A breach at Yale University that could have compromised data on 119,000 alumni, faculty and staff raises lessons for other universities and other complex organizations, reminding them of the risks associated with data security.

Yale discovered the breach this past summer, and personal information was possibly compromised between April 2008 and January 2009, according to a class action lawsuit filed in U.S. District Court for the District of Connecticut. The breach involved names, Social Security numbers, dates of birth, email addresses and physical addresses, according to a report from the Connecticut Law Tribune. Yale, the lawsuit maintains, also “improperly retained personal information.” The lawsuit was filed on behalf of Andrew Mason, who attended a summer program at Yale during 2005, following an earlier lawsuit filed by another former student in response to the breach.

Commenting on the litigation and breach, Danielle Vanderzanden, co-chair of the data privacy practice group at Ogletree, Deakins, Nash, Smoak & Stewart, told Legaltech News the breach and related action raise concerns for all universities and other organizations.

“This is a concern not only for universities, but also for any organization that retains personally identifiable information,” she said.

The Problem at Hand

Vanderzanden said that “universities constitute fertile ground for hackers because they maintain extensive PII relating not only to employees, applicants and students, but also to employee dependents and applicant and student parents.”

For example, these may include names, bank account numbers, Social Security numbers, debit or credit card numbers “or other information sufficient to put an individual at risk for identity theft,” Vanderzanden said.

Michael Olivas, who directs the University of Houston's Institute for Higher Education Law and Governance, warned too that “it is not only personal data and messages that are at risk. … At large research institutions, there can be compromised research study data, scientific laboratory findings, intellectual property compromises, and health and medical patient records.”

Vanderzanden said larger universities, with affiliated hospitals and other professional services providers, maintain even more sensitive information, such as health care information protected by the Health Insurance Portability and Accountability Act. Also, large universities may have different units under a single university umbrella “but rely on different computer servers and information security professionals and practices. Such diversity may lead to inconsistency in application of security measures and practices and availability of technological resources,” Vanderzanden said.

“Generally speaking, universities are repositories of personal data and research and development, and thus are targeted by cyber thieves,” Jeffrey Poston, co-chair of Crowell & Moring's privacy and cybersecurity practice group, said. He added that, because “universities do so much research, they hold trade secrets that are attractive to both private and state actors, including both Russia and China.”

“Because universities are culturally open, it can be more difficult to impose rigid privacy and cybersecurity controls, especially when compared to more traditional businesses,” Poston said.

How Universities Can Protect Themselves

Overall, Vanderzanden warned that cybercrime “is on the rise” and that hackers are “very effective at obtaining access to PII. … Minimizing data breach risks in any organization requires physical, technical and personnel measures that focus on identifying security risks, protecting against intrusion, detecting vulnerabilities, responding to a breach and recovering from any breach.”

In response, Vanderzanden recommends that universities:

  • Establish or evaluate a university's privacy team. The team should include representatives from legal, human resources, information technology/information security, government relations and media/public relations divisions.
  • Identify and assess applicable regulations.
  • Undertake a privacy risk assessment. That includes determining what type of information the university collects and how it uses such information. A guiding principle is that an organization should collect only the information it needs, and information should be kept only as long as necessary. To develop the requirements, review statutory, regulatory or industry requirements or standards.
  • Ensure access to sensitive information is limited to individuals with a current, legitimate business purpose for the access. Also, identify how information is received, used, managed and shared within the university or with third parties. The information should be classified based on its sensitivity.
  • Accurately describe its collection and retention practices.
  • Give employees adequate training and conduct penetration testing to identify employees who may pose a security risk. Employees can help limit breaches by being wary of phishing emails or refraining from replying to email inquiries seeking PII. The transmission of PII should be limited to secure methods of transfer and require approval by more than one employee. Employees should be bound by data security policies and codes of conduct that protect the confidentiality of sensitive information.
  • Review technical measures such as authentication protocols, encryption, firewalls, password practices, multifactor authentication and anti-virus protection.
  • Review technical measures designed to alert the university to unauthorized access to sensitive information.
  • Audit contracts with third parties to ensure they protect sensitive information with reasonable technical, personnel and physical protections.
  • Review the university's breach response plan and ensure the university is prepared to contact forensic experts, legal resources and public relations professionals in the event of a breach. Conducting breach response drills to ensure preparedness is an effective way of identifying gaps in the university's breach preparedness protocol.

“Information security and privacy absolutely need to be addressed at the highest levels,” Vanderzanden added. “Ensuring that the board and the executive team supports effective measures is critical. … Without board-level support, maintaining data security is very, very difficult.”

Looking at the larger picture, Vanderzanden explained that “managing cybersecurity requires a multidisciplinary approach, and far too few organizations have the technical, physical and personnel resources required to be effective.”

Olivas specifically recommended that training for employees should be widely available and start in areas where breaches are the most likely, such as the registrar's office, admissions, financial aid or the bursar's office.

Organizations also should realize that a lot of money is at stake because of these kinds of breaches. “The theories of liability asserted in the Mason v. Yale complaint have been asserted in numerous other data breach class action lawsuits around the country, and the financial stakes are high,” Vanderzanden said. “In fact, the settlements approved in such cases the past several years are regularly measured in the tens of millions of dollars.”

She also pointed out that “settlement-related costs” are “only a fraction of the true harm to an organization that experiences a breach.” Organizations can experience “adverse publicity and damage to consumer confidence,” she said.