While many colleges and universities had long ago moved away from paper records toward electronic data systems and web-based applications to store, process, and deliver educational courses and retain student data, a community college in the Midwest had several departments that had not. Most of the records contained significant amounts of personally identifiable information that needed to be appropriately protected and managed.
All educational organizations have a legal and ethical responsibility to protect the privacy and security of their students' personally identifiable information. The Family Educational Rights and Privacy Act (FERPA) protects personally identifiable information from educational records regardless of whether student records are paper or electronic; however, the best practices to protect the data do differ depending on the technology used by the institution to maintain the records.
At this Midwest community college, breaches of electronically stored data were a growing concern for the college President and administrators of multiple campuses and departments. While the college had not yet experienced a data breach on campus, the administration was proactively addressing policies and procedures to avoid potential student data breaches. The administration sought to implement privacy and security best practices targeted to their unique concerns and data systems. Shale Team met with the college President to formulate a strategy and to communicate outcomes and tactics for the college’s departmental staff members. The first step was to define and identify potential data breaches for the college, which would be any instance in which there is an unauthorized release or access of personally identifiable information or other information not suitable for public release.
Data breaches can take many forms, including:
- Hackers gaining access to data through a malicious attack
- Lost, stolen, or temporarily misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.)
- Employee negligence (e.g., password list publicly accessible, technical staff misconfiguring a security service or device, etc.)
- Policy and/or system failure (e.g., a policy that doesn’t require multiple overlapping security measures)
For colleges like this Midwest college, breaches resulting in unauthorized access to personally identifiable information are especially serious, as the leaked information can be used by criminals to make fraudulent purchases, obtain loans or establish lines of credit, and even obtain false identification documents. To ensure effective and consistent incident response, Shale Team recommended building the college’s response strategy around the following core components for each department:
1. Policy - Wrote data breach response policies.
2. Plan - Developed a strategy for implementing the data breach policy and created a breach response plan.
3. Procedures - Implemented procedures derived from the breach response plan and codified specific tasks, actions, and activities.
The college and Shale Team established and implemented a clear data breach response plan outlining the college’s policies and procedures to protect the privacy of their student data. The administration recognized that waiting until a crisis occurs is too late to formulate a strategy and quickly implement a plan because response activities in the midst of a crisis are typically fast-paced and stressful. Issues, questions, and decisions may all have potentially serious consequences for the response effort and the privacy of those affected by the breach.
In preparation for a data breach, the administration charged each department lead with conducting periodic reviews to prepare staff members to make decisions and respond quickly to issues. By establishing a robust response capability well in advance, the college decreased the pressure on the responders and reduced potential errors. As a best practice, the college conducts recurring tests, drills, and incident response exercises to help ensure they are prepared to respond to a breach swiftly and efficiently.