From securing research, to protecting student records, to paying maintenance staff, privacy is a key concern in everything universities do. Many of the data protection concerns that universities have are the same issues other organizations face. Enterprise data security risks like poor password practices and unsafe downloading threaten universities in the same way they threaten businesses, for example.
However, academic organizations have a special obligation to take a stand for the rights that undergird our society — particularly intellectual freedom. When students and faculty have to constantly worry about government surveillance, foreign spying or cyber criminals, they aren’t able to learn, explore, and advance human knowledge. If universities are going to remain intellectual leaders, they must become privacy leaders.
University Data Protection Has a Checkered History
Quantifying university security is difficult, but from the evidence we have, it doesn’t look good. In 2015, the Breach Level Index recorded 102 breaches in education out of a total of 974 — about 10.5% of total breaches. However, that number doesn’t count healthcare organizations, which are often connected to universities. The healthcare industry accounts for 27% of total breaches — many in organizations affiliated with universities.
Additionally, university data protection breaches aren’t subject to the same level of disclosure as breaches in many other industries. FERPA compliance gives students control over the way that records are disclosed, but it doesn’t carry the strict security requirements or penalties found in sectors such as healthcare.
University Data Protection is Regulated Inconsistently
There’s no single organization or set of rules that regulates university data protection and privacy across the board. As mentioned above, FERPA compliance regulates a range of data, including academic records, Personally Identifiable Information (PII), billing info, and some medical records. Other student medical records are governed by HIPAA, as are records for non-student patients. There are also PCI rules that apply to financial data and PII in a financial context. Certain research may be governed by 21 CFR Part 11, or even EAR compliance regulations. And that doesn’t count all the emerging state, local, and national laws that may subject some universities to higher standards.
Many schools also suffer from a lack of strong, centralized university data protection governance in IT. Different departments generally run their own services and labs under their own direction. These resources are often operated by part-time student workers, and used by a large pool of end users, all with little or no supervision.
And there are also risks from outside the university. When resources are shared with other universities or private organizations, it may be unclear who is responsible for data privacy and protection. In some cases, there may be no one watching, allowing bad actors to gain access to personal data or other confidential information.
Data Protection and Privacy Breaches Can Still Be Costly
Lax and uncertain compliance laws don’t protect you from costly breaches. In fact, detection and cleanup are often more costly than prevention. According to Ponemon’s 2016 Cost of Data Breach Study, the average total cost of a data breach was $4 million — $158 for every record stolen. However, investment in security infrastructure consistently decreased that cost. For example, organizations can save $7.00 per record by appointing a CISO, or $13 per record by using encryption extensively.
Costs are likely to rise for under-regulated sectors like universities as privacy laws become stricter. This is particularly true when it comes to costs that are harder to predict or quantify, such as reputation damage and litigation. Lawsuits can drag on for years, continually embarrassing the university and piling on millions in costs.
A massive November 2013 breach of Maricopa County Community College District, for example, cost $26 million in the first year, including $9.3 million in legal costs alone. However, multiple lawsuits dragged on for more than two years. The public interest group the Electronic Privacy Information Center (EPIC) waded into the fight. There were FTC complaints, millions more in fines and expenses, and incalculable damage to the university’s reputation.
Bad University Data Protection Loses Valuable IP
In academic research, a lack of data privacy and protection safeguards, combined with an open collaborative culture and strong economic and political incentives, can create the perfect conditions for IP theft. According to the FBI, foreign governments and companies use a wide range of tactics to collect sensitive IP.
Hacking is part of the story, but the scams often rely on sophisticated infiltration and insider theft to circumvent university data protection. Agents may use social engineering tactics, “accidentally” wander into controlled areas, or even attend conferences “to surreptitiously collect valuable information and establish personal relationships for future elicitation and exploitation.”
The case of Robin Sage is a particularly fascinating and worrying example. Security consultant Thomas Ryan created social media profiles for a fictitious cyber security expert named Robin Sage. Within just 28 days, Ryan was able to connect with senior figures in the defense contracting, military, and corporate world — including the sitting Chairman of the Joint Chiefs of Staff. In the Sage persona, Ryan was offered job interviews, speaking gigs, and even an offer by a NASA researcher to share his paper. Even when some security personnel correctly identified Sage as a fake, it didn’t stop others from reaching out.
Fortunately, Ryan was a white hat hacker — a researcher who breaks security in order to identify its weaknesses before the bad guys can exploit them. Had he been in the pay of a foreign government or unscrupulous corporation, however, there’s little doubt he would have been able to gain access to classified information.
University Data Protection Needs a Consistent Privacy Framework
Creating a single consistent university data protection policy is the best solution. From a governance perspective, the benefits are obvious: rather than laboring under a maze of rules and supervisory mechanisms for HIPAA, FERPA, PCI, and all other laws, you can create a single set of rules that’s stringent enough to meet all of them.
But this approach is also superior for data protection and privacy, compliance, and even cost control. Different compliance regimes have different strengths, but they all contribute to data security in meaningful ways. PCI controls like strong encryption and data segregation are equally effective for other kinds of data. Similarly, HIPAA Business Associate Agreements and other healthcare controls can improve the legal and procedural protections of non-healthcare data as well.
Ultimately, data is data. A single, highly effective university data protection plan will avoid the costs of duplicate functionality, increase security, and go above and beyond regulatory compliance requirements for all your information.
University Data Protection and Privacy Shows Leadership
The academic world has always been a place for vigorous debate and intellectual freedom. This is crucial not only for education and research, but also for a free society as a whole. To maintain this freedom in an age of cybercrime and government spying, universities need to maintain data privacy and protection for all.
By making a stand for privacy and backing up your words with a strong university data protection program, your organization will show leadership — both in academia and the wider public sphere. In a period of rapid digital transformation, this is key to staying at the forefront of technology and thought.
Contact us to learn how Virtru can help you be a privacy leader.