Managing the Risk of Data Breach
As educational institutions have embraced technology, managing and protecting confidential data and personal information have presented a major challenge to business officers and their IT staff. In a recent report by internet security software company Panda Security, over 64% of K-12 schools state that they have experienced at least two security breaches in the past year ("Panda Security Kindergarten-12 Education IT Security Study").
Depending upon the nature and scope of a data breach, schools can be exposed to a variety of claims: lawsuits seeking damages for invasion of privacy, negligence, violation of federal statutes governing the handling of customer, employee or health information, lawsuits over the misappropriation of sensitive or secret business information, investigations by governmental authorities and, potentially, other claims. Schools may also be at risk for business interruption/extra expense if they must shut down certain online systems or websites in order to contain (or determine the method of) the attack. Other costs may be incurred related to informing families, faculty, staff and third parties of data breaches pursuant to state notification laws, establishing call centers and providing guidance to those affected by the data breach.
From an insurance standpoint, traditional liability policies have not been designed to pick up these new types of exposures and present a gap to the school's insurance and risk management program. There are new products available, however, that look to address these gaps and in particular address the exposures represented by a data breach. Typically referred to as Network Security or Data Breach policies, they provide coverage for the following exposures:
- Any breach of any right to privacy or consumer data protection law
- Breach of duty to maintain the security of sensitive personal information under any statute, regulation, or contract including HIPAA, GLB, and your privacy policy
- Acts performed by contractors, vendors, and outsourcers on your behalf
- Privacy claims by employees
- Breach of confidentiality including commercial information
- Unfair competition related to your failure to maintain security
- Any civil regulatory action related to your failure to maintain security
- Regulatory compensatory award coverage
- Intellectual Property infringement
- Defamation, trade libel, product disparagement
- Negligent transmission of a computer virus, worm, logic bomb or Trojan horse
The policy also responds to first party costs related to a security failure. A typical security failure would include an instance where sensitive personal information is lost and the insured is subject to laws which require the insured to notify those affected. Costs covered would include:
- Forensic Costs - including costs to determine the extent of the unauthorized access to sensitive personal information, and legal fees to maintain attorney-client privilege over the investigation
- Notification Costs - including postage, printing, drafting, call center, and advertisements
- Credit Protection Costs - including credit monitoring services, credit freezes, or fraud alerts
- Crisis Management Expenses - including fees for a public relations firm with a ,000 sub-limit
- Credit Monitoring Services - up to per affected person, for one year's services
- Other Credit Protection Costs - including credit freezes or fraud alerts
Typical events that can lead to this type of coverage being needed are electronic hacks or non-electronic breaches such as lost paper files, backup tapes or laptops, as well as social engineering or phishing. If this type of coverage is not part of your current insurance program, it may prove worthwhile to obtain a quote from your broker given the expanding number of claims that are being reported.
From a proactive and risk management standpoint, Campus Safety recommends the following best practices for preventing a data breach and protecting personally identifiable information (PII):
1. Conduct a Risk Assessment
Before any solution is implemented, it is important to know your network's vulnerabilities. Schools must understand what type of information might get exposed, who might expose it, how and where it could be exposed, and what applications use it. Once the vulnerability assessment is completed, its results should be communicated to school leadership so they understand the risks involved and are more likely to support proposed solutions.
2. Categorize the Data
Schools must then identify and categorize what types of facilities require what level of security. It is important to establish a classification standard: Confidential, Restricted and Public. Sensitive, Private or other mid-levels can be added if needed. Software solutions are available to scan for specific types of data that are risky, such as Social Security numbers and credit card numbers. These tools help schools prevent the transfer of sensitive data to unauthorized devices.
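The scanning tools mentioned above work by pattern-matching the risky identifiers and then validating each hit before raising it, so that a phone number or order number is not misreported as a card number. The following Go program is an added illustration of that approach; it is not code from the article or from any product it mentions. It looks for Social Security numbers (3-2-4 digit shape, rejecting area/group/serial values the SSA never issues) and payment card numbers (13 to 19 digits that pass the Luhn checksum), masks what it finds so the report is not itself a copy of the PII, and assigns the Confidential label from the text's three-level standard when anything is found, otherwise Public. The Restricted level is left for the data owner to assign by hand, since a scanner cannot infer it. The sample text is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Classification labels follow the three-level standard described in the text.
const (
	Public       = "Public"
	Restricted   = "Restricted"
	Confidential = "Confidential"
)

// Candidate patterns. The card pattern deliberately over-matches (13-19 digits
// with optional space or dash separators) and relies on the Luhn check to
// reject false positives such as order or tracking numbers.
var (
	ssnPattern  = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// constructed sample input: one real-looking SSN, one Luhn-valid test card
// number, a phone number and an order number that must not be reported.
const sample = `Student: Jane Doe
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Phone: 814-555-0100
Order number: 1234 5678 9012 3456
`

// Finding records one detected identifier with its value masked.
type Finding struct {
	Kind   string // "ssn" or "card"
	Masked string // all but the last four digits replaced by '*'
}

func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

func mask(s string) string {
	d := digitsOnly(s)
	return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
}

// luhnValid reports whether a digit string passes the Luhn checksum that
// payment card numbers carry: double every second digit from the right,
// subtract 9 from doubled values above 9, and require the sum to be 0 mod 10.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// plausibleSSN rejects area 000, 666 and 900-999, group 00 and serial 0000,
// which are never issued.
func plausibleSSN(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// Scan returns the validated findings in text and the classification they
// imply: Confidential if any SSN or card number is present, otherwise Public.
func Scan(text string) ([]Finding, string) {
	var found []Finding
	for _, m := range ssnPattern.FindAllStringSubmatch(text, -1) {
		if plausibleSSN(m[1], m[2], m[3]) {
			found = append(found, Finding{"ssn", mask(m[0])})
		}
	}
	for _, m := range cardPattern.FindAllString(text, -1) {
		if luhnValid(digitsOnly(m)) {
			found = append(found, Finding{"card", mask(m)})
		}
	}
	if len(found) > 0 {
		return found, Confidential
	}
	return found, Public
}

func main() {
	found, level := Scan(sample)
	for _, f := range found {
		fmt.Printf("%-5s %s\n", f.Kind, f.Masked)
	}
	fmt.Println("classification:", level)
}
```

Run on the constructed sample it reports the SSN and the card number, both masked, and labels the text Confidential; the phone and order numbers are dropped by the shape and Luhn checks respectively.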
3. Determine Who Has Access
School administrators and IT professionals must also determine who has access to various types of data, and access should be granted on a need-to-know basis. Access control can be established based on an individual's role in the school (role based access control or RBAC).
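Need-to-know access expressed as RBAC comes down to a policy table and a check that denies anything the table does not explicitly grant. The Go program below is an added example of such a check, not code from the article; the role set (registrar, faculty, hr, helpdesk), the data categories and the hypothetical users are constructed for illustration and are not a recommended campus policy. It reuses the Confidential/Restricted/Public levels from the text, gives a user holding several roles the union of their permissions, treats an unknown role or classification label as granting nothing, and emits a fixed-format audit line so that denials show up in log review.

```go
package main

import (
	"fmt"
	"strings"
)

// Classification levels from the text, ordered so that a numeric comparison
// expresses "at or below this level".
var levels = map[string]int{"Public": 0, "Restricted": 1, "Confidential": 2}

// Permission is one thing a role may do: an action on one category of data,
// up to a maximum classification level.
type Permission struct {
	Category string // e.g. "student-records", "hr", "finance"
	Action   string // "read" or "write"
	MaxLevel int
}

// Roles is a constructed example policy. Anything not listed is denied:
// need-to-know means default deny, never default allow.
var Roles = map[string][]Permission{
	"registrar": {
		{"student-records", "read", levels["Confidential"]},
		{"student-records", "write", levels["Confidential"]},
	},
	"faculty": {
		// rosters and grades for their own courses, but not SSNs or financial aid
		{"student-records", "read", levels["Restricted"]},
	},
	"hr": {
		{"hr", "read", levels["Confidential"]},
		{"hr", "write", levels["Confidential"]},
	},
	"helpdesk": {
		{"student-records", "read", levels["Public"]},
	},
}

// Allowed reports whether a user holding userRoles may perform action on data
// of the given category and classification. Several roles give the union of
// their permissions; an unknown role or classification contributes nothing.
func Allowed(userRoles []string, category, action, level string) bool {
	need, ok := levels[level]
	if !ok {
		return false // unknown label: treat as more sensitive than anything we know
	}
	for _, r := range userRoles {
		for _, p := range Roles[r] {
			if p.Category == category && p.Action == action && p.MaxLevel >= need {
				return true
			}
		}
	}
	return false
}

// Decide wraps Allowed and returns an audit line in a fixed key=value layout
// so that denials, especially repeated ones, are easy to pick out of logs.
func Decide(user string, userRoles []string, category, action, level string) (bool, string) {
	ok := Allowed(userRoles, category, action, level)
	verdict := "DENY"
	if ok {
		verdict = "ALLOW"
	}
	return ok, fmt.Sprintf("%s user=%s roles=%s category=%s action=%s level=%s",
		verdict, user, strings.Join(userRoles, ","), category, action, level)
}

func main() {
	// hypothetical users and requests
	checks := []struct {
		user             string
		roles            []string
		category, action string
		level            string
	}{
		{"alice", []string{"registrar"}, "student-records", "read", "Confidential"},
		{"bob", []string{"faculty"}, "student-records", "read", "Confidential"},
		{"bob", []string{"faculty"}, "student-records", "read", "Restricted"},
		{"bob", []string{"faculty"}, "hr", "read", "Public"},
		{"carol", []string{"helpdesk", "hr"}, "hr", "write", "Confidential"},
	}
	for _, c := range checks {
		_, line := Decide(c.user, c.roles, c.category, c.action, c.level)
		fmt.Println(line)
	}
}
```

The point worth noticing is the fourth check: faculty are denied even Public HR data, not because HR data is sensitive but because nothing in their role mentions it. That is what need-to-know looks like in code.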
4. Manage Your Faculty and Staff
One common error institutions make when developing their data breach prevention strategies is assuming employees do not constitute a threat. Beyond conducting background checks on staff, there must be enough IT support so that the school can satisfy the expectations stemming from laws like the Health Insurance Portability and Accountability Act (HIPAA).
5. Control the Admin Rights
Controlling the administrator rights of a computer reduces the chances of an insider intentionally or unintentionally downloading malware or malicious code. "If you limit admin privileges or you have two users on a device, one of which is Robert Admin versus just Robert, then when you are operating as Robert and you accidentally click on a Web site that is trying to download something bad to your computer, you are protected," says Penn State's Chief Privacy Officer David Lindstrom. "If you need to download software, then you go in as Robert Admin because you are doing it on purpose." According to Lindstrom, however, this practice is often misunderstood. "They think it will make them somehow less of a user when it is really a piece of self-protection and institution protection."
6. Take a Multi-Layer Approach
A single technology cannot provide complete protection. It is critical that schools have firewalls, anti-virus software, anti-spam, intrusion prevention (IPS), network access control (NAC) and possibly IP white lists. IPS monitors all network traffic for malicious or unwanted behavior, and blocks or prevents those activities. NAC provides an endpoint inspection of devices being connected to the network, while white lists provide a list of known bad IP addresses. Of course, all of these solutions have weaknesses. NAC, for example, won't protect a network from Trojans and viruses introduced to the network via a thumb drive by an authorized user. To make up for NAC's weaknesses, IPS and firewalls are good overlays.
7. Encrypt Information
Encryption is the process by which information is rendered unreadable to anyone who doesn't have appropriate authorization, and it is highly recommended by network security experts. Encrypting laptop hard disks and other portable devices is recommended, although many organizations do not take this step. "You need to have an encryption system on the machine so when the portable device is removed, it is encrypted with the same password," says Lindstrom. "If you do this, when you take it home or to another machine, it is protected in between." Encryption, however, has its pitfalls. Rogue employees can easily work their way around this solution. Terence Spies, who is chief technology officer for Voltage Security, recommends encryption at the application layer, which encrypts data in a self-defending way. "By encrypting documents and database entries so they can only be decrypted in a policy-controlled way at the application layer, that data is encrypted at all other layers - on the network, disk, USB token, etc.," he says. "The data defends itself, as opposed to having to travel over protected channels." He also recommends channel and container encryption (Virtual Private Networks [VPN], Secure Sockets Layer [SSL], whole-disk encryption) as a secondary mechanism.
8. Track Portable Devices
Because laptops, PDAs, cell phones and other portable devices are often the sources of data breaches, managing this equipment is critical. Some companies have removed the drivers and physically blocked USB ports to prevent usage. Cell phones in some organizations are not allowed in buildings. Although these kinds of extreme measures might not be appropriate in the school environment, encryption and RBAC with two-factor access control (when possible) are excellent solutions. SSL or VPNs can also be used to transmit sensitive information.
9. Monitor Inexpensive Assets
Although items like thumb drives are relatively inexpensive to purchase, they can contain a lot of valuable information that, if lost or stolen, can cost an organization dearly. It is very important to keep an accurate inventory "even if the assets do not rise to a level of expense that might fall under the capital asset category," says Lindstrom. "It isn't about the device, it's about the information." Additionally, identifying high value data and defending it with encryption can free IT staff of the burden of trying to track every PC and peripheral device.
10. Maintain Physical Access Control
Of the 71 reported incidents from Jan. 3-June 11, only 18 were the result of hackers. Many, if not most, of the remaining incidents resulted from laptops, portable hard drives, thumb drives or some other piece of computer equipment being stolen or lost. This highlights the need for physical access control. "When people steal machines, we find they take the ones that are easy [to remove]," Lindstrom comments. Simple solutions like locking office doors, installing card access control to a building or office, locking a device to a workstation, locking filing cabinets, logging off a computer or having an auto log-off functionality can help to greatly reduce the number of data breaches experienced by a campus. Anti-theft solutions that remotely track the location of a stolen laptop and destroy its files are another option.
11. Dispose of Records Properly
Because many breaches are the result of dumpster diving, it is important to shred, burn or pulverize paper files. Additionally, disks, DVDs and old computers should be erased before being discarded.
12. Implement Policies
Faculty and staff must be educated on the security policies of a campus, why they are important and how to protect confidential information. The policies should cover telecommuting, and how staff should store and access data from their homes. Audits can be conducted to determine compliance with these policies. It should be noted, however, that non-compliance is often unintentional because faculty/staff frequently don't understand their institutions' privacy and security policies, or the policies are cumbersome. It is recommended that schools conduct an annual audit of the full IT security function; a quarterly audit or assessment of information samples for integrity (back-up tapes, financial and HR database reviews, and random file testing); and weekly sample audits of the appropriate use of the Web, E-mail and shared drive resources. Third-party IT security experts can help with this process. Other appropriate processes include using "strong" passwords that change regularly (although this is debated in some circles) and password-activated screen savers.
13. Manage Your Vendors
There are many instances when security breaches are not the fault of schools, but of the outside contractors tasked with either storing, moving or destroying the records. To guard against this type of threat, schools should interview vendors and review their security policies regarding employee background screening and data management. Regular audits of contractors and security validations are also recommended. One of the best ways of protecting data is to mask or de-identify the information that goes to vendors. There are a variety of solutions that will encrypt data so outside contractors get data that is internally consistent but doesn't contain genuine Social Security Numbers or other identifying information. Often, this type of data is all that a vendor needs but if they need more, that data needs to be handed out in a very careful way with clear commitments as to how it will be handled while in use and how it will be erased.
Ronald C. Wanglin
Chairman
Bolton & Company