1 Page 1 of 8 Technology March 17, 2014 Data Breaches Put a Dent in Colleges Finances as Well as Reputations By Megan O Neil The costs of a cyberattack on the University of Maryland that was made public last month will run into the millions of dollars, according to data-security professionals who work in higher education. Such a financial and reputational wallop threatens many colleges that are vulnerable to serious data breaches, experts say. Crystal Brown, chief communications officer at Maryland, says an investigation into the theft of 309,079 student and personnel records, dating to 1998, is being led by the U.S. Secret Service. As part of its response, the university has contracted with outside forensics experts and is notifying all affected individuals. It is also providing five years worth of free credit-protection services to all those affected. A tally of costs related to the breach is not yet available, Ms. Brown says. But several data-security professionals interviewed by The Chronicle say the total will reach seven figures. "You are talking about 300,000 people spread across the continental U.S. and you offered them all credit monitoring, and you had a lawyer, and you had an IT forensics firm my very conservative estimate would be a couple million dollars," says Paul G. Nikhinson, a manager of privacy-breach-response services with the Beazley Group, which sells cybersecurity insurance to colleges. The Maryland case is one of several data-security breaches reported by colleges in recent weeks. On February 25, Indiana University said a staff error had left information on 146,000 students exposed for 11 months. A week later, the North Dakota
2 Page 2 of 8 University system reported that a server containing the information of 291,465 former, current, and aspiring students and 784 employees had been hacked. Few institutions budget in advance for data breaches, according to college officials and data-security professionals. Cybersecurity insurance in higher education remains a rarity, despite a consensus among those working in the field that the likelihood of such a breach involves "when," not "if." The list of potential expenses is long. It includes forensics consultants, lawyers, call centers, websites, mailings, identityprotection and credit-check services, and litigation. Breaches can prompt major campus projects, such as risk-management reviews, campuswide encryption, and tests to determine how vulnerable networks are. "For the organization itself, it is like a multiheaded hydra," Mr. Nikhinson says. "There are so many things going on at once. Depending on the characteristics of the event, there are usually five or six expensive things that are going to make up the response process." Price tags vary depending on the nature of the incident where and how the breach occurred and the number of records affected. The capacity of in-house information-technology and communications staffs also figures heavily in the final bill. Contracting for outside help typically means additional costs starting in the tens of thousands of dollars. "The first thing you might think about is forensics," says Cathy Bates, chief information officer at Appalachian State University and a member of the Higher Education Information Security Council. "Do you have the capability to do it in-house, or will you need to call in forensics expertise? That might be your first outlay of cash. It can be expensive. But again, it really depends on the type of security breach that you are working with."
3 Page 3 of 8 Timothy P. Ryan, managing director of the cyber-investigations practice at Kroll Inc. and a former FBI agent, says he has worked on some forensics investigations at colleges that were completed in two weeks and others that took months. Hiring an outside forensics team to investigate a small breach can be done for "under $50,000," he says, with costs for larger incidents escalating from there. Data breaches in higher education cost colleges an average of $111 per record a figure that calculates in the damage to the institution s reputation according to a 2013 study published by the Ponemon Institute, which studies cybersecurity and data protection. The average per-record cost across industries including government, health care, and retail is $136, the study found. Titled "2013 Cost of Data Breach Study: Global Analysis," the report included 277 organizations in nine countries and focused on breaches involving 1,000 to 100,000 records. "There are probably a lot of data breaches in higher education that go undetected, probably more so than in other industries," says Larry Ponemon, founder and chairman of the institute. "The universities are not aware of data leakage and the harm that can result. It can cost universities a lot of money." Indiana University has spent about $75,000 on an information call center since officials announced its security lapse, says a spokesman, Mark Land. The university also spent about $6,200 mailing notifications to 6,200 affected people for whom it did not have addresses. Staff time spent on the security lapse has totaled about 700 hours, Mr. Land says. The university does not budget for potential data breaches and does not have cybersecurity insurance, he adds. "While this will end up costing the university from a financial standpoint, our biggest concern is making sure we do everything we can to answer questions and to provide support for those affected by the potential data exposure," he says, "and to ensure
