There’s no question that cyber attacks against the education sector have been increasing, in both K-12 and higher education. And while there are guidelines like NIST available to help schools proactively build effective cybersecurity programs, and FERPA to protect student information, budget is still not always allocated due to the lack of oversight and enforcement.
Schools tend to be “softer targets” with less security controls, monitoring and expertise than commercial businesses, but plenty of valuable data that can be leveraged for ransom and/or sold on the Dark Web. Doug Levin, President of Ed Tech Strategies confirmed that schools should not wait to bolster their security. “Unless they take cybersecurity more seriously, there will be legal action,” he said. “We’re starting to see lawsuits filed and potential legal action being brought by those who are affected by these incidents.”
Here are several examples of lawsuits resulting from cyber incidents:
Tipton County Board of Education – Sued for $19M after Board of Education responded to a phishing email with W2 information.
Maricopa Community College – Maricopa’s breach response was dismal; affected parties were not notified for seven months. The FBI had warned the college back in 2011 that personal information from a MCCCD database had been found for sale on the Dark Web, but the college still had not addressed vulnerabilities. Final costs were estimated at almost $20M with 2.3M in legal fees, as well as remediation and damages.
University of Central Florida – UCF settled a lawsuit that resulted in the exposure of 63,000 social security numbers. Terms of the settlement include a $1M annual spend to add three internal information security positions and a full time internal information security auditor. They also spent an estimated $900,000 on technical controls.
Don’t assume insurance will cover you. Cyber policies may not cover certain costs, such as employee error, notification expenses, litigation, or fines.
If fulfilling their duty to protect the information on their staff and students is not enough incentive to take proactive measures to assess and improve their cybersecurity, schools may also want to consider what happened in the public sector when commercial businesses took a reactive approach and breaches became the norm. Multiple government agencies, including the FTC have begun proactively looking at security measures, assessing fines, and putting lax organizations into multi-year remediation programs costing them far more than they would have spent being proactive. Could the education sector be next on the list for proactive cybersecurity enforcement?