If your school’s Director of IT told you today that one of your school’s talented, creative, and ambitious students hacked into your school’s IT network and accessed the database in which your school stores student grades, tuition data and donor information, including financial account numbers, … what would you do?
As more and more independent schools move towards electronic storage of vital student, employee and donor records, we continue to receive reports of data breaches similar to the one described above. Sometimes the hacker is not a student, but a disgruntled former employee, or a stranger who is looking for financial account numbers. Other times, the data breach is not intentional but results from an accidental loss of a laptop or a USB flash drive containing personal information.
Data breaches can have a significant impact on an independent school’s relationships with its students, alums, and their families, as well as with faculty, staff and other employees. After a breach, the affected individuals typically experience reduced trust in the institution, given the apparent inability to safeguard sensitive, personal information. While the appropriate response to a data breach depends on the facts of the situation and applicable state and federal laws, below is a broad, step-by-step framework that may help your school prepare for and respond to a data breach.
1. Promptly Notify Your School’s Legal Counsel.
As soon as you discover a data breach, it is crucial to notify your school’s legal counsel. Among other considerations, the school may be subject to data breach notification requirements that require prompt action to be taken. Your legal counsel should be able to help you and your school’s crisis management team comply with any applicable notification requirements and devise a comprehensive strategy for responding to the data breach.
As of the writing of this article, 46 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have enacted laws that require notification in the event of a data breach. Generally, these laws apply only when certain types of information are compromised. For example, Massachusetts law imposes notification obligations when there is a security breach or unauthorized acquisition or use of “personal information,” defined as a Massachusetts resident’s “first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password…” By contrast, Missouri law defines “personal information” more broadly, as also including medical information or health insurance information combined with “an individual’s first name or first initial and last name.”
State data breach notification laws vary in a number of other ways, including who must be notified of a data breach, the information that must be included in the notification, and the types of notification methods that are acceptable. For example, while Missouri law allows “telephonic notice” of a data breach to affected consumers (so long as the notice is provided directly to the consumer), telephonic notice is not sufficient under the Massachusetts data breach law.
Depending on the information compromised in a data breach, your school may also be required to comply with the data breach laws of other states. For example, if your school experiences a data breach involving names and Social Security numbers of Massachusetts residents, your school is obligated to comply with the Massachusetts data breach law, even if the school is located outside of Massachusetts. Therefore, when assessing your school’s notification obligations, it is important to consider (in consultation with your legal counsel) the residencies of all affected individuals, and all of the various data breach laws that may be applicable. Since many independent schools draw students from other states, data breaches often require notifications to be sent around the country.
In addition to notification requirements under state laws, other data breach notification requirements may also apply, depending on your school’s operations and the types of information compromised. For example, if your school’s health center experiences a data breach, and if it is a covered entity under the Health Insurance Portability and Accountability Act (“HIPAA”), then you may be required to provide notification in accordance with the federal Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). Additionally, your school may also be a party to contracts that require it to provide notification of breaches to the other contracting parties. For example, if your school’s health center treats students from a neighboring school, the contract with that school may require you to notify it of a data breach affecting its students.
Therefore, after experiencing a breach, it is vital that your school promptly strategize with its legal counsel about the plan for responding to the breach.
2. Quickly Assess The Nature And Scope Of The Breach.
In order to identify any applicable notification requirements, your school must quickly assess the nature and scope of the data breach, including the type(s) of information compromised and the parties affected by the breach. Generally, this requires identifying and examining all of the affected data and devices, as well as interviewing any individuals who may have information about the breach. During this fact-gathering process, your school’s legal counsel should provide you with guidance on preserving evidence relating to the breach and documenting the steps taken to contain and investigate the breach.
Legal counsel should also be involved in the fact-gathering, so as to provide protection under the attorney-client privilege, to the greatest extent possible. The nature and scope of the available protection will vary under state law and with the circumstances. However, generally, having an attorney involved will offer some protection, whereas there will be no such protection if an attorney is not involved.
