By Jeff Alderson, Principal Analyst
In July of 2013, hackers stole the identity information of more than 72,000 people from the University of Delaware’s systems. Costs to the university are estimated to run as high as $19 million, including footing the bill for subscriptions to credit-monitoring services for affected faculty and students until 2015. More recently, two faculty members were placed on administrative leave at the University of Oregon as a result of internal mismanagement of confidential information. These examples, along with an increasing number of highly publicized data breaches in the for-profit sector (think Target, Home Depot, and Anthem), have spurred a growing consumer awareness of data privacy (or the lack thereof) and a general reckoning for companies that are stewards of sensitive consumer information.
Legislators have also taken notice, spawning legislation to protect students’ sensitive information. While the 20 different student privacy acts passed by state legislatures this year have set requirements for K-12 schools, districts, and the technology vendors that serve them, legislation has been generally silent on the implications for institutions of higher education. Even the Student Data Privacy Pledge, which has been signed by over 75 companies to date and in effect as of January 1 of this year, only applies to vendors of K-12 data systems.
Eduventures believes that this attention will be brought to bear on higher education in 2015. Even if we’re wrong, higher education institutions would be well served to start preparing now to get ahead of potential legislation. Waiting for federal legislation could prove to be more disruptive and costly.
Moreover, the discipline of tackling this issue will make your organization more efficient regardless of impending legislation. Consider the following:
- In higher education, the data at risk is potentially more valuable than in K-12. College systems contain financial records, academic transcripts, and employment information. Combined with the traditional sources of personally identifiable information, this represents a veritable treasure trove for profiteering hackers.
- Higher education systems are more vulnerable to data breaches than K-12. Data systems are decentralized; systems and business processes are more open, with multiple stakeholders. In higher education, vastly more data flows through a larger number of interfaces and web services than in K-12.
- While not a direct financial impact to an institution, a data breach or public privacy incident with a technology vendor could cause students to avoid interactions with educational systems and services altogether, which could be manifested in ways such as reduced enrollment in online courses.
- A data breach can also be seen as an indication of overall instability in a college’s administration and management. Long-term, residual effects will be felt across the administration and may include staff and faculty perceptions and lower giving rates.
- Finally, as the University of Delaware example demonstrates, there are hard costs associated with recovering from any data breach.
How Colleges Should Prepare
The University of Oregon data breach has highlighted the need for better automated and manual processes for overall records management. It also points to a need to define what constitutes confidential, sensitive, or other protected educational records data. Colleges and universities can start getting their houses in order to protect their data in the following ways:
- Accountability and policy creation for data privacy and security should be centralized through the creation of a Chief Privacy Officer (CPO) and the adoption of standard contract language, terms of service, and data breach and response procedures.
- Budgets should be set aside for privacy review of existing contracts and vendor relationships, as well as for dedicated security and auditing tools to prevent data breaches entirely.
- Training programs for data stewardship and accountability should be standardized and must be required for all staff and faculty who handle personally identifiable information or student records.
- Contracts with service providers should be clear with respect to data ownership and transferability, as well as whether the institution and individual students have a right to purge their data prior to an acquisition.
Stay tuned for more on this topic in 2015. As part of our continuing coverage of education technology, we will also be covering the vendor perspective on data privacy and security of student records.