Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022. After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022. The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and protected health information. While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected. No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier. Colleges and universities present a wealth of opportunities for cybercriminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data. Given how readily stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks. In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII. In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45, and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.A. § 6801. Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government guidelines but also consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and to conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information. After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks. See 16 CFR § 314.4.

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in their cybersecurity programs. Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law). The Data Security Law – still among the most prescriptive general data security state laws – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the written information security program (WISP).
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review of the WISP at least annually, or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization that chooses not to implement any one of these controls should consider documenting the decision-making process as a defensive measure. By implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

Name, Image and Likeness: What Higher Education Institutions Need to Know for Legal Compliance

More than a year has passed since the NCAA v. Alston ruling and the roll-out of the NCAA Name, Image and Likeness Interim Policy. What processes should institutions have in place, and what situations should they be on the lookout for at this point in the NIL game? While institutions cannot provide compensation to student-athletes or potential student-athletes in exchange for use of a student’s NIL, below are items counsel at institutions of higher education should have on their radar.

Review and Approval of NIL Agreements

The NCAA Interim Policy does not require student-athletes to disclose NIL agreements and/or opportunities to their institutions. In the State of Michigan, however, pursuant to House Bill 5217, beginning December 31, 2022, student-athletes must disclose proposed NIL opportunities or agreements to the institution at least seven days prior to committing to the opportunity or contract. For the institution, this means there needs to be a process in place by which student-athletes submit opportunities or agreements to the institution and the institution does a timely and thorough review of the submission. The institutional representative reviewing the submissions must be knowledgeable of the institution’s active contractual obligations and only sign off on the student-athlete’s potential NIL opportunity or contract once confident there is no conflict with an existing institutional contract. This is most likely to come up in agreements with exclusivity terms, such as sports apparel and campus-wide pouring rights agreements. If there is a conflict, the institution needs to articulate the specific conflict to the student-athlete so they can negotiate a revision, which is then subject to additional review and potential approval by the institution.

Institutions are the Regulating Bodies

Institutions in states that require submission of NIL opportunities by student-athletes need to pay close attention when reviewing submissions because the NCAA has placed most of the NIL regulatory burden on institutions. Specifically, institutions are obligated to report potential violations of NCAA policy. Among other potential violations, institutions must report possible violations of the prohibition on pay-for-play and improper inducements of potential student-athletes and current student-athletes. Essentially, in addition to spotting potential conflicts between NIL agreements and current institutional agreements, institutions need to review NIL agreements to determine whether a student-athlete is being compensated for athletic achievement and/or for their enrollment or continued enrollment at a particular institution. Any indication that the student-athlete’s NIL agreement will be void if they no longer participate on an athletic team requires the institution to complete due diligence and determine the appropriateness of the arrangement in light of the NIL policy. Institutions are ultimately responsible for certifying the eligibility of student-athletes, and the presence of the previously mentioned terms places the agreement in direct violation of the language in the NIL Interim Policy and corresponding NCAA guidance.

Institutional Staff Members

It is in the best interest of institutions to train their staff members on appropriate interactions with boosters because the NCAA holds institutions responsible for the “impermissible recruiting activities engaged in by a representative of athletics interest (i.e., a booster).” Staff members need to understand the actions they are permitted to take and conversations they are permitted to have, as failure to do so could land them deep in the gray area of NIL.

  • An institutional staff member cannot directly or indirectly communicate with a potential student-athlete on behalf of a booster or NIL entity.
  • An institutional staff member cannot enter into agreements with an NIL entity to secure NIL deals between the entity and potential student-athletes.
  • An institutional staff member cannot “organize, facilitate or arrange” a meeting or any conversations between an NIL entity and a potential student-athlete, which includes transfer students coming from other institutions.

Financial Aid

Institutions should ensure they are not influencing how a student-athlete uses their compensation. Specifically, institutions should not direct student-athletes to use their NIL compensation for financial aid. Student-athletes’ financial aid is not impacted by compensation they would receive from NIL agreements. Financial aid limitations exclude compensation, and that exclusion extends to NIL compensation. However, if a student receives NIL compensation, this may impact need-based financial aid.

