[BreachExchange] Michigan State Data Breach and the Value of Preparedness

[Audrey McNeil]

http://www.natlawreview.com/article/michigan-state-data-
breach-and-value-preparedness

Michigan State University’s announcement earlier this month that hackers
had gained access to a school database of about 400,000 records highlights
why colleges and universities are such tempting targets for hackers and
just how important it is to prepare for a data breach.

Reports indicate that the university discovered the breach on Nov. 13 when
a ransom demand was made for stolen data. This demand allowed the
university to identify the breach and quickly take action, limiting the
hacker’s access to only 449 records. And while those records included the
names and social security numbers of students and staff, they did not
include full academic, financial, or health records, according to the
university

Affected individuals are being notified and offered credit monitoring and
other services. While the number of records involved is small, the cost to
the university likely will not be. A recent study sponsored by IBM found
that a data breach costs an organization nearly $7.01 million on average.

This is Michigan State’s second data breach this year and its fourth
significant incident since 2012, according to cyber security blog Security
Affairs. In October hackers stole and posted on the website Pastebin the
user names, logins, phone numbers and email addresses for individuals in
the university’s system.

A similar ransomware breach was announced on Dec. 1 at Carleton University
in Canada.  Details about that breach are still emerging, but early
indications are that the university will be able to restore its systems
without paying ransom.

These events highlight the increasing prominence of ransom demands in
cybercrime. Cybercriminals are shifting focus away from mass theft of
payment card information and personal data – usually from large retailers
and insurers – and are turning their focus to smaller, data dependent
entities where stolen data or entire IT systems can be held hostage.

In light of these trends, educational institutions can expect to see
increasing threats from cybercriminals and in turn expect to see increasing
legal responsibilities. As such, it is critical for colleges and
universities have in place detailed data breach response plans developed in
consultation with highly qualified cybersecurity professionals, including
legal counsel.

An experienced data management and cybersecurity attorney will advise on:

Creation of a Data Breach Response Team

Training and table top exercises for board of directors and other key
personnel

Identifying the organization’s statutory data privacy obligations and the
notifications required in case of breach

Identifying and managing the scope of data protection obligations under
non-disclosure agreements and other contracts with third parties

Ensuring that appropriate data protection and cyber security clauses are
include in vendor contracts

Assessing cyber insurance policies, terms and exclusions

Managing internal investigations of breaches, with an emphasis on
maintaining attorney client privilege for communications during those
investigation

Managing investigations by regulatory agencies including the Office of
Civil Rights in Department of Health and Human Services (HIPAA), States’
attorney generals, and the Family Policy Compliance Office of the U.S.
Department of Education (FERPA)

According to privacyrights.org, there have been over 800 data breach
incidents at educational institutions and 15,000,000 records breached at
educational institutions since tracking began.

Cybercriminal have an unfair advantage over their victims:  It takes only
one mistake for cybercriminals to get into a system, victims must protect
against all vulnerabilities.  But thoughtful planning and vigilance can
dramatically limit how much damage cybercriminals cause when a breach
occurs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161206/ccc614a9/attachment.html>