Data Breach Defense for Educational Institutions

Data Breach Defense for Educational Institutions

S. Wilson Quick

S. Wilson Quick

June 17, 2021 09:29 AM

The past 15 months have been extremely challenging for every industry, but that is especially true of educational institutions. Every level of education—from local school districts to the largest universities—has had to work to balance the safety of students, faculty and staff with their mission to provide high-quality education all the while knowing that every decision would be highly scrutinized and criticized. During this time of turmoil and uncertainty, many schools faced a challenge they were not expecting – a cyber attack.

Schools collect all sorts of personal and sensitive information about students and parents, making them prime targets for a security breach. In 2020, there were 408 publicly-disclosed data breaches or security attacks in K-12 schools, including student and staff data breaches, ransomware and other malware outbreaks, phishing attacks and a wide variety of other incidents, according to the nonprofit K-12 Cybersecurity Resource Center. This is an 18% increase over 2019. This data does not include cyber attacks at any institutions of higher education, but they are no less susceptible.

As the threat of COVID begins to lift, educational institutions need to shift more of their focus to applying the same preparation and planning as they did for the pandemic to defend against a cyber attack.

What are some steps educational institutions can take to minimize their risk?

There are a number of things that educational institutions can do to help limit their exposure to a cyber attack. First, schools — especially colleges and universities where there are more likely to be thousands of personal laptops, mobile phones, tablets and other devices connected to the network — should create, implement and enforce BYOD (bring your own device) policies that address everything from operating system updates to requirements for antivirus and other malware protection (pro-tip: offering free anti-virus software to all users on the system can go a long way in both encouraging and enhancing protection).

Educational institutions should also look into network segmentation if they have not done so already. This way if a cyber attack impacts one part of the network, it may not necessarily impact the whole network. For example, a college could segment the network so that if a hacker was able to access student housing records, the attacker would have no way of accessing student academic or health records.

It’s also important to make sure schools are allocating resources, including personnel, to focus on this issue. For the past year, many schools have understandably shifted their IT spending and employees to focus on expanding their remote learning capabilities. As the world is starting to return to normal, educational institutions need to reallocate at least some of those resources back to protecting from cyber attacks.

As schools examine their resources, they should also take a look at all of their vendor contracts related to IT services or online products. As an example, more schools are turning to third-party “cloud” solutions for data storage and software. While cloud storage has many security advantages, not all providers are created equal, especially when it comes to responding to a security incident. Review contracts to see who is held liable should there be a breach related to a vendor or service and consider renegotiating contracts if needed to limit exposure.

What should an educational institution do if it has been hacked or suspects a cyber attack?

The first thing a school should do is consult its incident response plan. Of course, this presupposes one exists! So, before a school even gets to this point it should develop a robust incident response plan with the help of qualified legal counsel. The benefits of having a plan in place before an incident are substantial. For example, the time-savings and comfort of knowing there are qualified professionals on call to assist can really help make a stressful situation more palatable.

In the event an incident response plan is not in place, consult an attorney who has experience serving as a breach coach and who understands data privacy issues and reporting obligations. While most schools are aware of their privacy obligations under the Family Educational Rights and Privacy Act (FERPA), data breaches that release potentially sensitive information, such as Social Security numbers, have their own legal reporting requirements. For colleges and universities that have students from other states, and even possibly from other countries, reporting gets even more complex as they may be required to meet the legal requirements from every state and country where students live.

Schools should also consider involving law enforcement early in the process—though this decision should be made in conjunction with qualified counsel. Larger jurisdictions sometimes have resources who can help investigate the cause of a data breach. The FBI also has experts who specialize in this kind of work that can be brought in to help with the investigation—especially where there is ransomware involved.

While any online connectivity bears some risk, taking the appropriate steps can minimize an educational institution’s risk of a cyber attack and limit their legal exposure should one occur.

Related Articles

Trending Top Five: Critical Corporate Components for 2022

by Justin Smulison

It’s no longer “business as usual” for most of Corporate America. With a growing list of challenges facing the legal and financial health of many companies, we talked to several major General Counsel about the biggest areas in which businesses should remain vigilant.

Corporate Advice From General Counsel

Current State of EU to U.S. Data Transfers

by Gregory Sirico

The Biden Administration and European Commission recently came to a principle political agreement concerning the ever-changing future of EU to U.S. data transfers.

New Framework for EU and U.S. Data Transfers

Privacy Practice

by Casey Waughn

Data protection is all the rage among tech companies and state, national (and even transnational) governments alike. Is it a passing fad or here to stay? And how should businesses and groups of all sizes handle compliance with a blizzard of new laws?

Data Protection Prompt New Privacy Laws

Announcing the 7th Annual Women in the Law Publication

by Best Lawyers

The 7th Annual Women in the Law publication is a celebration of all the female legal talent across the country, honoring every woman listed in The Best Lawyers in America and Best Lawyers: Ones to Watch in America.

Honoring Female Lawyers in the United States

What the Courts Say About Recording in the Classroom

by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?

Getting Schooled

by Janice Zhou

Public-education policy is fraught throughout the United States, and Texas is certainly no different. Two leading education lawyers weigh in on accountability, resource inequities, and why “teaching to the test” has been a bad deal for kids.

Public Education Issues and Reform

A Sea Change on Land

by Linda A. Klein and Suneel Gupta

Autonomous vehicles will revolutionize almost every area of the law. Here’s a look at what’s rapidly approaching.