FERPA

Many public institutions have made the argument that FERPA precludes them from disclosing NIL agreements without a release executed by the student-athlete. If a copy of an NIL agreement or summary of an NIL opportunity is provided to the institution by the student-athlete, this becomes a record of the university per the definition of FERPA and is likely part of the student-athlete’s educational record. There may be a particular circumstance in which a FERPA exception would apply to a request, but there is no broad FERPA exception that would apply in this situation. Institutions might find it strategic to include their stance on FERPA in an NIL policy to ensure all requests for NIL agreements are handled consistently.

International Students

International students can receive NIL compensation but with some caveats. In its documentation, the NCAA directs international student-athletes to their institution’s Designated School Official for “guidance related to maintaining their immigration status and tax implications.” As a result, institutions should make sure the individual(s) is/are well equipped to provide answers regarding NIL from international students.

Five Steps to Become a Well-Organized and Compliant Institution

  1. Have an NIL policy and procedures that are followed consistently and made available to student-athletes for reference and consultation;
  2. Have a process in place to review NIL agreements between the institution’s student-athletes and outside entities or individuals (if located in a state that requires student-athletes to make such disclosures);
  3. Have trained its staff (especially athletics staff) on what actions can and cannot be taken in relation to student-athletes’ NIL opportunities;
  4. Have trained its student-athletes on available resources; and
  5. Have a team of institutional staff members ready to pivot if additional laws are enacted by their state, if additional guidance is provided by the NCAA or if federal legislation is enacted.

© 2022 Varnum LLP

U.S. Government Pursues More Aggressive Action to Curb Espionage at Universities

The U.S. Government Accountability Office (GAO) thinks the FBI and other agencies are not doing enough to address the espionage threat on U.S. university campuses. It issued a report, “Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities,” on June 14, 2022, urging the FBI, the Department of Homeland Security, and the Department of Commerce to step up their outreach efforts to address the threat. Commerce, DHS, and FBI have all concurred with GAO’s recommendations. As a result, U.S. colleges and universities face yet another organizational risk: an increase in campus visits by export control and law enforcement agents.

The threat: U.S. export control laws consider the disclosure to non-U.S. persons of technology, software, or technical data to be exports, even if the disclosure occurs in the United States.

The overwhelming majority of non-U.S. persons studying and working at U.S. universities are not security risks and are valued members of their academic organizations. But U.S. intelligence agencies have long warned that foreign state actors actively acquire sensitive national security data and proprietary technology from U.S. universities.

A lot of the technology flow abroad from U.S. universities is perfectly legal, for two reasons: First, most university research, even in cutting-edge technology, is exempt from export controls under an exemption known as “fundamental research.” Second, even in cases where the fundamental research exemption does not apply, it takes time for the U.S. government agencies to add new items to the export control lists they enforce; namely the U.S. Munitions List, administered by the U.S. Department of State, Directorate of Defense Trade Controls; and the Commerce Control List, administered by the U.S. Department of Commerce, Bureau of Industry and Security.

But at the same time, either through inadvertence or outright espionage, unlawful transfers of technology to foreign nationals take place. A 2006 report by the U.S. Office of the National Counterintelligence Executive found that a significant quantity of export controlled U.S. technology is released to foreign nationals in the United States unlawfully each year.

Clash of values: One important issue for higher education in addressing trade controls compliance is cultural in nature. U.S. universities value open, collaborative environments which drive and accelerate innovation. For those institutions, the idea of cutting off information flows conflicts with those cultural norms. By contrast, U.S. export controls aim to protect U.S. national security by hindering the flow of sensitive information to potential adversaries.

GAO’s recommendations: The GAO report recommends that U.S. trade control agencies take more aggressive steps to curb foreign access to sensitive technologies at U.S. universities. The recommendations include steps to enhance risk assessment and ranking of universities by risk, and steps to increase agency cooperation in planning and conducting outreach visits to universities. As a direct result of this report, U.S. universities are going to receive more visits from U.S. government agents.

