Data Security and Higher Education
Historically, educational institutions have accounted for a large share of all reported data breaches, producing substantial losses. Taking steps to prevent these losses is essential. The complexity of academic culture and the need for the open exchange of information and ideas mean that institutions of higher education face a far more complicated data security situation than corporations do.
While enterprise data security systems are designed around the needs of businesses, colleges and universities must uphold the free exchange of ideas while keeping students' personal data secure and complying with many state and federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act, the Sarbanes-Oxley Act (SOX), the federal Privacy Act and others.
Risk Factors
Several common characteristics of university computing environments place your institution at risk of a data breach:
- To maximize usability, university network systems are often configured to allow multiple points of access.
- Outsourced IT entities and other service providers (e.g., e-mail systems, financial aid disbursement or ID card management) may have direct access to the network, increasing potential exposures.
- Decentralized departments disconnected from central IT operate independently and follow loosely defined security and privacy practices, increasing the risk to the parent organization.
- Ubiquitous use of social networking sites by students leads some institutions to monitor student behavior, which could create a duty of care to protect students from dangerous or criminal behavior.
- Limited resources for securing networks lead to widespread use of free security software, which may be less effective than a solution tailored to the institution.
- Research universities often have highly confidential or sensitive information stored on their systems, which can be a lucrative target for cyber attacks.
- Universities that host clinical or other human subject research must also comply with the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules.
Designing Reasonable Security
IT departments can take several steps to maximize the security of university computing systems. Unfortunately, increased security generally means inconvenience and less utility, given the need to exchange information freely within the academic community. To keep this balance, educational institutions should proactively take the following actions:
- Establish a baseline for security and benchmark progress against it.
- Be aware of how different departments share information.
- Govern the network behavior of students, researchers, visiting professors and administrative staff through permissions, access control, defined roles and real-time monitoring.
- Identify existing system vulnerabilities and prioritize eliminating them.
- Monitor and maintain systems continuously.
- Automate security processes, and schedule routine tasks and reports to stay informed about performance.
- Ensure that patches are applied in a timely manner.
- Conduct regular audits to confirm that policies are being followed and to identify irregularities or potential breaches.
- Support auditing activities with real-time intrusion detection on critical systems.
In the Event of a Breach
Whether or not federal legislation such as FERPA, FACTA or HIPAA imposes a notification obligation on your institution, many institutions of higher education are subject to state breach notification statutes, many of which require swift public disclosure of any potential breach of personally identifiable information. Consult an attorney to determine which statutes apply to your institution.
A lawsuit claiming negligence must demonstrate that accepted standards of performance were not met, and that the plaintiff suffered some form of direct harm as a result of the negligence.
Contractual Allocation of Risk
Since a sizable portion of reported breaches involve external partners, consultants, outsourcers and contractors, it is advisable to determine the boundaries of liability before sharing confidential information for business purposes. Even commonplace outsourcing arrangements can lead to complicated chains of liability involving subcontractors. Take the following steps to mitigate risk:
- Clearly define responsibility.
- Ensure proper precautions are taken when data is outside the control of the academic institution.
- Limit the contractual liability of the institution in the event of a data breach.
- Work closely with an attorney and INSURICA to make sure that insurance requirements, contractual indemnities and your institution's insurance policies work together.
Your Insurance Policy
It is essential to review your general liability and property policies to determine the extent of coverage for data breaches. Exclusions are common, as general liability carriers increasingly offer standalone network security and privacy policies instead. INSURICA can help you determine what additional coverage, if any, is required to effectively protect your institution from data breach liability exposures.
This article is not intended to be exhaustive nor should any discussion or opinions be construed as legal counsel. Readers should contact legal counsel or an insurance broker for appropriate advice. (c) 2011 Zywave, Inc. All rights reserved.