Legal Considerations for Autonomous Vehicles

In the News: Texas 2019

by Best Lawyers

A roundup of relevant news from lawyers listed in Texas.

Legal News Roundup Texas

A Startup Accelerator Program Sets Cuatrecasas Apart

by Best Lawyers

Miguel de Almada and Frederico Bettencourt Ferreira from the Portuguese firm discuss their 2019 "Law Firm of the Year" award for Litigation and Arbitration.

Cuatrecasas "Law Firm of the Year"

Into the Breach

by John Ettorre

Data breaches have become inevitable. Here’s what you can do to respond.

Data Breaches

Recent Developments on Privacy and Data Protection in Brazil

by Ricardo Barretto Ferreira da Silva and Camila Taliberti Ribeiro da Silva

A change of paradigm is urgent and requires a robust legislation on personal data protection.

Privacy and Data Protection Brazil

The Future of Data Privacy: You Can Run but You Can’t Hide (or Can You?)

by Chad W. King

In Ernest Cline’s dystopian novel "Ready Player One," the world’s population is addicted to a virtual reality game called the OASIS.

The Future of Data Privacy

My Data My Rules: An Overview of Data Protection in Brazil

by Fábio Pereira

My Data My Rules

The European Regulation on Data Protection and Brexit

by Anna Viladàs Jené

After many years of negotiations, on 27 April 2016, the European Regulation concerning the protection of individuals in respect of the processing of personal data and the free movement of this data (hereafter, “the Regulation”), has finally seen the light of day.

Brexit Data Protection

Cyber School

by Elizabeth S. Fitch and Theodore M. Schaer

Cybersecurity and the Claims and Litigation Management Alliance’s School of Cyber Claims

Cyber School

Trending Articles

The Best Lawyers in Spain™ 2023

by Best Lawyers

Announcing Spain's recognized lawyers for 2023.

Flag of Spain

Announcing the 2023 The Best Lawyers in America Honorees

by Best Lawyers

Only the top 5.3% of all practicing lawyers in the U.S. were selected by their peers for inclusion in the 29th edition of The Best Lawyers in America®.

Gold strings and dots connecting to form US map

The Best Lawyers in Chile™ 2023

by Best Lawyers

The results include an elite field of top lawyers and firms in Chile.

White star in blue box beside white box with red box on bottom

Thirteen Years of Excellence

by Best Lawyers

For the 13th consecutive year, “Best Law Firms” has awarded the most elite and talented law firms across the country through a thorough and trusted data review process.

Red, white and blue pipes and writing on black background

The Best Lawyers in South Africa™ 2023

by Best Lawyers

Best Lawyers proudly announces lawyers recognized in South Africa for 2023.

South African flag

The 2023 Best Lawyers in Portugal™

by Best Lawyers

Announcing the elite group of lawyers recognized in Portugal for 2023.

Green and red Portuguese flag

Announcing The Best Lawyers in Peru™ 2023

by Best Lawyers

Honoring our awarded lawyers for 2023 in Peru.

Red and white stripes with green leaf symbol

The Best Lawyers in Spain™ 2022

by Best Lawyers

The results include an elite field of top lawyers and firms.

The Best Lawyers in Spain™ 2022

Best Lawyers: Ones to Watch in America for 2023

by Best Lawyers

The third edition of Best Lawyers: Ones to Watch in America™ highlights the legal talent of lawyers who have been in practice less than 10 years.

Three arrows made of lines and dots on blue background

Famous Songs Unprotected by Copyright Could Mean Royalties for Some

by Michael B. Fein

A guide to navigating copyright claims on famous songs.

Can I Sing "Happy Birthday" in Public?


Rewriting 𝙃𝙀𝙍𝙨𝙩𝙤𝙧𝙮 One Verdict at a Time

by Justin Smulison

Athea Trial Lawyers was formed only a year ago by several prestigious lawyers seeking justice for their clients, and together they are making history.

Six female lawyers sitting in office

Announcing the 2022 Best Lawyers® in the United States

by Best Lawyers

The results include an elite field of top lawyers listed in the 28th Edition of The Best Lawyers in America® and in the 2nd Edition of Best Lawyers: Ones to Watch in America for 2022.

2022 Best Lawyers Listings for United States

Announcing the 2023 The Best Lawyers in Canada Honorees

by Best Lawyers

The Best Lawyers in Canada™ is entering its 17th edition for 2023. We highlight the elite lawyers awarded this year.

Red map of Canada with white lines and dots

What the Courts Say About Recording in the Classroom

by Christina Henagen Peer and Peter Zawadski

Students and parents are increasingly asking to use audio devices to record what's being said in the classroom. But is it legal? A recent ruling offer gives the answer to a question confusing parents and administrators alike.

Is It Legal for Students to Record Teachers?

Strength in Numbers: When Partnering Up May Be Best in Whistleblower Litigation

by Justin Smulison

Whistleblower claims make headlines when they result in multimillion-dollar settlements. But the journey to the courtroom is characterized by complexity and requires time and resources. Bienert Katzman Littrell Williams partner and The Best Lawyers in America awardee Michael R. Williams discusses when and why partnerships between counsel will strengthen whistleblower litigation.

A Blue Person in the Middle of White People

Announcing the 2022 "Best Law Firms" Rankings

by Best Lawyers

The 2022 “Best Law Firms” publication includes all “Law Firm of the Year” recipients, national and metro Tier 1 ranked firms and editorial from thought leaders in the legal industry.

The 2022 Best Law Firms Awards