Data breaches at colleges and universities are on the rise. These institutions are targets because their networks have access to a large amount of private information, including educational and medical records, as well as employees’ personal data. But in other instances, their systems are being attacked for malicious sport. According to the Ponemon Institute, data breaches at academic institutions cost in excess of $300 per compromised record. As illustrated by a recent incident at the University of Maryland (where approximately 300,000 students’ personal information may have been compromised), the potential financial and reputational impact could be crippling.
Data breaches will happen, but academic institutions should take certain measures now to protect themselves against – or at the very least minimize – their exposure in the event of a breach.
- Implement privacy and security policies and procedures that are known and adhered to across the institution. A privacy and security policy is critical to ensure that the institution: prevents unauthorized access to devices and systems; implements technical security controls; routinely updates its process for analyzing potential cybersecurity threats; and controls or limits student and employee access to information technologies and systems. To mitigate potential claims, steps should be taken now to ensure that training and compliance programs are in place, that such programs are regularly updated, and that employee attendance is mandated and tracked.
- Prepare a corrective action plan in the event of a breach. Institutions must have an immediate response – both internally and externally – in the event of a data breach. The response should reach all relevant parties, disclose the breach, describe mitigation efforts, and address questions that will arise.
- Enhance privacy and security-related language in vendor and partner agreements. Liability risks for data breaches may be mitigated through the front-end assessment of contracts and business relationships. Institutions should: review vendor and partner agreements for indemnity and warranty provisions that may offer protection in the event of a data breach; review the privacy and security policies of all business partners; and analyze the gaps in indemnity protections, including whether the college or university has the right to control the defense, select counsel, and make settlement decisions.
- Consider cyber insurance. Traditional policies, such as property, errors and omissions, and comprehensive general liability, may cover certain cyber-related losses. However, these risks are now frequently excluded, and insurers resist paying claims under such policies, even without specific exclusions. Cyber-liability policies address data breach risks, and will cover specific costs that will likely not be covered under a traditional policy (e.g., forensic investigation, breach response and notification costs). Moreover, many of these policies cover the institution’s first-party losses, as well as associated breach response costs, including a forensic investigation, public relations experts, and support teams for customer queries and client care. There is no recognized standard form for cyber insurance, and terms may be negotiable, so it is important to carefully review proposed policy forms to make sure they meet the needs of the institution.