Have you read the latest newsflash? School district data breaches are on the rise, and your school district’s Student Information System (SIS) data could be a prime target for hackers. The SIS contains records of minors, a group whose identities are largely unexploited and who are therefore potential victims. Identity thieves are sharpening their digital knives for the feast. Let’s explore this topic from a cyber liability insurance perspective.
Framing the Discussion
Keep these questions in mind as we step through this relevant topic.
- What is cyber liability insurance and how does it work?
- Are there any laws about the management of student and employee records?
- How susceptible is my school district to a data breach?
- How can my district mitigate the risks of a data breach?
What Is Cyber Liability?
Are you looking for an insurance policy designed to manage risks and costs associated with a data breach? Most providers have recognized the growing threat and now offer a policy known as “Cyber Liability Insurance Coverage” or CLIC. Did you know that the average cost of data breach mitigation in the education sector is $245 per record, which is $45 higher than the worldwide average, according to a study by the Ponemon Institute? Ask your school district insurance provider for a rider or enhancement. Learn more about cyber coverage.
What Factors into the Cost of a Data Breach?
This education sector cost takes the following factors into consideration:
- Investigation – After a breach, affected parties take several actions, including a detailed forensic analysis to identify three things: how the breach occurred, how many records were affected, and how to prevent the breach from happening again. This requires involvement from a third-party security firm and coordination with law enforcement.
- Business loss – These are costs associated with data loss recovery, potential district closure, crisis management, and repairing reputation damage.
- Privacy and notification – Notifying affected people of a breach can be expensive. You must notify students, parents, staff, and the community. What’s more, credit monitoring may be an extra cost. Those who suffered data loss or theft would typically receive this credit monitoring at no charge to themselves.
- Lawsuits and Fines – Your organization will incur legal expenses (e.g. lawsuits, settlements) and possibly regulatory fines. Your district may even have to pay cyber extortion in the case of ransomware.
As mentioned, the cost of legal expenses plays a big part.
Did you know you must inform affected parties of a security breach? If a security breach compromises private data, you must say so per the Texas Identity Theft Enforcement and Protection Act. What’s more, you may face fines at $100 per record/per day up to $250,000 per breach.
Need to know more about the law? Read TASB’s compilation of legal information. The Texas Association of School Boards dealt with its own breach back in the summer of 2017, when it exposed the sensitive data of thousands of teachers through its public-facing website. Also explore Texas Data Breach Law.
Assess Your Organization’s Risk Level
No school district wants to place their sensitive data at risk. Here are a few guidelines to aid in the determination of your risk level. What’s more, they will help you identify areas where you may be more vulnerable.
The Attack Vectors
“Attack vector is a path or means through which a hacker gains access to your digital content,” says Amit Kumar Sharma. Here are potential school district attack vectors:
- The Student Information System (SIS). This can include systems such as TxEIS or Skyward.
- Public Education Information Management System (PEIMS) data, which resides alongside and inside your business applications.
- People who work with sensitive data. Each person (e.g. PEIMS coordinators, IT/HR personnel) that handles sensitive data may inadvertently expose it.
- Website security protocols and certificates (e.g. outdated Secure Sockets Layer (SSL), sFTP)
- Offsite placement of sensitive data (e.g. third party vendor)
- Unsecured employee email and/or cloud storage
Cyber liability insurance providers need to know you have secured data. They may ask questions such as the following:
- If personnel are handling data, are they encrypting it?
- Are you accessing confidential data over an insecure connection from a remote location?
- How are you sending sensitive data via email, if at all?
- Do staff know to not place unencrypted data on USB flash drives for transport?
On August 12, 2016, the largest school district in San Antonio, Texas suffered a data breach. The breach affected almost twenty-three thousand students and faculty. Consistent with the email attack vector listed above, an unauthorized individual gained entry via an employee email account.
Tips to Protect Against a Breach
Here are some tips to keep in mind:
- Never share passwords, period
- Enable and use two-factor authentication to access key systems
- Secure your workstation and log out when you get up from your desk
- Ensure physical/network security for offices, MDFs, and IDFs in server/network closets
- Use security protocols for network, VLAN, wireless SSID, and firewall configurations
- Verify security for essential services including email, SIS applications, local area network logins, and VPN access
- Put strong password policies in place
Hot Tip: Use a pass phrase or a short sentence without spaces instead of a password. Include a number and punctuation, and you’ve got yourself a very strong password. Example: “KeepAust1nweird!” or “Ilov3mydogSally!” Learn more.
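As an added example (not from the original post), here is a small Python policy check that enforces the hot tip above: no spaces, a digit and punctuation present, plus two assumptions the page does not state, a minimum length of 12 characters and a constructed deny-list of common passwords. It also reports a rough entropy estimate so staff can see why the passphrase examples beat a short word.

```python
import math
import string
from typing import List

# Constructed sample deny-list (assumption: a real deployment would load a
# full breached-password list rather than these five entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1!"}

MIN_LENGTH = 12  # assumption: the page gives no minimum length


def check_passphrase(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if " " in candidate:
        problems.append("contains spaces")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


def estimate_bits(candidate: str) -> float:
    """Upper-bound entropy estimate: log2(pool) per character, where the pool
    is the union of character classes actually used. Real guessing attacks
    do better than this, so treat the figure as optimistic."""
    pool = 0
    if any(c.islower() for c in candidate):
        pool += 26
    if any(c.isupper() for c in candidate):
        pool += 26
    if any(c.isdigit() for c in candidate):
        pool += 10
    if any(c in string.punctuation for c in candidate):
        pool += len(string.punctuation)
    return len(candidate) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for sample in ("KeepAust1nweird!", "Ilov3mydogSally!",
                   "Keep Austin weird", "password"):
        verdict = check_passphrase(sample) or ["OK"]
        print(f"{sample!r}: {', '.join(verdict)} ({estimate_bits(sample):.1f} bits)")
```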
Educate and Protect
Education is key. No district can afford downtime due to a cyber security breach. Coach your faculty and coworkers on security best practices, and plan ahead for how you will handle sensitive data.