Significant exposure
Colleges and universities face complex issues when a breach occurs. You maintain personal data on applicants, students, faculty and other employees, donors, trustees, and board members, who often reside in different states with different breach notification laws. Educational institutions with health clinics may also be subject to the breach notification requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Complying with these laws requires time-consuming, labor-intensive internal investigations and the expertise of specialized outside vendors, and a breach can create a public relations nightmare.
The negative publicity resulting from a data breach can lead to massive reputational and brand damage. In fact, 62% of consumers said breach notification decreased trust and confidence in the organization.
Source: Pass or fail? Data privacy and cybersecurity in higher education
Class action lawsuits
The publicity and consumer dissatisfaction that surround a cyber breach have spurred a wave of class action complaints against organizations big and small. Relying on a variety of privacy laws, enterprising plaintiffs’ lawyers have filed complaints seeking billions of dollars in damages. The risk of crippling damages, and the sizeable costs of litigation, often push organizations to settle even in the absence of any clear harm to the affected individuals.
Regulatory investigations and penalties
State and federal regulators have made one point clear: a significant breach of information will result in monetary penalties, onerous corrective action plans, and ongoing audits. Whether through the strict data privacy and security requirements of the Family Educational Rights and Privacy Act (FERPA) or the increasing interest of state attorneys general in enforcing privacy laws, the regulatory landscape for higher education institutions carries an immense amount of risk.