June 26, 2022

Volume XII, Number 177


Michigan State Data Breach and the Value of Preparedness

Michigan State University’s announcement earlier this month that hackers had gained access to a school database of about 400,000 records highlights why colleges and universities are such tempting targets for hackers and just how important it is to prepare for a data breach.

Reports indicate that the university discovered the breach on Nov. 13 when a ransom demand was made for stolen data. This demand allowed the university to identify the breach and quickly take action, limiting the hacker’s access to only 449 records. And while those records included the names and social security numbers of students and staff, they did not include full academic, financial, or health records, according to the university.

Affected individuals are being notified and offered credit monitoring and other services. While the number of records involved is small, the cost to the university likely will not be. A recent study sponsored by IBM found that a data breach costs an organization nearly $7.01 million on average.

This is Michigan State’s second data breach this year and its fourth significant incident since 2012, according to cyber security blog Security Affairs. In October hackers stole and posted on the website Pastebin the user names, logins, phone numbers and email addresses for individuals in the university’s system.

A similar ransomware breach was announced on Dec. 1 at Carleton University in Canada.  Details about that breach are still emerging, but early indications are that the university will be able to restore its systems without paying ransom.

These events highlight the increasing prominence of ransom demands in cybercrime. Cybercriminals are shifting focus away from mass theft of payment card information and personal data – usually from large retailers and insurers – and are turning their focus to smaller, data-dependent entities where stolen data or entire IT systems can be held hostage.

In light of these trends, educational institutions can expect to see increasing threats from cybercriminals and in turn expect to see increasing legal responsibilities. As such, it is critical for colleges and universities to have in place detailed data breach response plans developed in consultation with highly qualified cybersecurity professionals, including legal counsel.

An experienced data management and cybersecurity attorney will advise on:

  • Creation of a Data Breach Response Team

  • Training and tabletop exercises for board of directors and other key personnel

  • Identifying the organization’s statutory data privacy obligations and the notifications required in case of breach

  • Identifying and managing the scope of data protection obligations under non-disclosure agreements and other contracts with third parties

  • Ensuring that appropriate data protection and cyber security clauses are included in vendor contracts

  • Assessing cyber insurance policies, terms and exclusions

  • Managing internal investigations of breaches, with an emphasis on maintaining attorney-client privilege for communications during those investigations

  • Managing investigations by regulatory agencies including the Office of Civil Rights in the Department of Health and Human Services (HIPAA), States’ attorneys general, and the Family Policy Compliance Office of the U.S. Department of Education (FERPA)

According to privacyrights.org, there have been over 800 data breach incidents at educational institutions and 15,000,000 records breached at educational institutions since tracking began. 

Cybercriminals have an unfair advantage over their victims: It takes only one mistake for cybercriminals to get into a system, while victims must protect against all vulnerabilities. But thoughtful planning and vigilance can dramatically limit how much damage cybercriminals cause when a breach occurs.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

National Law Review, Volume VI, Number 340

About this Author

Beth Tyner Jones, Partner, Womble Bond Dickinson (US) LLP

Beth is a leader of the firm’s Education and School Law Team, head of its Employment and Pensions Service Team and Managing Partner of the Research Triangle Park and Raleigh, NC offices. She builds upon her experience as an HR professional, in-house employment lawyer and a college faculty member to defend employers and serve as a trusted adviser to educational institutions.

As outside general counsel to colleges and universities, Beth advises on compliance, policy and liability matters affecting campuses including student unrest on campus,...

919-755-8177
Benton Zeigler lawyer, Womble Carlyle Law Firm, Cybersecurity and Environmental law Attorney
Partner

Belton Zeigler brings more than 30 years of experience to his South Carolina-based cybersecurity and utility, environmental and energy practice. He has served as General Counsel to a major electric utility, and also served as Vice President for industrial customer relations, power marketing and strategic planning.

Belton has participated as a lead attorney in multiple general gas and electric rate cases and numerous smaller regulatory proceedings. He worked with the South Carolina General Assembly to draft the Base Load Review Act, the...

803-454-7720