4 Page 4 of 8 that we strengthen our processes so that this sort of thing does not happen again.". Linda Donlin, at the North Dakota University system, says the forensics investigation there was done at no cost to the university by the Multi-State Information Sharing and Analysis Center, which serves state, local, tribal, and territorial governments. The university system is spending about $200,000 on identity-theft protection services and a call center, she says. Costs related to data-security lapses dating to 2011 at the Maricopa County Community College District, in Arizona, could climb to $17.1-million, says Tom Gariepy, a district spokesman. Trustees have approved contracts including $2.25-million for Oracle to repair the network, up to $2.7-million in legal expenses, and up to $7-million for notification and credit-monitoring services, among other costs. He also confirms that the district has received notice of a class-action lawsuit. Breaches Kept Mum High-profile data breaches cost institutions more than dollars and cents, according to college officials and data-security experts. There are also what some describe as "opportunity losses" and "reputational costs." These can include the embarrassment of having to explain an incident to parents, alumni, trustees, and prospective students. Mr. Ryan, the Kroll investigator, notes that in many states, reporting requirements center on credit-card, health-care, and personally identifiable information. Cases involving theft of research and intellectual property by foreign hackers are often kept mum, he says. The public hears of no more than about half of all data breaches that occur at colleges and universities in the United States, Mr. Ryan estimates. "When it comes to higher education, a lot of it is reputation," says Mr. Ryan. "The Ivy Leagues have a certain reputation to maintain.
5 Page 5 of 8 If they are besieged by a number of breaches, there is a loss of reputation there. For the same reason schools want winning sports teams, they don t want to be that school that is constantly getting breached." Cynthia J. Larose, an attorney in Boston with the firm Mintz Levin who advises colleges on data-security-breach compliance and response, says reputational costs are real but hard to pin down. "It is probably much harder for institutions of higher ed to quantify than it is for retailers, because retailers can see it in their stock price, they can see it in their sales," Ms. Larose says. "Target can directly track a drop in fourth-quarter sales," she says, referring to a case in which hackers accessed as many as 40 million debit-card and credit-card accounts used in the retailer s transactions from November 27 to December 15, "Will enrollment drop at the University of Maryland because of this?" she says of the recent breach there. "I kind of doubt it. The alumni-fund-raising office might see a downturn in giving I don t know. That would be an interesting metric to track." Keeping Costs Down Cybersecurity insurance is both expensive and hard to get, says Ms. Bates, of Appalachian State. "The experience that I have had a couple of times in working with insurance companies that offer cyberinsurance is that they have a checklist of what you need to show you have in place with your security practices," she says. "Very often you have to have such a strong security posture before you can even be allowed to get the insurance that it would take you a lot of work on your part to be able to even be eligible." She does see many colleges working to build in-house forensics expertise, or to establish channels through which to reach out and get it quickly should the need arise.
6 Page 6 of 8 One way to keep costs down is to have standing relationships and contracts with service companies that can be activated if an incident occurs, Ms. Bates says, noting that many colleges and universities already have such arrangements in place. As much as they keep those responsible for colleges data security up at night, news of significant data breaches can help information-technology and data-security officials make their case with top administrators and trustees. "It can t be a conversation that is led by the IT department, and too often it is," says Joseph Krause, a managing director at Coalfire Systems Inc., an information-technology-security firm that works with higher-education clients. "So this kind of notice, this kind of public exposure for a highprofile breach, helps elevate the conversation out of the IT group and into the executive level and into the boardroom." Those working on data-security issues in higher education say they have a particularly challenging task in preserving the open, accessible culture characteristic of the American university while also establishing strong security. They expect to see more headlines in the coming months like the ones out of Maryland. The problem of data breaches in higher education, many say, is likely to get worse. "Higher ed is an active target," Ms. Bates says. "It is not like people are accidentally happening upon us. They are actively pursuing us and trying to get our data." "I think all of us are actively looking at ways to not only be preventive but to deal with this in the best possible way that we can," she says. "You feel the weight of the whole situation your shoulders. You really want to try and create the best outcome you can for anyone who may be impacted, as well as for the university."