If criminal activity is suspected (e.g., the data breach is apparently the result of a break-in or hacking), then it is often appropriate (even if not expressly required by law) to notify law enforcement officials of the data breach, so that they may guide or lead the investigation process, as well as provide input as to the timing of notification to affected parties. For example, if a student hacks into the school’s computer network, law enforcement may be interested in speaking with the student and the student’s parents before the school speaks to them or notifies them (and the rest of the school community) about the data breach. Generally, we recommend designating the school’s legal counsel or a trusted member of the school’s crisis management team as the primary contact for law enforcement and any relevant government agencies. The school should ensure that its designated contact has up-to-date information at all times concerning the school’s investigation of, and response to, the data breach.
3. Provide Required Notifications And Be Ready For Questions.
Once your school has assessed the data breach, it should provide all legally required notifications in a timely manner, with the assistance of legal counsel. In addition to notice to the affected individuals, many states’ laws also require notification to designated government agencies and consumer reporting agencies. For example, under the North Carolina data breach law, in addition to notifying the affected residents of North Carolina, an independent school that experiences a security breach must notify the Consumer Protection Division of the North Carolina Attorney General’s Office. Moreover, if pursuant to the North Carolina data breach law the school provides notification to more than 1,000 people at one time, the school also must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (e.g., Equifax, Experian).
Whenever possible, the affected individuals should first learn of the data breach through the school and not through the media. As your school provides any legally required data breach notifications, it is important to have a clear strategy for addressing questions that are likely to result from the notifications. While, in most cases, schools that experience a data breach are not required to provide free credit monitoring to the affected individuals, doing so may be helpful from a public relations perspective and give your community the sense that your school is committed to doing the right thing.
4. Use The Data Breach As A Learning Opportunity.
Hindsight is 20/20, and thus after your school’s response to a data breach has concluded, it is helpful to analyze exactly what went wrong and how the school can improve its policies and procedures to prevent future data breaches. For example, does the school have a written policy regarding data security? Was the policy followed in this particular case? If not, why not? Should an employee who did not follow the school’s policy be disciplined? Does the school have an acceptable use policy for its students? Was the policy violated? Should the student who violated it be disciplined? Asking these and other questions may help your school minimize the likelihood of another breach.
Earlier this year, a school experienced a data breach when a faculty member left a USB flash drive containing students’ names, Social Security numbers and other sensitive information in his car. The car was broken into, and the USB flash drive was stolen. After the breach, the school examined its policies and decided not to discipline the employee, because its policies at the time of the breach did not prohibit employees from transporting unencrypted student information on portable devices. As this example suggests, adopting a comprehensive data security policy can help your school not only minimize the likelihood of a breach, but also respond appropriately if a breach occurs.
Among other things, your school’s data security policy should specify security precautions employees must take when accessing, storing and transporting personal information. Additionally, the policy should discuss the school’s strategy for protecting personal information that is accessed or stored by the school’s third-party service providers. For example, the school may contract with a third party to administer its employees’ flexible spending accounts. If the school provides that third-party administrator with personal information regarding its employees, the school may need to include a provision in the contract requiring the administrator to protect such information in accordance with all applicable laws and to notify the school if the security of the information is breached.
In addition to adopting written policies pertaining to data security, it is also helpful for schools to provide employees with regular training about their policies and procedures for protecting personal information and responding to data breaches. Employees should be informed of the potential consequences of their non-compliance with the school’s data security policies and procedures, and the potential impact their non-compliance may have on the school’s relationships with the school community. Similarly, students should be informed about the acceptable and unacceptable uses of technology and the consequences of violating the school’s technology policies and procedures.
As with many areas of compliance, preparation is key to preventing and being ready to respond effectively to data breaches. We encourage schools to work with experienced counsel and IT professionals to update their data security policies and procedures and to prepare for the possibility of responding to a data breach.
A previous version of this article appeared in the Sept./Oct. 2013 NBOA Net Assets (NBOA). The Firm is grateful to NBOA for its support in publishing this article.