March 23, 2018

March 22, 2018

Subscribe to Latest Legal News and Analysis

March 21, 2018

Subscribe to Latest Legal News and Analysis

March 20, 2018

Subscribe to Latest Legal News and Analysis

Michigan State Data Breach and the Value of Preparedness

Michigan State University’s announcement earlier this month that hackers had gained access to a school database of about 400,000 records highlights why colleges and universities are such tempting targets for hackers and just how important it is to prepare for a data breach.

Reports indicate that the university discovered the breach on Nov. 13 when a ransom demand was made for stolen data. This demand allowed the university to identify the breach and quickly take action, limiting the hacker’s access to only 449 records. And while those records included the names and social security numbers of students and staff, they did not include full academic, financial, or health records, according to the university 

Affected individuals are being notified and offered credit monitoring and other services. While the number of records involved is small, the cost to the university likely will not be. A recent study sponsored by IBM found that a data breach costs an organization nearly $7.01 million on average.

This is Michigan State’s second data breach this year and its fourth significant incident since 2012, according to cyber security blog Security Affairs. In October hackers stole and posted on the website Pastebin the user names, logins, phone numbers and email addresses for individuals in the university’s system.

A similar ransomware breach was announced on Dec. 1 at Carleton University in Canada.  Details about that breach are still emerging, but early indications are that the university will be able to restore its systems without paying ransom.

These events highlight the increasing prominence of ransom demands in cybercrime. Cybercriminals are shifting focus away from mass theft of payment card information and personal data – usually from large retailers and insurers – and are turning their focus to smaller, data dependent entities where stolen data or entire IT systems can be held hostage.

In light of these trends, educational institutions can expect to see increasing threats from cybercriminals and in turn expect to see increasing legal responsibilities. As such, it is critical for colleges and universities have in place detailed data breach response plans developed in consultation with highly qualified cybersecurity professionals, including legal counsel.

An experienced data management and cybersecurity attorney will advise on:

  • Creation of a Data Breach Response Team

  • Training and table top exercises for board of directors and other key personnel

  • Identifying the organization’s statutory data privacy obligations and the notifications required in case of breach

  • Identifying and managing the scope of data protection obligations under non-disclosure agreements and other contracts with third parties

  • Ensuring that appropriate data protection and cyber security clauses are include in vendor contracts

  • Assessing cyber insurance policies, terms and exclusions

  • Managing internal investigations of breaches, with an emphasis on maintaining attorney client privilege for communications during those investigation

  • Managing investigations by regulatory agencies including the Office of Civil Rights in Department of Health and Human Services (HIPAA), States’ attorney generals, and the Family Policy Compliance Office of the U.S. Department of Education (FERPA)

According to, there have been over 800 data breach incidents at educational institutions and 15,000,000 records breached at educational institutions since tracking began. 

Cybercriminal have an unfair advantage over their victims:  It takes only one mistake for cybercriminals to get into a system, victims must protect against all vulnerabilities.  But thoughtful planning and vigilance can dramatically limit how much damage cybercriminals cause when a breach occurs.

Copyright © 2018 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Beth Tyler Jones, Womble Carlyle Law Firm, Employment and Education Law Attorney

Beth practices primarily in the areas of employment and education law. She concentrates her practice on providing effective counseling and compliance assistance to enable her clients to manage risks proactively. She is a leader of the Firm’s Education Team.

Beth uses her experience as a human resources professional and in-house legal counsel to assist employers, both public and private, in complying with all federal and state employment laws including preparing policies, procedures, programs, plans, handbooks...

Benton Zeigler lawyer, Womble Carlyle Law Firm, Cybersecurity and Environmental law Attorney

Belton Zeigler brings more than 30 years of experience to his South Carolina-based cybersecurity and utility, environmental and energy practice. He has served as General Counsel to a major electric utility, and also served as Vice President for industrial customer relations, power marketing and strategic planning.

Belton has participated as a lead attorney in multiple general gas and electric rate cases and numerous smaller regulatory proceedings. He worked with the South Carolina General Assembly to draft the Base Load Review Act, the Distributed Energy Resources Act, and the Natural Gas Rate Stabilization Act. Zeigler has extensive experience in the state regulation of solar and nuclear power and has been instrumental in shaping South Carolina’s laws regulating those industries.