In early December, Michigan State University (MSU) announced that it had suffered a breach in which hackers gained access to a school database of about 400,000 records. MSU is spending an estimated $2.9 million on identity theft protection in the wake of the data breach, highlighting the need for educational institutions to take cyber security seriously and be prepared for such incidents.
According to a statement from university President Lou Anna K. Simon, MSU will provide credit monitoring and identity theft protection free of charge to everyone affected. “We have a reserve fund that we have set aside that is used to pay deductibles for insurance claims and general liability claims and the money will come from that reserve fund,” university spokesperson Jason Cody said.
According to reports, the university discovered the breach on November 13 when a ransom demand was made for stolen data. This demand enabled MSU to identify the breach and immediately take action, limiting the hacker’s access to only 449 records. Although those records included the names and Social Security numbers of students and staff, they did not include full academic, financial, or health records, according to MSU.
The cyber incident is MSU’s second data breach this year and its fourth significant incident since 2012, according to cyber security blog Security Affairs. In October hackers stole and posted on the website Pastebin the user names, logins, phone numbers and email addresses for individuals in the university’s system.
MSU is just the latest in a line of educational institutions to announce a data breach. Early in 2016, the University of Central Florida announced a data breach that affected approximately 63,000 current and former students, faculty, and staff. Unknown cyber criminals compromised the university’s computer system and stole a variety of information including Social Security numbers, first and last names, and student/employee ID numbers. In addition, in February 2016, it was announced that the financial data of more than 80,000 University of California, Berkeley students, alumni, employees, and school officials was compromised around December 2015. The school says that although it was clear its system was hacked, it does not appear that any information was stolen. Those who may have been affected were notified and encouraged to keep an eye on their personal information.
In another case, current and former employees of Tidewater Community College (TCC) in Norfolk, Virginia had their personal information stolen in a tax season phishing scam. An employee in the school’s finance department received a request from a fake TCC e-mail address asking for all W-2 information. The individual, not realizing the e-mail was fake, responded with sensitive information including names, earnings, and Social Security numbers. TCC’s spokesperson has said that at least 16 TCC employees have reported false tax returns filed under their Social Security numbers.
Educational institutions increasingly face threats from cybercriminals, making it critical for colleges and universities to have in place detailed data breach response plans developed in conjunction with highly qualified cyber security professionals, legal counsel and an insurance and risk management advisor. Some of the issues to address include:
- Creation of a data breach response team
- Training for board of directors and other key personnel
- Identifying the organization’s statutory data privacy obligations and the notifications required in case of breach
- Identifying and managing the scope of data-protection obligations under non-disclosure agreements and other contracts with third parties
- Ensuring that appropriate data protection and cyber security clauses are included in vendor contracts
- Assessing Cyber Liability insurance policies, terms and exclusions
- Managing internal investigations of breaches, with an emphasis on maintaining attorney-client privilege for communications during those investigations
- Managing investigations by regulatory agencies including the Office of Civil Rights, Department of Health and Human Services, state attorneys general, and the Family Policy Compliance Office of the U.S. Department of Education
We can assist you in reviewing an educational institution’s insurance program, including its Cyber Liability coverage. RPS specializes in providing end-to-end insurance solutions for colleges and universities. Contact us for more information.