While recent large-scale data breaches have garnered much attention worldwide, smaller breaches at colleges and universities have also had a significant impact, prompting scrutiny, criticism and, in some cases, new legislation.
The Privacy Advisor caught up with Foley & Lardner senior counsel Peter McLaughlin at the recent Practical Privacy Series event in Boston, Mass. McLaughlin, who recently published a book about protecting personally identifiable information in higher education, shared his perspective on the current landscape.
Reports of data breaches and incidents of data loss seem to make the headlines almost every day. Recently, hackers have compromised the databases of video gaming networks and advertising businesses as well as the e-mail accounts of top-level government employees. At the same time, reports of lost laptops and memory sticks loaded with sensitive data and personally identifiable information have become a common occurrence. Businesses and government agencies are not alone in needing to secure data and manage risk. Institutions of learning—particularly those in higher education—are constantly threatened by breaches and data loss. The University of Hawaii has been criticized for
that exposed Social Security numbers and other sensitive data in approximately 260,000 records, accounting for more than half of the state’s reported data breaches. These breaches have even prompted
in the state of Hawaii. Earlier this year, three universities sustained
that combined to affect more than 125,000 current and former faculty, staff and students. According to Peter McLaughlin, CIPP, 20 percent of reported data breaches in the U.S. originate from educational institutions, the majority of which stem from higher education organizations. McLaughlin, senior counsel at Foley & Lardner, adds, “I doubt higher education consists of 20 percent of the economy.” So where is the disconnect? “Universities have tremendous amounts of information about us,” says McLaughlin. In Protecting Personally Identifiable Information: A Guide for College and University Administrators, he notes that “colleges and universities present fertile ground for (data breaches and loss) because of the substantial information and a typically inconsistent means for protecting that data.” Colleges and universities collect and process a vast amount of diverse and, very often, personal information. In addition to standard identifying information, they may hold sensitive financial and/or health information about students, employees and alumni. Schools face a variety of privacy laws: not only must they comply with FERPA, they must also know when to comply with the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the federal Red Flags Rule. McLaughlin says “one of the difficulties with U.S. data security laws is that information may be governed by different rules depending on the context.” For example, a retail credit card transaction would fall under GLBA, whereas a credit card transaction at a university health center would need to comply with HIPAA. Consequently, universities need employee awareness and a system in place to mitigate risk. Additionally, McLaughlin points out that “one-third of all identity theft victims are college students.” Students are prime targets because they tend to have disposable income, do not check their credit histories and change their addresses often. The obligations educational institutions have in handling student privacy may well be in a state of flux. In May, the Department of Education
changes to the 1974 Family Educational Rights and Privacy Act (FERPA). The proposed amendments “would give colleges and universities more latitude to share student-level information with state agencies and others, without student consent,” according to Inside Higher Ed. Often, the loss of sensitive data can be avoided. Some experts argue that the frequency of data breaches stresses the need for
university staff on the importance of protecting personal information. In his book, McLaughlin writes, “While formal training is important, ongoing awareness efforts can sometimes be equally effective when the goal is to help people understand how privacy and security affects their role within the institution.” “The purpose of higher education is for the sharing of knowledge,” McLaughlin points out. Yet there is a fine balance between fostering the sharing of information for educational purposes and protecting privacy rights and information security. McLaughlin notes that university officials are “doing the best they can with the resources they have,” but more urgency needs to be communicated to stakeholders. He says that with tightened budgets and limited resources, privacy professionals in higher education institutions need to “understand how to use their resources more intelligently.” With an array of state and federal regulations as well as the concerns surrounding student privacy, educational institutions have many obstacles to navigate. “Because any post-incident review or criticism will come with the benefit of hindsight,” writes McLaughlin, “the more that a school can appreciate its risk, the better it will be able to responsibly manage the institution’s resources.”
