Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, plaintiff Jackson filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk's computer network on or about July 9, 2022. After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation, which was completed on November 14, 2022. The investigation concluded that an unauthorized third party had accessed and/or exfiltrated files containing personally identifiable information (PII) of students who enrolled after 2002.

The complaint further alleges that the PII exposed in the breach included students' full names, Social Security numbers, driver's license numbers, state identification numbers, financial account information, and protected health information. Suffolk did not release the total number of students affected, but the complaint alleges that approximately 36,000 Massachusetts residents were affected. No information was provided about affected residents of other states.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk's data breach is not an outlier. Colleges and universities present a wealth of opportunities for cybercriminals because they hold massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary research data, often spread across many loosely connected departmental systems. Because stolen data can be sold through open and anonymous forums on the dark web, colleges and universities will remain prime targets.

Recognizing this, the FBI issued a warning to higher education institutions in March 2021, informing them that cybercriminals were targeting institutions of higher education with ransomware attacks. In May 2022, the FBI issued a second alert, warning that cyber threat actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII. In particular, Plaintiff alleges that Suffolk's failure to protect student PII constitutes an unfair practice prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45, and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.A. § 6801. The suit further alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government requirements but also consider adopting industry best practices to protect student PII.

In particular, the FTC's Safeguards Rule under GLBA, which applies to colleges and universities that participate in federal student aid programs because they handle student financial information, requires a covered organization to designate a qualified individual to oversee its information security program and to conduct written risk assessments that continually evaluate internal and external risks to the security, confidentiality and integrity of personal information. After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address them. The amended rule also enumerates specific safeguards, including access controls, encryption of customer information in transit and at rest, multifactor authentication, and logging and monitoring of user activity. See 16 CFR § 314.4.

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance on how to further invest in a cybersecurity program. Massachusetts was an early leader among U.S. states when, in 2007, it enacted its data security statute, Mass. Gen. Laws ch. 93H, whose § 2 ("Regulations to safeguard personal information of commonwealth residents") directed the promulgation of the implementing regulations at 201 CMR 17.00 (together, the Data Security Law). The Data Security Law, still among the most prescriptive general state data security laws, requires every organization that holds personal information of Massachusetts residents to maintain a written information security program (WISP) and sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for any organization:

  1. Designation of one or more employees responsible for the written information security program (WISP).
  2. Assessment of risks to the security, confidentiality and/or integrity of organizational information, and of the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP, and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational information.
  6. Management of service providers that access organizational information while providing services to the organization, including retaining only service providers capable of protecting organizational information consistent with the Data Security Regulations and other applicable laws, and requiring service providers by contract to implement and maintain appropriate measures to protect organizational information.
  7. Physical access restrictions for records containing organizational information, and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational information, and upgrading of the WISP as necessary to limit risks.
  9. Review of the WISP at least annually, or more often if business practices relating to the protection of organizational information materially change.
  10. Documentation of responsive actions taken in connection with any "breach of security," and a mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to the protection of organizational information.

An organization that decides not to implement one of these controls should document the reasoning behind that decision, including any compensating controls, as a defensive measure; a documented, risk-based choice is far easier to defend than an unexplained gap. By implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

Affirmative Action Policy Upheld By Supreme Court

Race may be taken into account when public universities and colleges admit students, ruled the U.S. Supreme Court today. For the second time, the Court was asked to decide whether the University of Texas at Austin's admissions policy, which uses a variety of affirmative action factors to increase the diversity of its student population, violates the Equal Protection Clause of the Constitution. In a 4-to-3 decision (with Justice Kagan taking no part in the decision), the Court ruled that the race-conscious admissions program in question is lawful under the Equal Protection Clause. Fisher v. University of Texas at Austin, 579 U.S. __ (2016).

White Applicant Denied Admission Challenged Policy

Abigail Fisher, a white applicant who was denied admission to the University of Texas at Austin, sued the University alleging that its use of racial preferences in undergraduate admissions decisions is unconstitutional. She asserted that by including race in its admissions decisions, the University disadvantaged her and other Caucasian applicants.

The District Court in Texas that considered Fisher’s claims ruled in favor of the University, and the Fifth Circuit Court of Appeals agreed. Fisher appealed to the Supreme Court and in 2013, the Court kept her claims alive by sending them back to the Fifth Circuit so that the University’s admissions policy could be evaluated under the proper strict scrutiny standard. The Fifth Circuit reexamined the policy but came up with the same result, ruling in favor of the University. Fisher appealed to the Supreme Court again.

Court Finds Compelling Interest In Diversity of Students

In Fisher I, the Court ruled that the University’s affirmative action process, in which race was only one factor in assigning a numerical admissions score, needed to further a constitutionally permissible and substantial purpose or interest in order to meet the strict scrutiny standard. In today’s decision, the Court found that the University’s desire to provide its students the educational benefits that flow from having a diverse student body was a compelling interest sufficient to overcome the strict scrutiny standard.

