Data Breach Lawsuit Against Yale Provides Lessons for Other Universities
The Mason v. Yale complaint has demonstrated the financial issues at stake for universities with data breaches, but there are steps they can take to protect themselves immediately.
November 02, 2018 at 11:00 AM
A breach at Yale University that could have compromised data on 119,000 alumni, faculty and staff raises lessons for other universities and other complex organizations, reminding them of the risks associated with data security.
Yale discovered the breach this past summer, and personal information was possibly compromised between April 2008 and January 2009, according to a class action lawsuit filed in U.S. District Court for the District of Connecticut. The breach involved names, Social Security numbers, dates of birth, email addresses and physical addresses, according to a report from the Connecticut Law Tribune. Yale, the lawsuit maintains, also “improperly retained personal information.” The lawsuit was filed on behalf of Andrew Mason, who attended a summer program at Yale during 2005, following an earlier lawsuit filed by another former student in response to the breach.
Commenting on the litigation and breach, Danielle Vanderzanden, co-chair of the data privacy practice group at Ogletree, Deakins, Nash, Smoak & Stewart, told Legaltech News the breach and related action raise concerns for all universities and other organizations.
“This is a concern not only for universities, but also for any organization that retains personally identifiable information,” she said.
The Problem at Hand
Vanderzanden said that “universities constitute fertile ground for hackers because they maintain extensive PII relating not only to employees, applicants and students, but also to employee dependents and applicant and student parents.”
For example, these may include names, bank account numbers, Social Security numbers, debit or credit card numbers “or other information sufficient to put an individual at risk for identity theft,” Vanderzanden said.
Michael Olivas, who directs the University of Houston's Institute for Higher Education Law and Governance, also warned that “it is not only personal data and messages that are at risk. … At large research institutions, there can be compromised research study data, scientific laboratory findings, intellectual property compromises, and health and medical patient records.”
Vanderzanden said larger universities, with affiliated hospitals and other professional services providers, maintain even more sensitive information, such as health care information protected by the Health Insurance Portability and Accountability Act. Also, large universities may have different units under a single university umbrella “but rely on different computer servers and information security professionals and practices. Such diversity may lead to inconsistency in application of security measures and practices and availability of technological resources,” Vanderzanden said.
“Generally speaking, universities are repositories of personal data and research and development, and thus are targeted by cyber thieves,” Jeffrey Poston, co-chair of Crowell & Moring's privacy and cybersecurity practice group, said. He added that, because “universities do so much research, they hold trade secrets that are attractive to both private and state actors, including both Russia and China.”
“Because universities are culturally open, it can be more difficult to impose rigid privacy and cybersecurity controls, especially when compared to more traditional businesses,” Poston said.
How Universities Can Protect Themselves
Overall, Vanderzanden warned that cybercrime “is on the rise” and that hackers are “very effective at obtaining access to PII. … Minimizing data breach risks in any organization requires physical, technical and personnel measures that focus on identifying security risks, protecting against intrusion, detecting vulnerabilities, responding to a breach and recovering from any breach.”
In response, Vanderzanden recommends that universities:
- Establish or evaluate a university's privacy team. The team should include representatives from legal, human resources, information technology/information security, government relations and media/public relations divisions.
- Identify and assess applicable regulations.
- Undertake a privacy risk assessment. That includes determining what type of information the university collects and how it uses such information. A guiding principle is that an organization should collect only the information it needs, and information should be kept only as long as necessary. To develop the requirements, review statutory, regulatory or industry requirements or standards.
- Ensure access to sensitive information is limited to individuals with a current, legitimate business purpose for the access. Also, identify how information is received, used, managed and shared within the university or with third parties. The information should be classified based on its sensitivity.
- Accurately describe their collection and retention practices.
- Give employees adequate training and conduct penetration testing to identify employees who may pose a security risk. Employees can help limit breaches by being wary of phishing emails or refraining from replying to email inquiries seeking PII. The transmission of PII should be limited to secure methods of transfer and require approval by more than one employee. Employees should be bound by data security policies and codes of conduct that protect the confidentiality of sensitive information.
- Review technical measures such as authentication protocols, encryption, firewalls, password practices, multifactor authentication and anti-virus protection.
- Review technical measures designed to alert the university to unauthorized access to sensitive information.
- Audit contracts with third parties to ensure they protect sensitive information with reasonable technical, personnel and physical protections.
- Review the university's breach response plan and ensure the university is prepared to contact forensic experts, legal resources and public relations professionals in the event of a breach. Conducting breach response drills to ensure preparedness is an effective way of identifying gaps in the university's breach preparedness protocol.
“Information security and privacy absolutely need to be addressed at the highest levels,” Vanderzanden added. “Ensuring that the board and the executive team supports effective measures is critical. … Without board-level support, maintaining data security is very, very difficult.”
Looking at the larger picture, Vanderzanden explained that “managing cybersecurity requires a multidisciplinary approach, and far too few organizations have the technical, physical and personnel resources required to be effective.”
Olivas specifically recommended that training for employees should be widely available and start in areas where breaches are the most likely, such as the registrar's office, admissions, financial aid or the bursar's office.
Organizations also should realize that a lot of money is at stake because of these kinds of breaches. “The theories of liability asserted in the Mason v. Yale complaint have been asserted in numerous other data breach class action lawsuits around the country, and the financial stakes are high,” Vanderzanden said. “In fact, the settlements approved in such cases the past several years are regularly measured in the tens of millions of dollars.”
She also pointed out that “settlement-related costs” are “only a fraction of the true harm to an organization that experiences a breach.” Organizations can experience “adverse publicity and damage to consumer confidence,” she said.