Simon Fraser University in BC, Canada, announced that it was hit by a data breach earlier this month. The breach, which resulted from a February 27th ransomware attack, exposed the personal information of recent students, staff, faculty, and alumni.
SFU staff have reached out to those affected and taken measures to prevent future breaches. Still, this incident – occurring just a month after Data Privacy Day – underscores the importance of protecting private data. It’s also a reminder that the education industry faces a steeper uphill battle than most on this front.
Here are three reasons why academic institutions should be particularly concerned about protecting personal data.
Schools are Hot Targets
To be kept private, data must be kept secure. And academic institutions have a troubling track record when it comes to data security.
A 2018 report by SecurityScorecard ranked the education industry dead last in terms of cybersecurity readiness. A study by Malwarebytes published the following year found schools to be one of the most popular cyberattack targets. There’s no shortage of evidence to support both claims. Last year, Louisiana had to declare a state of emergency due to cyberattacks against its school boards. According to ZDNET, more than 500 schools in the US were hit by ransomware attacks in the first nine months of 2019 alone. And with vulnerability to cyberattacks comes vulnerability to data breaches, as the recent incident at SFU demonstrates.
Schools aren’t oblivious to these issues. According to EDUCAUSE, information security has been the top priority in academic IT for years. As of this year, privacy holds second place. So academic institutions recognize the risks they face and are working to mitigate them. But as long as these institutions remain such popular and vulnerable cyberattack targets, their private data will be under constant threat.
Privacy Laws are Proliferating
Ensuring data privacy isn’t just a security concern. It’s also increasingly a legal concern.
In 2018, the European Union introduced the General Data Protection Regulation (GDPR). Widely considered the most comprehensive privacy law ever passed, the GDPR guarantees unprecedented rights and protections to EU citizens, establishes strict guidelines for handling personal data, and lays out harsh penalties for organizations that don’t comply. The GDPR is likely a sign of things to come. Similar laws are proliferating around the world. The California Consumer Protection Act (CCPA), for example, came into effect on the first of this year.
This trend should concern the education industry more than most for one simple reason – cost. Schools are famous for operating under tight budgets. And these new laws come with crippling financial penalties for noncompliance. The CCPA, for example, mandates fines of up to $7,500 per record breached. In the event of a large data breach, this could add up to a staggering amount of money, especially for institutions that already struggle to balance budgets.
The Cloud Complicates Compliance
The ongoing transition of software to the cloud is creating new technical challenges to protecting data and complying with privacy regulations.
The sync tools used to provision access to some cloud products raise significant privacy concerns. These tools work by creating accounts for everyone in an organization’s directory, giving the whole organization instant access to a product. This turnkey approach keeps things simple from an IT perspective. However, it requires allowing a piece of software to access basic personal information about all members of an organization and pull that information into an outside system – without those individuals’ consent or knowledge.
One could argue that these mass imports of PII violate the GDPR’s stipulations on informed consent. Still, it’s a risk some schools may be tempted to take, because the most obvious alternative is to have IT manually manage access to cloud products. This may be a viable option for private businesses, where all employees are typically licensed to use the same products until they leave the company. But for academic institutions, where product eligibility is often based on course load and can change with every new semester and course transfer, it can require a prohibitive amount of time and effort.
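One way to scope provisioning to current eligibility instead of syncing the whole directory, shown as an added Python example that is not from the original post or any vendor's sync tool; the directory, courses, product and attribute list are constructed placeholders:

```python
# Added example: an eligibility-driven provisioning plan as an alternative to a
# whole-directory sync. Only users who currently qualify for a product are
# provisioned, only the attributes the product needs leave the institution,
# and accounts are reconciled when eligibility changes between semesters.

# Constructed sample data; user ids, courses and the product are hypothetical.
DIRECTORY = {
    "u001": {"name": "Ada L.", "email": "ada@example.edu", "dob": "1990-01-01", "address": "1 Campus Rd"},
    "u002": {"name": "Bob M.", "email": "bob@example.edu", "dob": "1991-02-02", "address": "2 Campus Rd"},
    "u003": {"name": "Cy N.", "email": "cy@example.edu", "dob": "1992-03-03", "address": "3 Campus Rd"},
}
# Enrollment for the current semester (u002 dropped CS101, u001 joined it).
ENROLLMENTS = {"u001": {"CS101", "MATH200"}, "u002": {"HIST110"}, "u003": set()}
# Courses whose students are licensed for the hypothetical product.
PRODUCT_COURSES = {"CS101", "CS250"}
# The only attributes the product needs; date of birth, address etc. stay in-house.
MINIMAL_ATTRS = ("name", "email")


def eligible_users(enrollments, product_courses):
    """Return the set of user ids enrolled in at least one qualifying course."""
    return {uid for uid, courses in enrollments.items() if courses & product_courses}


def minimized_record(uid, directory, attrs=MINIMAL_ATTRS):
    """Export only the attributes the product needs (data minimisation)."""
    return {key: directory[uid][key] for key in attrs}


def plan_sync(current_accounts, enrollments, directory, product_courses, attrs=MINIMAL_ATTRS):
    """Reconcile the product's existing accounts against current eligibility.

    Returns accounts to create (with minimized records), accounts to remove
    (no longer eligible, e.g. after a course transfer) and accounts to keep.
    """
    eligible = eligible_users(enrollments, product_courses)
    current = set(current_accounts)
    return {
        "create": {uid: minimized_record(uid, directory, attrs) for uid in sorted(eligible - current)},
        "remove": sorted(current - eligible),
        "keep": sorted(current & eligible),
    }


if __name__ == "__main__":
    # Last semester the product held an account for u002 only.
    print(plan_sync({"u002"}, ENROLLMENTS, DIRECTORY, PRODUCT_COURSES))
```

Running the reconciliation each semester (or on every enrollment change) keeps the external system holding accounts and attributes only for people who currently qualify, which is the exposure a whole-directory import cannot limit.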