The University of Maryland announced on February 19th that it is the most recent university to fall victim to a data breach. According to the University’s President, UM was the target of a “sophisticated” computer attack that exposed the personally identifiable information (PII) of over 300,000 individuals. Specifically, the hack targeted records that relate to the University’s student identification (ID) system and thus compromised the PII of various students and staff who had been issued a University ID since 1998. The compromised PII includes names, Social Security numbers, dates of birth, and University ID numbers.

The compromised records were maintained by the school’s IT Department and protected by “sophisticated, multi-layered security defenses” that the hackers were nonetheless able to bypass. This reflects the painful reality that data breaches are often a matter of when, not if, especially for universities.

Educational institutions are particularly attractive targets for both cyber criminals and state-sponsored groups. As repositories of extensive personal, financial, and health information, they offer a wealth of opportunity for identity thieves. The intellectual property that many research institutions generate is similarly appealing to state-sponsored actors looking to capitalize on U.S. economic investments. As the New York Times has reported, at least one university has faced up to 100,000 daily penetration attempts from China alone. It thus comes as no surprise that dozens of educational institutions – many with highly sophisticated defense systems in place – have reported data breaches in recent years.

Not only are the risks to educational institutions substantial, but the consequences are also daunting. Educational institutions are subject to numerous federal laws governing data protection, including FERPA, the Gramm-Leach-Bliley Act, and the Federal Trade Commission Act, as well as a number of state laws. The collection and analysis of health data that many universities undertake may also trigger a range of obligations under HIPAA and the HITECH Act. Finally, those receiving government funding must ensure compliance with other unique requirements, such as those arising under their government contracts.

Cyber events need not be devastating. Educational institutions can and should take a variety of proactive steps to ensure that they are adequately protected against cyber attacks, yet prepared for data breaches. Risk assessments, such as that outlined in the recently released Cybersecurity Framework, and detailed incident response plans are essential. In the event that a breach does occur, universities should immediately hire experienced counsel to manage the inevitable notification requirements and reinstitution of privacy safeguards. Just as importantly, responsible counsel can assess and minimize litigation exposure, particularly that posed by class actions. These and other measures – both preventative and responsive – can mean the difference between catastrophe and calm.

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey L. Poston Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years…

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Read more about Jeffrey L. Poston
Show more Show less
Photo of Kate Growley Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations…

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Read more about Kate Growley
Show more Show less
Related Posts
AI-Powered Chatbots:  Mythical Super Creature or Legal Trojan Horse
June 6, 2023
SEC Encourages Internal Accounting Controls to Guard Against Cyber Fraud
November 8, 2018
FERC Proposes to Require Expanded Cyber Security Incident Reporting
January 17, 2018