Students. Faculty. University Health Services. Insurance providers. Campus police. Alumni donors. Research centers. Registrars. Disciplinary committees.
If you’re a university, these are just some of the parties at risk of leaking your most sensitive data, most of which must be protected by law.
As organizations that rely on so many different groups to execute their mission, universities face significant pressure to protect sensitive information as it travels across those groups.
Judging by the numbers, most universities are struggling to keep up with this responsibility to ensure data protection and satisfy related compliance regulations. According to a report by Ellucian, 17% of all data breaches in the past decade occurred in higher education – the second highest of any industry besides healthcare. Universities experience an average of more than one data breach per week, with average fines for these breaches totaling up to $4 million.
Michigan State University, for example, lost an estimated $3 million from its 2016 security incident, which also required the school to purchase free credit monitoring services for all affected users. The incident occurred when hackers infiltrated a network database containing 400,000 student and faculty records, exposing Social Security Numbers, university access credentials, and other sensitive information.
There’s no single organization or set of rules that regulates university data protection and privacy across the board. FERPA compliance regulates a range of data, including academic records, Personally Identifiable Information (PII), billing info, and some medical records. Other student medical records are governed by HIPAA, as are records for non-student patients. There are also PCI rules that apply to financial data and PII in a financial context. Certain research may be governed by 21 CFR Part 11, or even EAR compliance regulations. And that doesn’t count all the emerging state, local, and national laws that may subject some universities to higher standards.
Many schools also suffer from a lack of strong, centralized university data protection governance in IT. Different departments generally run their own services and labs under their own direction. These resources are often operated by part-time student workers, and used by a large pool of end users, all with little or no supervision.
And there are also risks from outside the university. When resources are shared with other universities or private organizations, it may be unclear who is responsible for data privacy and protection. In some cases, there may be no one watching, allowing bad actors to gain access to personal data or other confidential information.
Lax and uncertain compliance laws don’t protect you from costly breaches. In fact, detection and cleanup are often more costly than prevention. According to Ponemon’s 2020 Cost of Data Breach Study, the average total cost of a data breach is $3.45 million. However, investment in security infrastructure consistently decreased that cost. For example, organizations can save $7.00 per record by appointing a CISO, or $13 per record by using encryption extensively.
Costs are likely to rise for under-regulated sectors like universities as privacy laws become stricter. This is particularly true when it comes to costs that are harder to predict or quantify, such as reputation damage and litigation. Lawsuits can drag on for years, continually embarrassing the university and piling on millions in costs.
A massive November 2013 breach of Maricopa County Community College District, for example, cost $26 million in the first year, including $9.3 million in legal costs alone. However, multiple lawsuits dragged on for more than two years. The public interest group the Electronic Privacy Information Center (EPIC) waded into the fight. There were FTC complaints, millions more in fines and expenses, and incalculable damage to the university’s reputation.
In academic research, a lack of data privacy and protection safeguards, combined with an open collaborative culture and strong economic and political incentives, can create the perfect conditions for intellectual property theft. According to the FBI, foreign governments and companies use a wide range of tactics to collect sensitive IP.
Hacking is part of the story, but the scams often rely on sophisticated infiltration and insider theft to circumvent university data protection. Agents may use social engineering tactics, “accidentally” wander into controlled areas, or even attend conferences “to surreptitiously collect valuable information and establish personal relationships for future elicitation and exploitation.”
The case of Robin Sage is a particularly fascinating and worrying example. Security consultant Thomas Ryan created social media profiles for a fictitious cyber security expert named Robin Sage. Within just 28 days, Ryan was able to connect with senior figures in the defense contracting, military, and corporate world, including the sitting Chairman of the Joint Chiefs of Staff. In the Sage persona, Ryan was offered job interviews and speaking gigs, and a NASA researcher even offered to share his paper. Even when some security personnel correctly identified Sage as a fake, it didn’t stop others from reaching out.
Fortunately, Ryan was a white hat hacker — a researcher who breaks security in order to identify its weaknesses before the bad guys can exploit them. Had he been in the pay of a foreign government or unscrupulous corporation, however, there’s little doubt he would have been able to gain access to classified information.
Creating a single consistent university data protection policy is the best solution. From a governance perspective, the benefits are obvious: rather than laboring under a maze of rules and supervisory mechanisms for HIPAA, FERPA, PCI, and all other laws, you can create a single set of rules that’s stringent enough to meet all of them.
But this approach is also superior for data protection and privacy, compliance, and even cost control. Different compliance regimes have different strengths, but they all contribute to data security in meaningful ways. PCI controls like strong encryption and data segregation are equally effective for other kinds of data. Similarly, HIPAA Business Associate Agreements and other healthcare controls can improve the legal and procedural protections of non-healthcare data as well.
Most importantly, they must protect data at the object-level, so that information remains secure even if networks or databases are infiltrated. In order to effectively implement object-level protections, universities must deploy data protection software that satisfies three key technical requirements:
Cloud collaboration has enhanced usability expectations for modern security tools. If data protection disrupts existing end-user workflows, university employees and their recipients will work around the technology – plain and simple – even if it means sharing unprotected data.
What’s more, today’s universities share data with many different organizations, service providers, and cloud applications. Effective protections must persist with the data no matter where it travels, and the user experience must remain consistent across platforms. Even the slightest complexities can limit adoption of the most secure technologies.
Full data protection requires more than just securing the data. Whether shared voluntarily with university partners, external health providers, or other third-party stakeholders, or accessed by unauthorized hackers, most data ends up leaving the university’s possession at some point.
It’s critical that universities have the ability to monitor where this data travels and manage access to it even after it’s been shared and consumed. Otherwise, it becomes difficult for security and collaboration to coexist.
Between regulatory compliance, ethical responsibilities, and internal privacy policies, it’s difficult to find user segments within a university that share the exact same security obligations. As a result, data protection approaches must offer flexible configuration options to match the privacy requirements and risk appetites of different user types and different higher education institutions.
Specifically, it’s the method of encryption that must be tailored to these needs. In order to eliminate the tradeoff between security and ease of use, universities must be able to choose where their encryption keys are stored, who can access them, and how they are managed.
The academic world has always been a place for vigorous debate and intellectual freedom. This is crucial not only for education and research, but also for a free society as a whole. To maintain this freedom in an age of cybercrime and government spying, universities need to maintain data privacy and protection for all.
By making a stand for privacy and backing up your words with a strong university data protection program, your organization will show leadership — both in academia and the wider public sphere. In a period of rapid digital transformation, this is key to staying at the forefront of technology and thought.
Virtru was founded to combine these qualities for organizations under one seamless and pervasive data sharing platform. Virtru’s mission is to eliminate the tradeoff between data protection and ease of use by making object-level protection the new norm for institutions.
As most universities look to keep pace with emerging data protection and privacy requirements, Virtru’s novel approach fills many of the usability, control, and security gaps inherent in legacy technologies.
That’s why some of the world’s largest universities, like Brown University, rely on Virtru’s email and file sharing protections to:
Unsure whether or not your organization requires additional privacy and control? The following checklist provides a list of questions frequently used by universities to assess their risk profiles and corresponding privacy and security needs:
If you answered yes to any of these questions – or even if you just want help thinking through your biggest university data protection challenges – the Virtru team is here to help.
We believe that everyone has a right to easy-to-use data protection technology, especially those entrusted with preserving the safety and privacy of our universities and their students.
Please contact us to learn more about Virtru and see if it’s a fit for your organization.