7 Page 7 of 8 6 Comments DarwinWeeps A particular irony with research universities is that they often have cybersecurity programs and research centers. This is true for both Maryland and Indiana: Colleges and universities, with tens of thousands of users of in-house systems and users of varying sophistication, are probably easy targets for phishing attacks. Former PhD. student Please note the University of Maryland offered its students free credit monitoring...indiana University told students like myself that it is the students' problem not the problem of Indiana University. Indiana University accepted no responsibility and continues not to provide students with free credit monitoring for the 11 month breach. Doesn't that make you want to enroll there? "It can t be a conversation that is led by the IT department, and too often it is," says Joseph Krause, a managing director at Coalfire Systems Inc., an information-technology-security firm that works with higher-education clients. This is the most important insight in the article. As usual, the focus is on a retrospective post mortem. Prospective approaches are about information management, not simply technical security. Remember the clue, "follow the money"? In information privacy and security, it is "follow the data." Once an institution flips the emphasis from technology to information, not only will the entire institution mature to "industry level standards" so that we, in higher education, do not always have to countenance the criticism that our sector is particularly vulnerable and porous, but we can lower risk while enhancing our missions. frederick James I am grateful and proud that my second job after the Army was to bulletproof the first online student registration system at Florida Institute of Technology. My overriding thought then, and decades later at George Washington University for the Y2K effort, was that if my fellow students would spend their energy in helping build the systems rather than hacking in to break them, everyone would be a lot better off. It seems so juvenile to try and penetrate a system covertly and so noble to use your talent to build and enhance. My suggestion and leadership challenge is to channel and guide all that energy in a positive direction. My advice to all those misguided Geniuses sitting before their computer in those dimly lit, smoke filled rooms.. Aim high. Come out into the light, be good and do good. jabberwocky12 There is probably a lot more of this going on than is reported here. In most
PROTECTING SMALL BUSINESSES AGAINST EMERGING AND COMPLEX CYBER-ATTACKS HEARING BEFORE THE SUBCOMMITTEE ON HEALTH AND TECHNOLOGY OF THE COMMITTEE ON SMALL BUSINESS UNITED STATES HOUSE OF REPRESENTATIVES
Responding to a Data Breach Communications Guidelines for Merchants Responding to a Data Breach Communications Guidelines for Merchants It all comes down to one word: TRUST. How merchants respond to data
Data Breach Response Guide By Experian Data Breach Resolution 2013-2014 Edition Trust the Power of Experience. 2013 ConsumerInfo.com, Inc. Table of Contents Introduction 3... Data Breach Preparedness 4...
Information security awareness initiatives: Current practice and the measurement of success July 2007 Preface The European Network and Information Security Agency (ENISA) is a European Union Agency created
IBM Global Technology Services Managed Security Services Research Report IBM Security Services 2014 Cyber Security Intelligence Index Analysis of cyber attack and incident data from IBM s worldwide security
HIPAA SECURITY AND POLICIES AND PROCEDURES 1 HIPAA SECURITY AND POLICIES AND PROCEDURES By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY PRESENTED TO: DR.
Information for registrants Continuing professional development and your registration Contents Introduction 2 About this document 2 CPD and HCPC registration: A summary of CPD and the audit process 2 CPD
The Emergence of Cybersecurity Law Prepared for the Indiana University Maurer School of Law by Hanover Research February 2015 INDIANA UNIVERSITY BLOOMINGTON MAURER SCHOOL OF LAW TABLE OF CONTENTS Executive
Consumer Federation of America s Guide to Navigating the Auto Claims Maze: Getting the Settlement You Deserve You ve just be involved in a fender bender with another vehicle. Your car is damaged but drivable.
