According to statistics compiled by the Educational Security Incidents website, which reports on security incidents affecting institutions of higher education, more than 102 different educational institutions reported security incidents in 2009 that affected individuals whose personal information was collected, used, and disclosed in the college and university environment. Over that one-year period, these incidents exposed 1,043,532 records containing personal information. Although this was a sharp decrease from prior years, the number of security incidents in the educational sector still exceeds that of most other industry sectors in the nation. Further, with nearly 50 incidents already reported at the time of writing, institutions of higher education clearly continue to face challenges in protecting the data they maintain and manage.
In the foregoing security incidents, nearly all of the compromised records involved the misuse, inappropriate access, or disclosure of Social Security numbers; however, many of these incidents also affected educational, financial, and health data. Managing and protecting these various types of data is complicated by the numerous constituencies from whom personal data is collected. Colleges and universities may collect personal data from students, faculty, staff, parents, alumni, retail customers, and patients, among others. Further, many regulations govern the use and protection of this data, including the Family Educational Rights and Privacy Act (FERPA), state breach notification laws, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and, after December 31, 2010, the Red Flags Rule. Finally, meeting compliance obligations for the protection and appropriate use of this data is made harder still by the fact that business activities and processes are often decentralized and distributed throughout the college or university environment.
A study authored by PGP Corporation, a global enterprise data protection company, and the Ponemon Institute, a privacy and information management research firm, published in 2009, found that data breach incidents cost U.S. companies $204 per compromised customer record in 2009 (compared to $202 in 2008). The average total cost per incident in 2009 was $6.75 million, compared to $6.65 million in 2008. Beyond the direct costs of notifying individuals, providing credit monitoring services, and paying legal fees and administrative expenses, educational institutions can face other liabilities as a result of a security or privacy incident. Federal and state regulators have stepped up their enforcement activities, and penalties for violations of these privacy and data protection laws can include onerous consent decrees requiring the supervised development and management of privacy and security programs and security audits for 10 to 20 years, fines in the seven figures, and criminal and civil liability for those who violate applicable laws.
Protecting the personal information of the students, employees, customers, and other individuals who use and support your institution and its services presents significant challenges in today's dynamic and complex legal and operational environment.