[Editor’s Note: This article was first published on the TCEA TechNotes blog.]
Have you read the latest newsflash? School district data breaches are on the rise, and your school district’s student information system (SIS) data could be a prime target for hackers. The SIS contains records of minors, representing an unexploited, potential victim. Identity thieves are sharpening their digital knives for the feast. Let’s explore this topic from a cyber liability insurance perspective.
Framing the discussion
Keep these questions in mind as we step through this relevant topic.
- What is cyber liability insurance and how does it work?
- Are there any laws about the management of student and employee records?
- How susceptible is my school district to a data breach?
- How can my district mitigate the risks of a data breach?
What is cyber liability?
Are you looking for an insurance policy designed to manage risks and costs associated with a data breach? Most providers have recognized the growing threat and now offer a policy known as Cyber Liability Insurance Coverage (CLIC). Did you know that the average cost of data-breach mitigation is $245 per record, which is $45 dollars higher than the worldwide average according to a study by the Ponemon Institute. Ask your school district insurance provider for a rider or enhancement. Learn more about cyber coverage.
Related: 5 different ways IT directors handle student data privacy
What factors into the cost of a data breach?
This education sector cost takes the following factors into consideration:
Investigation – After a breach, affected parties take several actions. Those actions include a detailed forensic analysis that facilitates identification of three things. The first is how the breach occurred. The second is the number of records affected. The third is how to prevent the breach from happening again. To achieve this, there must be involvement from a third-party security firm and coordination with law enforcement.
Business loss – These are costs associated with data loss recovery, potential district closure, crisis management, and repairing reputation damage.
Privacy and notification – Notifying affected people of a breach can be expensive. You must notify students, parents, staff, and the community. What’s more, credit monitoring may be an extra cost. Those who suffered data loss or theft would typically receive this credit monitoring at no charge to themselves.
Lawsuits and fines – Your organization will incur legal expenses (e.g., lawsuits, settlements) and possibly regulatory fines. Your district may even have to pay cyber extortion in the case of ransomware.
As mentioned, the cost of legal expenses plays a big part.
Did you know you must inform affected parties of a security breach? If a security breach compromises private data, you must say so per the Texas Identity Theft Enforcement and Protection Act. What’s more, you may face fines at $100 per record/per day up to $250,000 per breach.
Need to know more about the law? Check out the National Conference of State Legislatures’ Student Data Privacy page, which lists detail about state policy approaches.
Assess your organization’s risk level
No school district wants to place their sensitive data at risk. Here are a few guidelines to aid in the determination of your risk level. What’s more, they will help you identify areas where you may be more vulnerable.
The attack vectors
“Attack vector is a path or means through which a hacker gains access to your digital content,” says Amit Kumar Sharma. Here are potential school district attack vectors:
- The Student Information System (SIS).
- Public Education Information Management System (PEIMS) data stored in your business applications. It resides along with your business applications.
- People who work with sensitive data. Each person (e.g., IT/HR personnel) that handles sensitive data may inadvertently expose it.
- Website security protocols and certificates (e.g., outdated Secure Socket Layer (SSL), FTP).
- Offsite placement of sensitive data (e.g., third-party vendor).
- Unsecured employee email and/or cloud storage.
Cyber liability insurance providers need to know you have secured data. They may ask questions such as the following:
- If personnel are handling data, are they encrypting it?
- Are you accessing confidential data over an insecure connection from a remote location?
- How are you sending sensitive data via email, if at all?
- Do staff know to not place unencrypted data on USB flash drives for transport?
Related: Data access is easier than ever, but is that a good thing?
On August 12, 2016, the largest school district in San Antonio, Texas suffered a data breach. The breach affected almost 23,000 students and faculty. An unauthorized individual gained entry via an employee email account.
Tips to protect against a breach
Here are some tips to keep in mind:
- Never share passwords, period
- Enable and use two-factor authentication to access key systems
- Secure your workstation and log out when you get up from your desk
- Ensure physical/network security for offices, MDFs, and IDFs in server/network closets
- Use security protocols for network, vLAN, wireless SSID, and firewall configurations
- Verify security for essential services including email, SIS applications, local area network logins, and VPN access
- Put strong password policies in place
Hot tip: Use a pass phrase or a short sentence without spaces instead of a password. Include a number and the punctuation, and you’ve got yourself a very strong password. Example: “KeepAust1nweird!” or “Ilov3mydogSally!” Learn more.
Educate and protect
Education is key. No district can afford down time due to a cyber security breach. Coach your faculty and coworkers on security best practices and plan ahead for how you will handle sensitive data.