2013 Cost of Data Breach Study: Global Analysis Benchmark research sponsored by Symantec Independently Conducted by Ponemon Institute LLC May 2013 Ponemon Institute Research Report Part 1. Executive Summary
TELSTRA CYBER SECURITY REPORT 2014 Security insights, trends and impact to Australian organisations EXECUTIVE SUMMARY The internet presents a world of social connectivity, economic growth and endless opportunities
A REPORT BY HARVARD BUSINESS REVIEW ANALYTIC SERVICES Meeting the Cyber Risk Challenge Sponsored by ABOUT ZURICH INSURANCE GROUP Zurich Insurance Group (Zurich) is a leading multi-line insurance provider
Your Business www.nylovessmallbiz.com A Guide to Owning and Operating a Small Business in New York State A Guide To Owning and Operating a Small Business in New York State Contents CHAPTER 1: Foundations
What you should know about IN ONTARIO This booklet contains information about the law as it was at the time it was written. The law can change. Check the Ministry of the Attorney General website at http://www.attorneygeneral.jus.gov.on.ca
Cyber risk in retail Protecting the retail business to secure tomorrow s growth Table of contents Foreword 3 Four issues come to the fore 4 Compliance does not always equal risk management 5 Breach response
THE FUTURE OF CYBER-SECURITY _ THREATS AND OPPORTUNITIES Global Corporate Venturing Cyber-security is growing as the digital world continues to expand. In this five-part supplement, Global Corporate Venturing
HR Series for Employers Succession Planning Retaining skills and knowledge in your workforce Catalogue Item # 759914 This publication is available to view or order online at alis.alberta.ca/publications.
2013 INFORMATION SECURITY BREACHES SURVEY Technical Report Survey conducted by In association with INFORMATION SECURITY BREACHES SURVEY 2013 technical report Commissioned by: The Department for Business,
Legal Process Outsourcing A Workbook for In-House Counsel Table of contents What might I outsource, and why? Why outsource legal processes? (Hint: If you are not sure, don t.)...2 Ways in which in-house
20 INFORMATION MANAGEMENT & COMPUTER SECURITY 3,2 Promoting security awareness and commitment Phil Spurling Alcoa encourages people to be honest Introduction When we talk about promoting computer security
1 TABLE OF CONTENTS 1 4 MUST-HAVES IN COVER LETTERS TO COLLEGE COACHES 2 WRITING A RESUME THAT COLLEGE COACHES WANT TO SEE 3 7 QUESTIONS TO ASK WHEN CALLING A COACH FOR THE FIRST TIME 5 5 THINGS TO CHECK
Time Matters for the PI Attorney 6/14/2006 Robert Gray GrayLint Enterprises, Inc. Personal Injury Case Management...1 Time Matters Things You Might Like...2 Time Matters Things You Might Not Like...3 Other
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
Special Advertising Supplement TEXAS LAWYER ROUNDTABLE SERIES ROSS CUNNINGHAM DAVID GRANT JULIE E. GRANTHAM APRIL 20, 2009 VOL. 25 NO. 3 Studies have shown that the average U.S. company faces more than
Succession Planning: Managing The Transition From Start To Finish Mark Bassingthwaighte, Esq. Mark Bassingthwaighte, Esq. is a Risk Manager for ALPS. He is available to answer risk management questions
Convincing Your CFO That Network Security Is An Investment by Keith Bromley First Edition Copyright 2015 Ixia. All rights reserved. This publication may not be copied, in whole or in part, without Ixia
How to Win Your Injury Case By Brian Beckcom Table of Contents Disclaimer What It Means to Win (or Lose) Your Case How to Get the Most Out of This Book The Ten Most- Asked Questions Ten Questions People
Eight Important Questions for Eleven Community College Leaders: An Exploration of Community College Issues, Trends & Strategies by the SOURCE on Community College Issues, Trends & Strategies May 2011 Support
REPORT General counsel: vague about value? A survey and discussion paper Contents 01 Foreword 02 Flashback: The GC value pyramid 05 Key findings 06 Adding value 08 Case study: Daragh Fagan, General Counsel