Community Colleges and Data Security

One normally does not think of a community college or junior college as a place where data breaches would be of concern. That is, of course, until it happens, and then the realization hits of just how closely these institutions are intertwined with their communities. A data breach reaches deep within the communities from which the colleges draw their students, in which the college's employees reside, and from which many of the professors and instructors are drawn.

This is magnified when a breach event is mishandled. Take the recent instance concerning the data breach at Maricopa County Community College District (MCCCD). The school learned it had been breached on April 29, 2013, but only revealed the breach to those affected on November 26, 2013, an inexplicable delay. What was exposed in the MCCCD breach? The breached data included names, dates of birth, social security numbers, and bank account information. The MCCCD is in the process of notifying approximately 2.5 million students, suppliers and employees, all of whom will now face a potential identity theft risk. The number is large because the MCCCD comprises ten campuses and hosts approximately 265,000 students per year. In late November, the MCCCD said it expects to spend approximately $7 million to notify those affected, provide credit monitoring services and staff a call center as a result of the April breach.

How did the MCCCD learn of the breach? The Federal Bureau of Investigation (FBI) informed the MCCCD that someone was offering to sell its data online; outsiders had gained remote access to the MCCCD's computer systems. MCCCD Chancellor Rufus Glasper apologized for the security lapse which permitted the breach, and an MCCCD spokesman noted that the district is disciplining several information technology employees: "We've attributed that lack of security to the failures of certain people with IT responsibilities who did not live up to the expectations that we placed on them," he said.

While the MCCCD incident involved a technological breach of the school's IT infrastructure, and time is required to evaluate and isolate such an intrusion, the MCCCD's choice not to reveal the compromise of personal identifying data to those now at risk within 30 days of discovery indicates either a failure to follow established notification processes or the absence of a data breach plan. One would like to assume every college has a data and privacy policy which adheres to the compliance requirements of the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records, while at the same time protecting the personal information of employees, vendors, and others engaged with the schools.

In April 2013, Kathleen Styles, Chief Privacy Officer of the U.S. Department of Education, discussed protecting data at schools in an interview with Daniel Solove (Professor of Law at GW Law School). The prerequisite is that the data be stored in a secure manner, with the onus on the school to determine the proper balance of "physical, technological, and administrative controls to prevent unauthorized access." When asked about cloud storage, she again noted that the information must be stored securely, and listed the following conditions to be met when contracting services from the cloud:

  • The school or district must directly control the contractor's use and maintenance of education records;
  • The contract has to be for services or functions the school or district would have otherwise used its employees to perform;
  • The contractor must meet the criteria for "school officials" with "legitimate educational interests," as published by the school or district in its annual FERPA notification of rights; and
  • The contractor must be subject to FERPA use and re-disclosure limitations, meaning that the contractor has to use the FERPA-protected information for the purpose for which it received it, and that the contractor may re-disclose that information only if permitted under the terms of the contract (and, of course, provided that the school or district itself may re-disclose under FERPA).

Styles concluded, "schools and districts are responsible for the protection of their data, regardless of where they are stored. It doesn't matter whether the records are located in a locked file cabinet, in a server on the school premises, or on a server in the cloud."

The MCCCD breach, involving approximately 2.5 million individuals' identities, was no doubt a financial windfall to the criminal elements who conducted it. Each compromised record has a street value of approximately $11 ($27.5 million in total for the criminals who took the data, if they are able to sell each record on the criminal underground identity market; see Dell SecureWorks' piece, "Underground hacking economy is alive and well," for the value of identities and compromised computers on the criminal market), and that offer to sell is no doubt what the FBI detected. The MCCCD has earmarked $7 million toward the remediation, but the MCCCD's final sum may be significantly more, as the average cost of remediation in the U.S. following a data breach is $180/record and the MCCCD has budgeted $2.80/record.

The takeaway for all educational institutions, not just community colleges: empower your Chief Security Officer (CSO) and Chief Information Security Officer (CISO) with sufficient resources not only to protect your infrastructure but also to invest in employee education. Far too often, data security and awareness programs fall into the operational expense category of "nice to have." Incidents such as the one the MCCCD experienced demonstrate the need for a breach response plan and for training, training that isn't just once and done, but constant. Personal identifying information is precious, and it is incumbent upon everyone to keep it protected and secure. If your school does not have a CSO or CISO, and many don't, obtain the services of a virtual CSO.


Data breaches in higher education

2,500,000 records – Maricopa Community College – Maricopa County, Arizona
125,000 records – Kirkwood Community College – Cedar Rapids, Iowa
90,000 records – University of Washington – Seattle, Washington
14,000 records – Mercer County Community College – West Windsor Township, NJ
3,300 records – Tallahassee Community College – Tallahassee, FL
1,000 records – El Paso Community College – El Paso, Texas
129 records – Oakland Community College – Southfield, MI