Fisher had argued that the University failed to state more precisely what level of minority enrollment would constitute a “critical mass” at which time race would no longer need to be an admissions consideration. The Court rejected Fisher’s argument, stating that the educational benefits promoted by a diverse student body should not be reduced to pure numbers, especially in light of the fact that the University is prohibited from having a quota for minority student enrollment.

The Court also rejected Fisher’s assertion that the University had already achieved “critical mass” of minority enrollment, finding that the University had studied both statistical and anecdotal evidence that showed that race-neutral programs had not achieved its diversity goals. In addition, the Court rejected Fisher’s position that there were other workable race-neutral means of meeting the University’s educational goals.

University Must Continue to Evaluate Use Of Race In Admissions 

Although a slim majority of the Court upheld the University’s ability to use race as a factor in its admissions policy, the Court wrote that the University has a continuing obligation to satisfy the burden of strict scrutiny in light of any changing circumstances. It stated that the University must conduct periodic reassessments of its admissions program and continue to examine data to ensure that “race plays no greater role than is necessary to meet its compelling interest” in promoting the educational benefits advanced by diversity among students.

Three Justices Dissent

Chief Justice Roberts, as well as Justices Thomas and Alito, disagreed with their four colleagues in the majority. Justice Thomas wrote that “a State’s use of race in higher education admissions decision is categorically prohibited by the Equal Protection Clause.” Justice Alito separately wrote that the University had failed to show that its race-conscious plan was narrowly tailored to serve compelling interests so “[b]y all rights, judgment should be entered in favor of [Fisher.]”

Had Justice Antonin Scalia not passed away in February, he almost certainly would have voted along the lines of the dissenters. That would have resulted in an evenly divided court at 4-to-4. Justice Kagan did not participate because she had participated in the government’s part of the case when she was U.S. Solicitor General prior to being appointed to the Court. A 4-to-4 decision would have meant that the Fifth Circuit’s decision would stand, so the University would still have prevailed—but the decision would have had no precedential impact outside of the Fifth Circuit. But now, with Justice Scalia’s absence, the Supreme Court decision upholding the constitutionality of a race-conscious affirmative action plan is a precedential ruling that applies nationwide.

Affirmative Action in the Employment Context

Even though the Fisher case examined affirmative action in higher education admissions programs, the decision may have ripple effects in the employment context. By upholding the use of race-conscious affirmative action plans, the Court may have limited or foreclosed some constitutional challenges to affirmative action in employment policies as well. But race-based programs will still need to meet strict scrutiny standards to pass constitutional muster. Employers seeking a diverse workforce through the use of affirmative action plans will need to articulate the compelling interest that supports their use of race as a consideration in hiring, backed up by data and other evidence that no other race-neutral means are available to achieve the employer’s goal. As such, employers seeking to implement such policies should still proceed with caution.

Copyright Holland & Hart LLP 1995-2016.

Michigan Bill Would Bar Student-Athlete Unionization

Jackson Lewis Law firm

With a National Labor Relations Board decision on whether football players at Northwestern may proceed with their unionization efforts looming, Michigan is considering a bill that would prevent student-athletes from similarly attempting to unionize.

The bill, sponsored by Rep. Al Pscholka, would prevent student-athletes at Michigan’s public universities from exercising collective bargaining rights based on their participation in a university sports team. It states, “a student participating in intercollegiate athletics on behalf of a public university in [Michigan]…is not a public employee entitled to representation or collective bargaining rights….”

Michigan has seven public universities competing at the Division I level. The bill would bar student-athletes at these universities from engaging in unionization efforts similar to the ones undertaken by the football players at Northwestern.

None of the seven universities has faced a union organizing campaign from any of its student-athletes, prompting one opponent of the bill, Rep. Andy Shor, to describe the bill as a solution to a nonexistent problem.

“I don’t understand the tremendous rush on this,” Shor said. “We’re taking an action that addresses something that’s happening in Evanston, Illinois.”

However, if the Board finds in favor of the football players at Northwestern, universities across the country likely will face similar unionization efforts from other student-athletes. Michigan's bill may be an attempt to get out in front of such efforts.

According to Ramogi Huma, the president of the organization spearheading the unionization campaign at Northwestern, the College Athletes Players Association, Michigan’s bill is “backhanded confirmation that student-athletes are state employees by including them in a list of workers who can’t bargain effectively.” However, the bill does not categorize student-athletes as employees and, indeed, it states that “individuals whose position does not have sufficient indicia of an employer-employee relationship” are also prevented under the bill from engaging in collective bargaining.

Huma also warned that if the bill passes, it would have a negative impact on the ability of Michigan’s public universities to recruit student-athletes because prospective student-athletes interested in being part of a union could elect instead to go to either private universities in Michigan or universities in states with no restrictions on their unionization efforts.

Thus far, none of the seven Division I public universities in Michigan have commented publicly on the bill. However, the bill likely is being closely followed by them as well as public universities in other states and major athletic conferences, such as the Big Ten, home to Northwestern, Michigan, Michigan State, and Ohio State.
