs.[8]

This paper explores the inherent conflict between scarce resources and the importance of prioritizing and managing a strong cybersecurity posture. Without careful attention, Higher Ed institutions run the risk of an adverse impact to organizational health and longevity.

We will start with a brief overview of the definitions of Personally Identifiable Information, Protected Health Information, and business and proprietary information. These definitions will allow us to consider the types of sensitive information available at Higher Ed institutions.

Next, we will evaluate sample data breaches and privacy losses impacting Higher Ed over the past two years, along with common themes associated with a challenging cybersecurity posture. This will ensure a proper understanding of what can go wrong from a data breach and privacy loss perspective.

Thereafter, we will turn to the costs adversely impacting Higher Ed and set them against the maze of legal, regulatory, and compliance-related consequences facing the industry. This will reinforce the tangible financial and reputational concerns facing Higher Ed.

Lastly, we will explore strategies for striking the right balance between Higher Ed’s financial circumstances and the long-term benefits of implementing cybersecurity best practices. This will include a focus on appropriate loss control and risk financing measures, highlighting the importance of a written network security and privacy policy, proper budgeting, incident response planning, enhanced training of staff, strong vetting of external partnerships, and comprehensive risk transfer.

[5] Sandra Beckwith, Data Analytics Rising in Higher Education: A look at four campus “data czars” and how they’re promoting predictive analytics, UNIVERSITY BUSINESS (May 26, 2016), https://universitybusiness.com/data-analytics-rising-in-higher-education/ (noting that data analytics are being used to focus upon retention and on-time completion of courses); Four Leading Strategies to Identify, Attract, Engage, and Enroll the Right Students, BLACKBOARD 1, 7 (2014), http://www.blackboard.com/sites/student-services/assets/pdf/white-marketing.pdf (reinforcing the importance of a “customized communication strategy”); HIGHER EDUCATION, supra note 3, at 22 (noting, in part, that higher education institutions are looking to diversify offerings to better attract and retain students).

[6] A Briefing on 2017 Cybersecurity Trends in Higher Education, CTR FOR DIGITAL EDUC. (May 23, 2017), http://www.govtech.com/education/events/webinars/A-Briefing-on-2017-Cybersecurity-Trends-in-Higher-Education-71014.html.

[7] Donna Davis, Managing Cybersecurity in Higher Education, UNITED EDUCATORS, https://www.ue.org/education-matters/profiles-in-managing-risk/managing-cybersecurity-in-higher-education/ (noting “little separation or segmentation of systems and data. . . .”).

[8] See Higher Education—A Goldmine of Personal Data for Hackers, HUB (Mar. 7, 2017), https://www.hubinternational.com/blog/2017/03/higher-education-university-data-breach/ (“Higher education institutions now account for as much as 17% of all cyber breaches, second only to healthcare.”).

2. PRIVATE AND PROPRIETARY INFORMATION: HIGHER ED DATA AT RISK

Let us begin with a brief overview of the definitions of Personally Identifiable Information (“PII”), Protected Health Information (“PHI”), and business and proprietary information, including cutting-edge research and development (“R&D”). We will consider these important definitions within the context of the types of information readily available at Higher Ed institutions.

PII

PII has been classically defined as an individual’s first initial or first name, coupled with his or her last name, along with something that would be considered a private identifier.[9] Examples include a social security number, a driver’s license or state-identification number, or financial account information, including debit and credit card numbers (where paired with the security code, access code, PIN or password needed to use the account).[10] Beyond the classic definition of private information, other data elements considered PII, when paired with another identifier, include “citizenship or immigration status, medical information (see PHI discussion that follows), ethnic, religious, sexual orientation, or lifestyle information, and account passwords, in conjunction with the identity of an individual (directly or indirectly inferred).”[11] Not unexpectedly, PII is rampant across Higher Ed campuses, including student, parent, donor, alumni, and employee information.[12] Further, whether a Higher Ed institution safeguards this information directly or outsources responsibility for its protection to others, PII surely attracts the attention of bad actors for nefarious purposes.[13]

[9] See Data Breach Charts, BAKERHOSTETLER 1 (July 2018), https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf (defining personal information as “An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or state-issued ID card number; or (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. . . .”).

[10] Id.
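The two definitions above, the classic name-plus-identifier trigger and the broader list of sensitive elements that only count when tied to an identity, translate directly into a scoping check an incident responder can run over an exposed export (a leaked spreadsheet or file share, as in the OU case discussed later) to estimate who must be notified. The Python below is an added example, not code from the article or from BakerHostetler or Piwik PRO; the field names, the two-tier logic, and the sample records are assumptions chosen for illustration.

```python
"""Breach-notification scoping check.

Tier 1 ("classic"): first name or initial + last name, plus one of SSN,
driver's license / state ID, or a financial account number that is exposed
TOGETHER with the code needed to use it (an account number alone does not
meet the quoted definition).
Tier 2 ("extended"): the broader elements quoted from the Piwik PRO piece;
these are flagged only when the record is also tied to an identity.
Field names are assumptions for this example, not a standard schema.
"""
from dataclasses import dataclass, field

CLASSIC_STANDALONE = {"ssn", "drivers_license", "state_id"}
FINANCIAL = {"account_number", "credit_card", "debit_card"}
ACCESS_CODES = {"security_code", "access_code", "pin", "password"}
EXTENDED = {"citizenship_status", "immigration_status", "medical_information",
            "ethnicity", "religion", "sexual_orientation",
            "lifestyle_information", "account_password"}


@dataclass
class Assessment:
    record_id: str
    identified: bool
    classic_triggers: set = field(default_factory=set)
    extended_elements: set = field(default_factory=set)

    @property
    def notifiable(self) -> bool:
        # The classic definition is conjunctive: identity AND a trigger element.
        return self.identified and bool(self.classic_triggers)


def _present(record: dict, key: str) -> bool:
    value = record.get(key)
    return value is not None and str(value).strip() != ""


def has_identity(record: dict) -> bool:
    """'first name or first initial and last name'."""
    return (_present(record, "first_name") or _present(record, "first_initial")) \
        and _present(record, "last_name")


def assess_record(record: dict) -> Assessment:
    a = Assessment(record_id=str(record.get("id", "?")), identified=has_identity(record))
    for key in CLASSIC_STANDALONE:
        if _present(record, key):
            a.classic_triggers.add(key)
    # Financial account data triggers only when an access credential leaks with it.
    if any(_present(record, k) for k in FINANCIAL) and \
            any(_present(record, k) for k in ACCESS_CODES):
        a.classic_triggers.add("financial_account_with_access_code")
    for key in EXTENDED:
        if _present(record, key):
            a.extended_elements.add(key)
    return a


def scope_breach(records):
    """Assess every record and return (per-record results, summary counts)."""
    results = [assess_record(r) for r in records]
    summary = {
        "records": len(results),
        "notifiable": sum(1 for r in results if r.notifiable),
        "sensitive_only": sum(1 for r in results
                              if r.identified and not r.classic_triggers and r.extended_elements),
        "not_identified": sum(1 for r in results if not r.identified),
    }
    return results, summary


# Constructed sample export for the example (not real data).
SAMPLE_EXPORT = [
    {"id": "r1", "first_name": "Ada", "last_name": "Lovelace", "ssn": "123-45-6789"},
    # Card number without any access code: not the classic definition.
    {"id": "r2", "first_initial": "G", "last_name": "Hopper", "credit_card": "4111111111111111"},
    {"id": "r3", "first_initial": "G", "last_name": "Hopper",
     "credit_card": "4111111111111111", "security_code": "123"},
    {"id": "r4", "first_name": "Alan", "last_name": "Turing", "medical_information": "allergy list"},
    # SSN with no name attached: a trigger element, but no identity to pair it with.
    {"id": "r5", "ssn": "987-65-4321"},
    {"id": "r6", "first_name": "Grace", "last_name": "Hopper",
     "drivers_license": "D1234567", "religion": "unspecified"},
]

if __name__ == "__main__":
    results, summary = scope_breach(SAMPLE_EXPORT)
    for r in results:
        print(r.record_id, "NOTIFY" if r.notifiable else "-",
              sorted(r.classic_triggers), sorted(r.extended_elements))
    print(summary)
```

The check encodes only the generic definition quoted from the BakerHostetler chart; individual state statutes differ in their trigger elements and exceptions, so the counts are a first estimate for counsel to refine against each applicable law, not a legal determination.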

PHI

Let us turn next to the definition of PHI. According to the U.S. Department of Health & Human Services, “[t]he HIPAA Privacy Rule provides federal protections for [PHI] held by covered entities [or their business associates] and gives patients an array of rights with respect to that information.”[14] PHI includes the following:

    Individually identifiable health information, held or maintained by a covered entity or its business associates, transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens) …[15]

At the Higher Ed level, a number of institutions hold vast amounts of PHI, including academic medical centers and medical research centers maintaining identifiable health information.[16] In addition, employees may be able to file health insurance claims directly through an institution’s human resources office.[17]

R&D

Lastly, beyond PII and PHI, there is also a vast amount of R&D at Higher Ed institutions. This information ranges from grants and contracts to proprietary trade secrets, technology, ongoing research and publication projects (including with partners from multiple institutions), and Intellectual Property.[18]

[11] Michael Sweeney & Karolina Lubowicka, What is PII, and Personal Data?, https://piwik.pro/blog/what-is-pii-personal-data/ (last updated Aug. 9, 2019).

[12] CTR FOR DIGITAL EDUC., supra note 6 (diverse, data-rich digital resources include student, parent, donor, alumni, and employee information; PII ranges from payroll information to retail transactions).

[13] Lori Coleman & Bernice Purcell, Data Breaches in Higher Education, J. BUS. CASES & APPLICATIONS 15, 15–16 (2015). In this article the authors study four university cases involving data breaches and external actors.

[14] U.S. Dep’t of Health & Human Services, What is PHI?, https://www.hhs.gov/answers/hipaa/what-is-phi (last visited Feb. 26, 2013).

[15] U.S. Dep’t of Health & Human Services, What Health Information is Protected by the Privacy Rule?, https://privacyruleandresearch.nih.gov/pr_07.asp (last updated Feb. 2, 2007).

3. DATA BREACHES AND PRIVACY LOSSES: WHAT COULD GO WRONG

Given the comprehensive nature of private and proprietary information available at Higher Ed institutions, it should come as no surprise that data breaches and privacy losses are widespread.[19] In fact, Privacy Rights Clearinghouse paints a telling picture over the past several years.[20] For example, in May 2017, the data of more than 29,000 University of Oklahoma (“OU”) students became unintentionally accessible, including social security numbers, financial aid information and grades dating back to 2002.[21] The exposure occurred during a migration from SharePoint to cloud servers, due to lax privacy settings in a campus file-sharing network; no attacker was needed, only a misconfigured share.[22] After becoming aware of the event, the school’s IT department worked to secure the files.[23] The U.S. Department of Education also contacted OU to assess whether the institution had complied with its data security safeguard requirements under federal law.[24]

In addition, in February 2017, a former employee in charge of scheduling patients at WVU Medicine University Healthcare (part of Berkeley County Medical Center) inappropriately accessed unsecured PHI and PII of more than 7,000 individuals.[25] Investigators found at least 113 patients’ sensitive information in the former worker’s possession, including drivers’ licenses with photos, social security cards and other personal information.[26] Notification to impacted individuals followed, including an offer of one year of free identity monitoring.[27] As of April 2017, WVU’s post-data breach vendor, Kroll, had received over 500 calls to an established call center.[28] Legal counsel for WVU also noted that they would be assessing procedures to make sure a comparable breach could not happen in the future.[29]

[16] Derek T. Teeter, Top 5 Common HIPAA “Myths” That Arise in Higher Education, LEXOLOGY (2017), https://www.highereducationlegalinsights.com/2017/05/common-hipaa-myths-that-arise-in-higher-education/ (noting that “[i]f a student health center provides medical treatment to non-students and bills for those services, medical records relating to such treatment are . . . subject to HIPAA’s privacy rule.”).

[17] Id. (“HIPAA may protect the privacy of medical records a college employee submits to the institution’s health plan for purposes of making an insurance claim.”).

[18] CTR FOR DIGITAL EDUC., supra note 6.

[19] Meghan Bogardus Cortez, Education Sector Data Breaches Skyrocket in 2017, EDTECH (Dec. 1, 2017) (stating that security breaches more than doubled, increasing by 103%, between 2016 and 2017).

[20] See generally Privacy Rights Clearinghouse: Data Breaches, https://www.privacyrights.org/data-breaches (highlighting data breaches within the context of a searchable database).

[21] Dana Branham, Security Breach at OU Exposes Thousands of Students’ Data, OKLAHOMA WATCH (Jun. 14, 2017), http://oklahomawatch.org/2017/06/14/security-breach-at-ou-exposes-thousands-of-students-data/.

[22] Greg Masters, Data Breach at Oklahoma U Impacts 30K Students, SC MEDIA (Jun. 15, 2017), https://www.scmagazine.com/data-breach-at-oklahoma-u-impacts-30k-students/article/668731/.

[23] Id.

[24] Robyn Craig, U.S. Department of Education looking into Security Breach at OU, OUDAILY (Jun. 20, 2017), http://www.oudaily.com/news/u-s-department-of-education-looking-into-security-breach-at/article_46666450-55fb-11e7-981c-1786c84f69a9.html.

[25] WVU Medicine Announces Patient Information Breach, METRONEWS (Feb. 25, 2017), http://wvmetronews.com/2017/02/25/wvu-medicine-announces-patient-information-breach/.

[26] Id.

[27] Id.

[28] Hans Fogle, No New Reports of Identity Theft Following WVU Medicine University Healthcare Data Breach, METRONEWS (Apr. 2, 2017), http://wvmetronews.com/2017/04/02/no-new-reports-of-identity-theft-following-wvu-medicine-university-healthcare-data-breach/.

[29] Hans Fogle, Former WVU Medicine Employee Fired After Data Breach, WEPM (Feb. 27, 2017), http://wepm.com/former-wvu-medicine-employee-fired-after-data-breach/.

Lastly, also in 2017, UCLA notified more than 30,000 current and former students about a potential security breach stemming from a hack into a server containing personal data.[30] UCLA offered one year of free identity-protection services.[31]

Not surprisingly, a number of additional breaches occurred in 2016, including at Tidewater Community College, UC Berkeley, and the University of Central Florida.[32] For example, in March 2016, over 3,100 current and former employees of Tidewater Community College had personal information stolen in a tax phishing scam.[33] When certain employees went to file their taxes, they found that someone had already filed in their names. In addition to providing free credit monitoring to impacted individuals, Tidewater coordinated its breach response with the FBI and Virginia State Police.[34] The college also decided to implement a new training protocol for employees handling sensitive information.[35]

Beyond Tidewater, in February 2016, hackers gained unauthorized access to UC Berkeley’s financial management software.[36] The attackers exploited a security flaw in the software while the campus was in the process of patching it.[37] This flaw potentially exposed social security numbers and banking information for over 80,000 impacted victims, including current and former students, current and former employees, and vendor partners.[38] UC Berkeley retained a forensics expert, provided notification to impacted individuals, and offered free identity and credit monitoring services.[39]

[30] 30,000 UCLA Students, Former Students Warned About Potential Security Breach, ABC7 (Aug. 5, 2017), https://abc7.com/technology/30k-ucla-students-warned-about-potential-security-breach/2279390/.

[31] Id.

[32] Judy Leary, The Biggest Data Breaches in 2016, IDENTITYFORCE (Dec. 16, 2016), https://www.identityforce.com/blog/2016-data-breaches.

[33] Id.

[34] Matt McKinney, Data Breach Exposes Information on More Than 3,000 TCC Employees, THE VIRGINIAN PILOT (Mar. 25, 2016), https://pilotonline.com/news/local/crime/data-breach-exposes-information-on-more-than-tcc-employees/article_6ab72a2f-52a0-533e-8060-a2d245c7f151.html.

[35] Id.

[36] Dian Schaffhauser, While 80,000 UC Berkeley Students and Staff Suffer Breach, Campus May Suffer Suit, CAMPUS TECH. (Mar. 3, 2016), https://campustechnology.com/articles/2016/03/03/while-80000-uc-berkeley-students-and-staff-suffer-breach-campus-may-suffer-suit.aspx.

[37] Id.

[38] Id.

[39] Id.

Lastly, in January 2016, the University of Central Florida discovered that cyber criminals had compromised the University’s computer system and stolen information from 63,000 current and former students, faculty, and staff.[40] After the discovery, the institution reported the matter to law enforcement and launched an internal investigation with the support of a post-data breach vendor.[41] The investigation determined that the breach actually impacted the private information of student athletes and current and former employees.[42] As a result, the University provided notification, free credit and identity-protection services, and set up a call center to manage victim questions.[43] The University also called for a review of online systems, policies and training to determine areas for improvement.[44] Notwithstanding these efforts, several lawsuits were filed against the University.[45]

So what do 2016 and 2017 have in common? For starters, each of the above Higher Ed institutions had a variety of stakeholders adversely impacted, along with a drain on its time and financial resources. In addition, the Higher Ed breaches and privacy losses were largely attributable to hacking, malware and/or unintended disclosures.[46] Lastly, beyond the financial implications, it is safe to assume that there were significant reputational consequences as a result of these events.[47]

[40] Leila Meyer, University of Central Florida Responds to Data Breach, CAMPUS TECHNOLOGY (Feb. 5, 2016), https://campustechnology.com/articles/2016/02/05/university-of-central-florida-responds-to-data-breach.aspx.

[41] Id.

[42] Id.

[43] Id.

[44] Id.

[45] Gabrielle Russon, UCF Sued a 2nd Time Over Data Breach, ORLANDO SENTINEL (Feb. 26, 2016), https://www.orlandosentinel.com/features/education/os-ucf-second-lawsuit-hack-20160226-story.html.

[46] Lori Coleman & Bernice Purcell, Data Breaches in Higher Educ., J. BUS. CASES & APPLICATIONS (Dec. 2015), http://www.aabri.com/manuscripts/162377.pdf; see also D. CHRISTOPHER BROOKS AND JEFFREY POMERANTZ, STUDY OF UNDERGRADUATE STUDENTS AND INFO. TECH., EDUCAUSE (2017), https://er.educause.edu/~/media/files/library/2017/10/studentitstudy2017.pdf?la=en.

[47] Megan O’Neil, Data Breaches Put a Dent in Colls.’ Fin. as Well as Reputations, THE CHRONICLE OF HIGHER EDUC. (Mar. 17, 2014), https://www.chronicle.com/article/Data-Breaches-Put-a-Dent-in/145341.

4. A CHALLENGING CYBERSECURITY POSTURE

If you dig further beyond the above cases, you will find an equally challenging story about how easily private and proprietary information can be reached across Higher Ed institutions. For example, according to the Center for Digital Education, “[s]ixty-seven percent of respondents to a 2017 survey say their institution’s data is either not secure or only somewhat secure.”[48] The same survey also noted that “forty-eight percent of … respondents [suggested] that their institutions either did not have, or were not sure whether they had, security policies to protect sensitive [R&D] and IP.”[49] In essence, Higher Ed institutions are “low hanging fruit” for bad cyber actors globally.

In a recent webinar, Dr. Steven Zink did an excellent job summarizing various areas of importance for educational leadership, including how Higher Ed has a tradition of open access and inquiry, limited management hierarchy, a custom of faculty governance and intellectual freedom, a culture of non-compliance, a highly decentralized computing environment, late adoption of executive-level IT representation and security authority, and funding limitations.[50] HUB, a global insurance broker, highlighted similar concerns, including limited security budgets, the lack of an official IT security manager, and unprotected public wireless access points across university campuses.[51]

5. DATA BREACH COSTS IMPACTING HIGHER ED

Factoring in the above cybersecurity posture challenges, mainstream industry reports, including the Ponemon Institute’s 2017 Cost of Data Breach Study, suggest that the cost per record for educational institution breaches is $59 higher than the global average ($141/record global average versus $200/record global average for education).[52] In the U.S. in particular, the cost per record for educational institution breaches is $20 higher ($225/record U.S. average versus $245/record U.S. educational average).[53] Overall, these figures reinforce the financial and reputational consequences stemming from data breaches and privacy losses.

As to the financial implications, consider a data breach at the Maricopa County community colleges that cost more than $26 million.[54] In April 2013, the 10-college district suffered a hack that exposed social security numbers and banking information of more than 2 million people, including current and former students, staff and vendors.[55] As of November 2014, Maricopa’s governing board had approved contracts totaling $26,019,436.[56] According to a public report, the largest chunk ($9.3 million) related to legal expenses; the next highest figure concerned post-data breach consulting and computer system repair costs ($7.5 million); the third largest figure covered notification, credit monitoring and call center costs ($7 million); and the final expenditures related to records management, public relations and photocopying fees ($2.2 million).[57]

With regard to reputational consequences, general industry spending on breaches is substantially driven by lost customer business [41%] and customer acquisition [8%].[58] Likewise, “94% [of consumers recently surveyed] believe [an] organization itself is solely to blame for [a] breach.”[59] Furthermore, “[a]s many as 62 percent of those queried said being notified of a breach would lower their trust and confidence in the college or university.”[60] This raises the question: why would Higher Ed institutions engage external stakeholders to strengthen their reputation, secure partnerships, solicit philanthropic contributions, and bolster revenues, only to mishandle significant PII, PHI, and R&D with lax security? Compromising sensitive, personal and proprietary information would certainly have the opposite of the desired effect.[61]

[48] CTR FOR DIGITAL EDUC., supra note 6.

[49] Id.

[50] Id.

[51] HUB, Higher Education–A Goldmine of Personal Data for Hackers (Mar. 7, 2017), https://www.hubinternational.com/blog/2017/03/higher-education-university-data-breach/.

[52] PONEMON INST., COST OF DATA BREACH STUDY: GLOBAL OVERVIEW 13 (2017).

[53] Shalina Chatlani, Cost of Educ. Data Breaches Averages $245 per record, EDUC. DIVE (July 18, 2017), https://www.educationdive.com/news/cost-of-education-data-breaches-averages-245-per-record/447376/.

[54] Mary Beth Faller, Maricopa County Colleges Computer Hack Cost Tops $26M, THE REPUBLIC (Dec. 17, 2014), https://www.azcentral.com/story/news/local/phoenix/2014/12/17/costs-repair-massive-mcccd-computer-hack-top-million/20539491/.

[55] Id.

[56] Id.

[57] Id.

[58] PONEMON INST., COST OF DATA BREACH STUDY: U.S. 20 (2017).

[59] Main Cybersecurity Problem for Colleges? Gathering Diverse Kinds of Data, HELPNETSECURITY (Oct. 12, 2017), https://www.helpnetsecurity.com/2017/10/12/cybersecurity-problem-college/.

[60] Id.

6. LEGAL, REGULATORY, AND COMPLIANCE-RELATED CONSEQUENCES

If lax security practices, limited budgets, and open environments were not enough, Higher Ed institutions should also be deeply concerned with the myriad legal, regulatory and compliance-related issues that will only exacerbate the financial and reputational consequences of a data breach or privacy loss. These include state and federal breach notification requirements (for PII and PHI), the Payment Card Industry Data Security Standard (PCI DSS, for credit/debit card purchases and the related movement of funds), HIPAA (for PHI), FERPA (the Family Educational Rights and Privacy Act, which protects the privacy of student education records held by institutions receiving federal education funding), potential third-party liability (most notably class actions and regulatory proceedings), and first-party expenses directly incurred by Higher Ed institutions (forensic costs, legal fees, public relations expenses, business interruption and extra expenses, notification costs, credit, health, and identity monitoring/restoration expenses, ransom-related costs, and data remediation fees).[62]

7. CYBERSECURITY LOSS CONTROL IN HIGHER ED

So what are some best practice considerations for striking the right balance between Higher Ed’s financial concerns and the long-term cybersecurity consequences? Without a drastically different approach, Higher Ed institutions have the potential to fail. What follows are strategies for a viable network security and privacy policy, proper budgeting, a comprehensive incident response plan, and robust training on phishing and strong passwords.

[61] O’Neil, supra note 47 (suggesting that “[t]he alumni-fund-raising office might see a downturn in giving”).

[62] CARTER, LEDYARD & MILBURN LLP, CYBERSECURITY: REGULATORY LITIGATION CONSEQUENCES OF A DATA BREACH (Apr. 26, 2017), http://www.clm.com/docs/7942385_1.pdf; Pamela Mills-Senn, PCI Compliance Crackdown, U. BUS. (Feb. 3, 2015), https://universitybusiness.com/pci-compliance-crackdown/; Jason Hall, Cyber Security and FERPA regulation – Five Steps for Better Cyber Security to Protect Student Data, INT’L PATHWAYS (Feb. 22, 2016), https://www.linkedin.com/pulse/cyber-security-ferpa-regulations-five-steps-better-data-hall-mba?articleId=8104367194687027052.

Written Network Security and Privacy Policy

First, an institution’s written network security and privacy policy should be continually re-assessed and properly funded as a part of a university’s strategic plan. Considering the substantial focus upon hacking, malware and unintended disclosures within the Higher Ed environment, institutions should earmark funds for penetration testing (to find weaknesses or holes in the institution’s system(s)),63 intrusion detection software (the equivalent of a house alarm: are there bad actors in your network?),64 proper patches and system updates (to avoid inadvertent disclosure of information or easier access),65 two-factor authentication (to make it more difficult to enter an institution’s systems),66 securing the wireless environment,67 and encryption for sensitive PII, PHI and R&D (maintaining a separate location for the encryption key).68

63 See Eric Basu, What is a Penetration Test and Why Would I Need One For My Company?, FORBES (Oct. 13, 2013), https://www.forbes.com/sites/ericbasu/2013/10/13/what-is-a-penetration-test-and-why-would-i-need-one-for-my-company/#e402ba818a0d (exploring “the real-world effectiveness of . . . existing security controls against an active, human, skilled attacker.”).

64 See DEP’T OF HOMELAND SECURITY, INTRUSION DETECTION AND PREVENTION SYSTEMS (Aug. 2013), https://www.dhs.gov/publication/intrusion-detection-and-prevention-systems (highlighting systems used to detect and identify possible threats to a system).

65 See JLT, What are Security Patches (Oct. 5, 2017), https://www.jltspecialty.com/our-insights/publications/cyber-decoder/what-are-security-patches (defining patching to include “software updates, usually released to improve … performance or fix bugs and security vulnerabilities in software already installed on computers, IT systems and devices.”).

66 See Seth Rosenblatt and Jason Cipriani, Two-factor authentication: What you need to know (FAQ), CNET (Jun. 15, 2015), https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/ (noting that two-factor authentication adds a second level of authentication to an account log-in).

67 Fed. Trade Comm’n, Securing Your Wireless Network, FED. TRADE COMM’N (Sept. 2015), https://www.consumer.ftc.gov/articles/0013-securing-your-wireless-network.

68 APRICORN, ENCRYPTION IN EDUCATION, https://www.apricorn.com/media/pressreleases/file/e/d/education_data_encryption_whitepaper.pdf (noting that “Encryption transforms data to make it unreadable without authorized access.”); PONEMON INST., supra note 52, at 17 (noting that one of the factors that decreases the cost of a data breach or privacy loss includes extensive use of encryption—$16.1/record reduction).

Budgeting

Budget constraints (41 percent) and a lack of trained personnel (21 percent) are among the top challenges facing security specialists in education. Colleges and universities report employing an average of twenty dedicated security employees, half that of most industries. This notable shortage of security personnel results in a lack of proper threat investigation and remediation. It is also hindering the deployment of innovative technologies or processes that could strengthen their security posture.69

Second, while industry experts offer different approaches to budgeting, the higher end numbers often reach 13-15%.70 Given the amount of private and proprietary information available within Higher Ed generally, and the substantial costs per record, institutions should carve out a comparable range of their IT budgets to ensure a viable cybersecurity posture. The implementation of the budget should be prioritized between IT and institutional leadership and include a yearly risk assessment for roadmap purposes.71 If cybersecurity is outsourced, meaningful communication and engagement should occur to replicate an in-house IT team approach.72 Regardless of in-house versus outsourcing, the consequences are too significant not to allocate proper resources up-front.

69 CISCO, ANNUAL CYBERSECURITY REPORT: IMPACTS ON PUBLIC SECTOR (2018), https://www.noacsc.org/wp-content/uploads/2018/05/Cisco2018AnnualCybersecurityReportImpactsOnPublicSector.pdf.

70 Stickman, How Much Should you Invest in Cybersecurity? (Jan. 2, 2018), https://www.stickman.com.au/how-much-should-you-invest-in-cybersecurity/ (stating that 13.7 percent seems fairly reasonable and provides a nice reference point); Global Data Sentinel, How Much Should Companies Spend on Cyber Security?, GLOBAL DATA SENTINEL (Dec. 28, 2016), https://www.globaldatasentinel.com/the-latest/how-much-should-companies-spend-on-cyber-security/ (“The range of spending was between 1 percent and 13 percent for the companies surveyed.”); Paul Rubens, Why You Should be Spending More on Security, CIO (Apr. 1, 2015), https://www.cio.com/article/2904364/security0/why-you-should-be-spending-more-on-security.html (“According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent.”).

71 See Ilia Kolochenko, Cybersecurity Spending: More Does Not Necessarily Mean Better, CSO (Apr. 4, 2016), https://www.csoonline.com/article/3051123/leadership-management/cybersecurity-spending-more-does-not-necessarily-mean-better.html (noting that “[c]ybersecurity budgeting should start with a holistic and comprehensive risk assessment”).

Alternatively, Xuyen Bowles, director of sales, training & marketing at Sentek Global, offers a more systematic approach for tailoring an institution’s needs to a specifically allocated cybersecurity budget figure.73 The process starts with a comprehensive risk assessment measuring the probability of a network security and privacy event coupled with the costs associated with such an event.74 Following the risk assessment, Ms. Bowles suggests using the Gordon-Loeb Model to quantify the budget, a cybersecurity risk assessment tool developed by researchers at the University of Maryland.75 With Higher Ed in mind, the Gordon-Loeb Model consists of four steps, including:

(1) estimating the value of the information the institution is looking to protect;

(2) estimating the probability that each information set will be compromised as well as assigning each set with a vulnerability score based on its probability of being attacked;

(3) prioritizing the information set by developing a grid with a vulnerability assessment (low value/low vulnerability to high value/high vulnerability) and then calculating potential loss by multiplying the information’s value by its probability of a breach; and

(4) identifying which information sets are most crucial to prioritize and spend money on.76

72 See 5 Reasons Why You Should Outsource Your Cybersecurity, AFFINITY IT SECURITY SERVICES, https://affinity-it-security.com/5-reasons-why-you-should-outsource-your-cybersecurity/ (last visited Mar. 30, 2019) (discussing how to retain control of your infrastructure and operations while outsourcing).

73 See Xuyen Bowles, What’s a Good Cybersecurity Budget & How Do I Get It?, SC MEDIA (July 27, 2017), https://www.scmagazine.com/whats-a-good-cybersecurity-budget-how-do-i-get-it/article/672371/.

74 Id.

75 Id.

76 Id.

Overall, the Gordon-Loeb Model cautions that budgets should not exceed 37% of total expected losses, as the security offered by such a budget yields diminishing returns with increased spending.77
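The four steps and the 37% ceiling carried through in code, as an added worked example that is not part of the article and not from Bowles or the Gordon-Loeb researchers; the information sets, dollar values and probabilities are constructed, and the proportional-to-expected-loss allocation rule is an assumption of the example, not something the model prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The article's stated ceiling: a cybersecurity budget should not exceed 37%
# of the total expected loss across the information sets being protected.
GORDON_LOEB_CAP = 0.37


@dataclass(frozen=True)
class InfoSet:
    """One information set, with the two estimates the model's steps need."""
    name: str
    value: float        # step 1: estimated value of the information, in dollars
    probability: float  # step 2: estimated probability of compromise this budget period


# Constructed (hypothetical) information sets for a fictional institution.
HIGHER_ED_SETS = [
    InfoSet("Student records (PII)", 2_000_000, 0.30),
    InfoSet("Health center records (PHI)", 1_500_000, 0.10),
    InfoSet("Research data (R&D)", 3_000_000, 0.05),
    InfoSet("Alumni and donor database", 500_000, 0.20),
]


def expected_loss(info: InfoSet) -> float:
    """Step 3: potential loss = information value x probability of a breach."""
    return info.value * info.probability


def grid_cell(info: InfoSet, value_threshold: float, prob_threshold: float) -> str:
    """Step 3 grid: place a set between low value/low vulnerability and high/high."""
    value = "high value" if info.value >= value_threshold else "low value"
    vuln = "high vulnerability" if info.probability >= prob_threshold else "low vulnerability"
    return f"{value}/{vuln}"


def prioritize(sets: List[InfoSet], value_threshold: float,
               prob_threshold: float) -> List[Tuple[str, str, float]]:
    """Step 4: rank information sets by expected loss, largest first."""
    ranked = sorted(sets, key=expected_loss, reverse=True)
    return [(s.name, grid_cell(s, value_threshold, prob_threshold), expected_loss(s))
            for s in ranked]


def budget_ceiling(sets: List[InfoSet]) -> float:
    """Largest budget the 37% rule supports for these information sets."""
    return GORDON_LOEB_CAP * sum(expected_loss(s) for s in sets)


def within_cap(proposed_budget: float, sets: List[InfoSet]) -> bool:
    """True when a proposed budget respects the 37%-of-expected-loss ceiling."""
    return proposed_budget <= budget_ceiling(sets)


def allocate(sets: List[InfoSet], budget: float) -> Dict[str, float]:
    """Split a budget across sets in proportion to expected loss (an assumed priority rule)."""
    total = sum(expected_loss(s) for s in sets)
    return {s.name: budget * expected_loss(s) / total for s in sets}


if __name__ == "__main__":
    # Thresholds for the grid are judgment calls; these are constructed values.
    for name, cell, loss in prioritize(HIGHER_ED_SETS, 1_000_000, 0.15):
        print(f"{name:30s} {cell:35s} expected loss ${loss:,.0f}")
    cap = budget_ceiling(HIGHER_ED_SETS)
    print(f"Budget ceiling (37% of expected loss): ${cap:,.0f}")
    for name, dollars in allocate(HIGHER_ED_SETS, cap).items():
        print(f"  {name:30s} ${dollars:,.0f}")
```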

Incident Response Planning

Third, an Incident Response Plan should be sufficiently outlined and tested prior to an actual breach or privacy loss.78 The Incident Response Plan (“IRP”) should consider the following key steps:

Pre-Event IRP Steps

The first pre-event IRP step for Higher Ed will be to establish an internal incident response team.79 Members should include diverse representatives, including institutional leadership, IT, compliance, legal, marketing and communications, human resources, and audit personnel.80 Out of this group, the institution should designate an internal breach manager (or lead) that is capable of managing communications effectively across the particular institution.81

The next pre-event IRP step will be to create a short list of the external team, including a pre-approved network security and privacy attorney (or breach coach), law enforcement contacts (at the state and federal levels), and a post-data breach team (for example, a forensics firm with appropriate expertise).82 Ultimately, a pre-approved network security and privacy attorney will be the quarterback for assisting in the institution’s build of a post-data breach panel of experts.83 Pre-approving relationships will assist with controlling costs at the point of a data breach or privacy loss.84

77 Id.

78 See PONEMON INSTITUTE, supra note 52, at 6 (explaining that an incident response team reduces the cost of a data breach or privacy loss by $19 per record).

79 See Tom Hagy, When a Data Breach Happens: Be Ready, Be Calm, and Preserve Evidence, LEXISNEXIS: CORPORATE LAW ADVISORY, https://www.lexisnexis.com/communities/corporatecounselnewsletter/b/newsletter/archive/2013/05/05/when-a-data-breach-happens-be-ready-be-calm-and-preserve-evidence.aspx (last visited Mar. 30, 2019) (“To prepare . . . ‘[i]t’s about getting a team together.’”).

80 LARISSA K. CRUM & BRIAN ZAWADA, FINDING THE RIGHT BALANCE: DATA BREACH PREVENTION VS. RESPONSE (2010), http://cbp.lsu.edu/wp-content/uploads/docs/366DataBreachPreventionvsResponse.pdf.

81 Id.

82 ALLCLEAR ID, INC., DATA BREACH INCIDENT RESPONSE WORKBOOK 5-7 (2014).

83 See id. at 2 (stressing the importance of getting outside professionals to review the plan).

The third pre-event IRP step will be to create a 24/7 contact list of both the internal and external teams.85 That way, there will be ease of communication from within and outside an institution.

The last pre-event IRP step will be ensuring that internal staff is appropriately trained on the IRP.86 This includes prompt communication of updated versions of the IRP, as well as tabletop exercises to simulate a data breach or privacy loss.87 Similar to the benefit of studying in advance for a test, replicating an actual event will ensure that your Higher Ed institution is better prepared to mitigate losses and protect the bottom line.

Post-Event IRP Steps

If an event occurs, and it likely will, tapping into your pre-approved network security and privacy attorney will be crucial.88 This will ensure appropriate legal oversight and the ability to rely upon attorney-client privilege and/or work product strategies in the event of subsequent litigation.89 There will also be a variety of areas to consider such as a forensic analysis, notification to impacted parties, retention of post-data breach experts to minimize adverse consequences, and reputational management. Each of these areas is highlighted in additional detail below.

84 See Craig Hoffman, How and Why to Pick a Forensic Firm Before the Inevitable Occurs, BAKERHOSTETLER (Nov. 16, 2015), https://www.dataprivacymonitor.com/cybersecurity/how-and-why-to-pick-a-forensic-firm-before-the-inevitable-occurs/ (recognizing the difficulty of negotiations under emergency conditions).

85 ALLCLEAR ID, supra note 82, at 9.

86 Id. at 7-8.

87 See id. at 2 (stressing the importance of making employees familiar with the plan).

88 Id.

89 Elissa Doroff & Melissa Ventrone, Protecting Privilege: Strategies to Keep Post-Cyber Breach Activities from Disclosure, AXA XL (Apr. 25, 2016), https://axaxl.com/fast-fast-forward/articles/protecting-privilege_-strategies-to-keep-post-cyber-breach-activities-from-disclosure.

Forensic Analysis

A forensic analysis will need to be undertaken to assess the nature and extent of the data breach or privacy loss.90 This analysis will include making a determination about the type of private and proprietary information at stake, along with potential notification obligations to impacted parties, commonly referred to as compliance assessment.91 Assuming private and/or proprietary information has actually, or potentially, been compromised, notification via one’s agent or broker to the applicable insurance carrier(s) will be crucial.92 Depending upon one’s negotiated insurance policy, the carrier may have an interest in partnering in the ongoing selection of retained legal and/or post-data breach firms.93 In the event one is looking for certainty in managing these relationships up-front, in order to avoid duplication of services and extra costs, policy terms and conditions should clearly outline who has the right to select and retain key relationships.94 Furthermore, in order to avoid compromising coverage, special attention should be given to the timeliness of reporting events generally.95

90 Patrick Haggerty, 3 Tips For Using Forensic Firms In Data Breach Response, LAW360 (Mar. 23, 2017), https://www.law360.com/articles/927094/3-tips-for-using-forensic-firms-in-data-breach-response.

91 See IT FORENSIC SERVICES, INVESTIGATING A DATA BREACH 1-2 (2014), https://www.ey.com/Publication/vwLUAssets/IT_Forensic_Services_-_Investigating_a_data_breach/$File/EY-IT-Forensic-Services-Investigating-a-data-breach.pdf (identifying the “who, what, when and how” of a breach and advising reporting and notification practicalities).

92 See 4 Steps to Help Manage a Data Breach, TRAVELERS INSURANCE, https://www.travelers.com/resources/cyber-security/how-to-manage-a-data-breach-the-safe-way (last visited Mar. 3, 2019) (describing how setting the strategy includes contacting your insurance agent and carrier).

93 See Craig R. Blackman, Cyber Insurance And The Defense Conundrum, PAMIC (Summer 2017), https://www.stradley.com/-/media/files/publications/2017/08/blackman---updated---cyber-insurance-and-the-defense-conundrum.pdf (stating that “[i]t is not uncommon in the cyber insurance market that the insurer controls the defense of claims under the policy”).

94 See id. (discussing the importance of policy control).

95 See Insurance Recovery: Can Your Company Handle a Data Breach and Are You Insured?, PERKINS COIE, https://www.perkinscoie.com/en/insurance-recovery-resource-library-1/cyber-attacks-and-data-breaches-insurance.html (last visited Mar. 3, 2019) (emphasizing that “[t]he policyholder should provide prompt notice of a claim or circumstances to relevant carriers”).

Notification to Impacted Parties

Assuming notification to impacted individuals is required, an appropriate mapping must occur based upon the victims’ locations.96 Depending upon the size and nature of the event, different venues will have specific notification requirements (e.g., email, mailing, etc.).97 Additionally, expertise in implementing appropriate notification template strategies will be the key to minimizing costs.98 As a part of the notification process, thoughtful consideration must be given to call center operations, frequently asked questions (in response to stakeholders), and applicable monitoring and/or restoration services, such as identity, credit, and/or healthcare.99 Beyond interacting with impacted victims, simultaneous strategies should be implemented with regard to managing relationships at the state and/or federal levels (e.g., attorneys general) and ensuring public relations communications are crisp and timely (reputational management).100

Post-Data Breach Experts

In the event a Higher Ed institution’s systems have been compromised, data restoration experts may need to be tapped in order to preserve and/or recover critical information.101 Similarly, to the extent that an institution’s systems have been impaired from functioning, a Higher Ed institution may find itself managing extra costs that it did not anticipate to continue business operations (referred to as “Extra Expenses”) or facing substantial business interruption losses generally (perhaps an inability to close a deal and win a desired student for tuition purposes).102

96 See Christopher Wolf, Introduction to Data Security Preparedness with Model Data Security Breach Preparedness Guide, IAPP (Apr. 2012), https://www.americanbar.org/content/dam/aba/administrative/litigation/materials/sac_2012/22-15_intro_to_data_security_breach_preparedness.authcheckdam.pdf (instructing the principal to identify legal jurisdictions involved by determining the location of customers, employees, and/or systems affected by the breach).

97 Louis Dempsey, Data Breach! What to Know About Where to Go . . ., NATIONAL SOCIETY OF COMPLIANCE PROFESSIONALS (May 2017), http://www.rrscompliance.com/documents/News/Data_Breach!_What_to_Know_About_Where_to_Go.pdf.

98 Id.; see generally Wolf, supra note 96.

99 Wolf, supra note 96.

100 See Jenny A. Durkan & Alicia Cobb, Breach Response: After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?, CYBERSECURITY LAW REPORT (May 20, 2015), https://www.quinnemanuel.com/media/1125067/cslr_after-a-cyber-breach-what-laws-are-in-play-and-who-is-enforcing-them.pdf (stating that “[a]ny significant breach involving consumer information likely will draw the attention of multiple state attorneys general”); see also Dan Twersky, Cyber Public Relations Expenses, WILLIS TOWERS WATSON WIRE (Dec. 18, 2015), https://blog.willis.com/2015/12/cyber-public-relations-expenses/ (discussing how public relations expenses may help mitigate negative media attention).

Avoiding Data Breaches or Privacy Losses: Training for Phishing and Strong Passwords

Fourth, targeted best practices for Higher Ed institutions should include training for phishing and the use of strong passwords.103

Phishing

Phishing is defined as “a technique used to gain personal information for purposes of identity theft, using fraudulent email messages that appear to come from legitimate businesses.”104 The goal of Phishing is “to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social Security Numbers.”105 In terms of managing against Phishing threats, recommendations might include being cautious about individuals and organizations asking for private and proprietary information, evaluating the legitimacy of an email by assessing whether the message originates from a different domain (a red flag), or generally looking for spelling and grammatical errors in the communication.106

101 Best Practices: Backing Up Data, TREND MICRO (Sept. 7, 2017), https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/best-practices-backing-up-data (noting that “[i]n one of the most significant cyberattacks of 2017, the WannaCry outbreak caused massive damage . . . to businesses around the world”).

102 Business Interruption and Cyber Incidents Dominate 2018 Risk Landscape, According to Allianz Risk Barometer, BUSINESS WIRE (Jan. 16, 2018), https://www.businesswire.com/news/home/20180116005424/en/Business-Interruption-Cyber-Incidents-Dominate-2018-Risk/ (noting that cyber incidents are the most feared Business Interruption trigger).

103 PONEMON INSTITUTE, supra note 52, at 17 (reporting that a third factor that decreases the cost of a data breach or privacy loss includes employee training—a $12.5/record reduction).

104 Russell Kay, Phishing, COMPUTERWORLD (Jan. 19, 2004), https://www.computerworld.com/article/2575156/security0/phishing.html.

105 Id.
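The “different domain” red flag and the “asking for private information” red flag, turned into triage logic that a help desk or mail-security team could run over a reported message; this is an added example, not from the article or any cited source, and the two sample messages, the institution domain example.edu and the red-flag codes are constructed for it.

```python
import email
from email.utils import parseaddr
from typing import List

# Terms that, in a message body, signal a request for the private data the
# article lists as phishing targets (passwords, account and card numbers, SSNs).
PRIVATE_DATA_TERMS = ("password", "account number", "credit card", "social security")


def domain_of(header_value) -> str:
    """Lower-cased domain from an address header such as 'Name <user@host>'; '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message (handles multipart too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def phishing_red_flags(raw_message: str, institution_domain: str) -> List[str]:
    """Return red-flag codes for one raw RFC 5322 message (defensive triage only).

    Checks: Reply-To / Return-Path domains that disagree with the visible From
    domain, a From domain that borrows the institution's name without being the
    institution's domain, and body text asking for private data.
    """
    msg = email.message_from_string(raw_message)
    flags = []
    from_dom = domain_of(msg.get("From"))

    # Replies or bounces routed to a domain other than the visible sender's.
    for header, code in (("Reply-To", "reply-to-mismatch"),
                         ("Return-Path", "return-path-mismatch")):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            flags.append(code)

    # Look-alike: the institution's name label appears in a foreign sender domain.
    label = institution_domain.split(".")[0]
    is_institution = (from_dom == institution_domain
                      or from_dom.endswith("." + institution_domain))
    if from_dom and not is_institution and label in from_dom:
        flags.append("lookalike-domain")

    # The body asks for the kinds of private data phishing is after.
    text = body_text(msg).lower()
    if any(term in text for term in PRIVATE_DATA_TERMS):
        flags.append("requests-private-info")

    return flags


# Constructed sample messages (not real mail) for a fictional example.edu campus.
SUSPICIOUS_MESSAGE = (
    'From: "Example University IT Help Desk" <helpdesk@example-university-support.com>\n'
    "Reply-To: reset@mail-verify.net\n"
    "Return-Path: <bounce@mail-verify.net>\n"
    "Subject: Urgent: verify your password\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Your account will be suspended. Reply with your password and\n"
    "Social Security number to keep access.\n"
)

BENIGN_MESSAGE = (
    'From: "Office of the Registrar" <registrar@example.edu>\n'
    "Subject: Spring course schedule posted\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "The spring schedule is now available on the student portal.\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, phishing_red_flags(raw, "example.edu"))
```

A flagged message is a candidate for review by the people the training describes, not an automatic verdict; legitimate bulk mail also uses third-party Return-Path domains.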

Strong Passwords

In addition to phishing, Higher Ed needs to consider the implementation of a strong approach to password management.107 This might include creating passwords with a combination of words, numbers, symbols, and upper- and lower-case letters, or contemplating words that form a complex phrase or sentence.108

8. CYBERSECURITY RISK FINANCING IN HIGHER ED

In addition to loss control, Higher Ed should consider appropriate risk financing strategies, including effective contract management with vendors and comprehensive cyber insurance to properly address third-party liability and first-party expense issues stemming from a data breach or privacy loss.109

Contract management and outsourcing

Beginning with contract management, if outsourcing does occur, Higher Ed institutions should make sure that they properly vet partnerships, including desired security standards.110 Bottom line, Higher Ed institutions are accountable for the private and proprietary information provided to third-party service providers, and small to mid-size institutions will struggle with bargaining power regarding favorable indemnification and hold harmless contract language.

106 Best Practices: Identifying and Mitigating Phishing Attacks, TREND MICRO (Feb. 10, 2017), https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attack.

107 See Brian Krebs, Password Do’s and Don’ts, KREBS ON SECURITY, https://krebsonsecurity.com/password-dos-and-donts/ (last visited Mar. 9, 2019) (providing instructions on how to create strong passwords).

108 Id.

109 PONEMON INSTITUTE, supra note 52, at 17 (reporting that a final factor that decreases the cost of a data breach or privacy loss includes third party involvement—$16.9/record reduction).

110 Teresa Meek, Outsourcing Cybersecurity: When And How To Bring In Contractors, FORBES (May 27, 2017), https://www.forbes.com/sites/eycybersecurity/2017/03/27/outsourcing-cybersecurity-when-and-how-to-bring-in-contractors/#fbe31266ca15 (noting that “[s]uccessful outsourcing . . . requires careful vetting of the contractor”).

Cyber Insurance

In addition to contract management, Higher Ed institutions need to look for a variety of insurance coverages.111 For starters, third-party liability insurance provides several key features, including defense costs and indemnity coverage associated with claims (e.g., lawsuits) brought against the Higher Ed institution by others (e.g., employees, students, donors).112 At a more granular level, specific coverages often include triggers for network security and privacy features, regulatory defenses and fines, penalties, consumer redress funds, PCI fines and assessments, system-to-system exposures, and impaired access injuries.113 Relatedly, if an institution chooses to outsource responsibility, policies may often address coverage for third-party service providers.114 Each of these third-party liability coverages is explored below.

Network security and privacy triggers

Higher Ed institutions should be looking to transfer risk for both unauthorized access to systems (a network security exposure) and negligent disclosure of private and proprietary information (a privacy exposure).115 Examples previously addressed include hacking, malware, rogue employees, and inadvertent disclosure of private information. Very importantly, from a private information perspective, a comprehensive definition should be included with a catch-all for “private information as defined by law.”116 Using a catch-all (in addition to more specific definitions of PII and PHI) will make sure that the coverage evolves with the times and anticipates legal and regulatory changes. Furthermore, business and proprietary information should be readily captured, as a third-party partner may sue an institution for compromising R&D in its care, custody, and control.117

Regulatory coverage

Not unlike other industry segments, the state and federal government will be interested in whether a Higher Ed institution is complying with its publicly stated position on network security and privacy. In addition to addressing defense costs associated with an enforcement action (e.g., an action by the government against an institution to determine compliance with a network security and privacy policy), policies should cover regulatory fines and consumer redress funds (the latter, funds to compensate victims associated with a particular breach or privacy loss).118

111 Richard S. Betterley, Cyber/Privacy Insurance Market Survey—2017, THE BETTERLEY REPORT, June 2017, at 1, 8-9.

112 Id. at 23-34.

113 Id. at 48-62.

114 Id. at 96-117.

115 Id. at 8-9.

116 Id. at 62-64.

117 Betterley, supra note 111, at 62-64.

PCI insurance

As suggested earlier, Higher Ed institutions standardly manage (or perhaps even outsource) responsibility for payment card information. Regardless of which path they choose, failing to properly protect card data (PII) can result in PCI fines (e.g., penalties) and assessments (e.g., fraud recovery losses and notification costs being shifted to the institution for not adhering to industry standards). A robust insurance program will check off the box for PCI coverage and ensure a proper limit of liability that corresponds with an institution’s exposure.119

System-to-System exposures

It is fair to assume that Higher Ed routinely targets diverse stakeholders with institutional communications, including prospects, students, parents, donors, and alumni. To the extent institutions are impacted by bad actors (e.g., malware, phishing), they have the potential to inadvertently transmit viruses from their systems to these stakeholders. Consequently, a viable cyber insurance program will ensure proper liability coverage for system-to-system exposures.120

Impaired Access injuries

With the growth of online content being delivered internationally, students (customers) are often accessing institutional systems (e.g., Blackboard) to take a variety of classes. If a cyber-attack impacted the ability of an institution to timely provide access to services (e.g., an impaired access exposure), institutions have the potential to be sued by students (including on a class action basis). As a result, cyber insurance should routinely include impaired access coverage.121

118 Id. at 55-57.

119 Id. at 58-59.

120 Id. at 12.

Outsourcing

In an effort to control costs, and perhaps maximize technical expertise, Higher Ed institutions may outsource responsibility for private and proprietary information to third-party service providers. A word of caution: outsourcing does not negate an institution’s legal responsibility for adequately protecting the information. As a result, cyber insurance should be broadly crafted to capture third-party service provider relationships, and desired capacity (how much coverage is being carried) should match the institution’s primary limits of liability.122

First-party expense

In addition to third-party liability coverages, Higher Ed institutions should also carefully analyze the diversity of first-party expense coverages from a risk transfer perspective.123 While not all exposures are readily insurable, first-party insurance provides several standard features, including reimbursement for expenses that the institution incurs regardless of whether a third-party liability claim is brought. Specific coverages often include crisis management and privacy notification expenses, business interruption and extra expense losses, cyber-extortion expenses, and data remediation costs.124 Like the third-party liability coverages, if an institution chooses to outsource responsibility for private information, policies should be built to address third-party service providers.125 Let us look at each of these coverages in turn:

Crisis Management Expenses

To the extent an event occurs, a Higher Ed institution will need to retain a forensic expert to evaluate the nature and scope of the impacted information. Further, a network security and privacy attorney must evaluate the legal and compliance-related requirements associated with the compromised data. Lastly, it will be important to proactively manage advertising and public relations messaging surrounding the event. As a result, Crisis Management Expense coverage will reimburse institutions for the cost of a forensic evaluation, legal and compliance assessments, and public relations costs.126 Forensic and legal expenses, in particular, are very critical coverages which often drive significant exposure to a company’s bottom line.127

121 Id. at 23-34.

122 Id. at 96-117.

123 Betterley, supra note 111, at 65-67.

124 Id. at 65-67, 78-81.

125 Id. at 96-117.

Privacy Notification Expenses

After performing forensics, and assessing legal and compliance-related obligations, a Higher Ed institution may need to notify others (e.g., impacted students, parents, donors, and employees) impacted by a data breach or privacy loss.128 Privacy Notification Expenses will reimburse for the cost of notification along with providing key monitoring and/or restoration services to victims.129 Depending upon the nature of the information, examples might range from credit and identity, to healthcare records monitoring and/or restoration.

Business Interruption and Extra Expenses

A data breach or privacy loss has the potential for an institution to incur expenses that it would not have otherwise incurred but for the event. Here, extra expenses, or reasonable expenses that a company incurs to continue business operations, are transferred from an institution to an insurance carrier.130 Moreover, to the extent an event is severe enough to compromise an institution from doing business, Business Interruption Expenses may be purchased to transfer risk.131

Cyber Extortion Expenses

Consider the possibility that a hacker obtains full control over your systems and looks to extort payment (perhaps from a rainy day fund) in order to release control back to the institution. Sound unthinkable? In fact, just the opposite is true, as ransom-related demands have skyrocketed against a diverse number of industries. As a benefit of insurance, Cyber Extortion Expenses can be covered, including the cost of a negotiator and ransom payments made directly to a hacker.132

126 Id. at 65-67.

127 Id. at 25.

128 Id. at 9.

129 Betterley, supra note 111, at 65-67.

130 Id. at 23-34.

131 Id. at 12.

Data Remediation Costs

A network security event has the potential to wreak havoc with a Higher Ed institution’s system functionality. This raises the primary issue about the costs to correct the system(s) but also the secondary issue associated with the cost to rebuild data, including cutting edge R&D that might otherwise be lost. As such, a robust cyber insurance program will include Data Remediation Cost coverage.133 This will ensure that systems are corrected and that viable content is potentially preserved for future usage.

A Reminder About Outsourcing

As noted above, Higher Ed institutions often outsource responsibility for private and proprietary information to third-party service providers. However, outsourcing does not negate an institution’s legal and compliance-related responsibilities for adequately protecting information (think notification and monitoring/restoration). Therefore, cyber insurance should be broadly crafted to capture third-party service provider relationships, and desired capacity (how much coverage is being carried) should match the institution’s primary limits of liability.134

SUMMARY AND CONCLUSIONS

Higher Ed institutions need to appreciate that they are not immune from hackers or even simple employee negligence. Notwithstanding their struggles with enrollment and budgetary restrictions, institutions have diverse and sensitive PII, PHI, and R&D worth aggressively protecting.

This paper explored the inherent conflict between scarce financial resources and the importance of prioritizing and managing a strong cybersecurity posture. It emphasized themes associated with data breaches and privacy losses, including hacking, malware, and unintended disclosure. It also reinforced the challenging cybersecurity landscape within Higher Ed along with legal, regulatory, and compliance-related consequences that have the potential to exacerbate the financial and reputational concerns associated with a data breach or privacy loss. Lastly, the paper explored best practices for striking the right balance between Higher Ed’s financial circumstances and the long-term benefits of implementing robust cybersecurity strategies. This included a focus on appropriate loss control and risk financing measures such as the importance of a written network security and privacy policy, proper budgeting, incident response planning, enhanced training of staff, strong vetting of external partnerships, and comprehensive risk transfer.

132 Id. at 84-87.

133 Id. at 65-67.

134 Id. at 96-117.

Overall, appropriate investment in cybersecurity must be made to protect Higher Ed’s fortress. The failure to do so has the potential to reduce sustainable growth, isolate key stakeholders, and detrimentally impact organizational health and longevity.