Practical takeaways:

  • Universities: Consider reevaluating your risk. The threat has evolved, and the U.S. government response is also evolving. A risk evaluation using modern tools such as a premortem can help you know where to dedicate resources to update your export control policies, procedures, and training. Any unlawful escape of technology or technical data is much more likely to be detected and punished under the new regime, in part based on the GAO report. Organizations have to evolve with the threat.
  • Students, faculty, and administrators: Consider how to jealously guard your academic freedom, but be wary of the national security risks of sensitive technology falling into the wrong hands.
  • Research sponsors: More and more U.S. university research is sponsored by U.S. companies and government agencies. Research sponsorship agreements play a major role in striving for both national security and academic goals of the U.S. university system. Sponsors need to be sensitive to how these agreements are drafted. Sponsors must be aware of the espionage threat to their technology. But imposing too many restrictions in the contract may undermine the applicability of the fundamental research exemption and hinder the success of the project.

Conclusion: In the face of organizational threats, institutions do best when they heed their values. In the realm of protecting sensitive technology, we must constantly evolve with the threat. But we must also continue to carefully balance national security considerations with our bedrock values of academic freedom and openness.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Back to School: Preparing for Campus Unrest

In the wake of the deadly Charlottesville protests, institutions of higher education are under heightened pressure to prepare their campuses for disruption and unrest.  Many colleges and universities have open campuses, enjoy historic visibility in their communities, and place a high value on free speech, expression, and the exchange of ideas, exposing them to unique challenges in planning for protests and civil disobedience.  As this academic year begins, it is critical that campus administrators equip themselves and their communities to manage and, when appropriate, to take affirmative steps to prevent campus unrest, whether initiated by student groups or third parties.

The proactive development of sound and well-thought-out policies that balance the value of speech with the institution’s compelling interests in safety and preventing the disruption of campus operations is the foundation for successful management of these situations. Now more than ever, it is important, even for institutions that have not experienced significant campus unrest in the past, to develop a model response to campus unrest and determine whether institutional policies permit and support this model.

Institutions should review their policies to determine (1) what procedures are in place for managing and monitoring student protests and demonstrations; and (2) how much authority they have to limit or condition access to their campus by third parties.  Thoughtfully drafted campus facilities use, protest, and demonstration policies can effectively set expectations and establish procedures for regulating picketing, protesting, and demonstrating on campus by students and third parties.  But they are not the only policies that demand attention, review, and coordination.  Other policies that may dictate how and to what extent an institution can control or limit civil disobedience on campus may include:

  • Campus trespass policies;

  • Policies that describe the purpose and use of campus;

  • Facilities use and event policies;

  • Academic freedom and other speech or expression policies;

  • Tabling, bulletin board, leafletting, or chalking policies;

  • Emergency response and other communications policies;

  • Student organization policies;

  • Policies that describe or limit the carrying and use of weapons on campus; and

  • Student codes of conduct.

In reviewing their policies, administrators should consider how they limit access to campus, including the rhetoric used to describe the institution’s values, which groups and individuals can reserve and use delineated spaces, and whether campus streets are publicly accessible or can be limited with regard to pedestrian and automobile traffic.  Institutions should ensure that their facilities use policies contain clear and publicized registration procedures requiring sufficient notice of all pertinent details of a proposed event.  Policies must also permit action to move or shut down an event in the event of an emergency, violation of policy, or disruptive conduct, and to undertake disciplinary and law enforcement action where appropriate.

Any number and configuration of campus constituencies can be affected by regulations on campus speech.  Administrators should be mindful of who their institutional policies are intended to target—students or third parties—and draft their policies to clearly cover only the intended targets.  Administrators should also be aware of unintentional targets, considering, for example, how the policies will apply when a student group brings a third party to campus or when the protesters are alumni.

Institutions should be wary of a one-size-fits-all approach.  While it can be instructive to review other schools’ policies, what works for a large, public institution will almost certainly not work for a small, private institution.  In particular, while public institutions must remain keenly aware of the First Amendment implications of limiting speech on campus, private institutions must be careful that their policies do not inadvertently grant students and third parties “rights” that they are not otherwise due and may be difficult for the institution to support.

Now is the time—even if your academic year has already begun—to examine, revise and coordinate implementation of pertinent policies so that administrators may smoothly, safely, and consistently address campus access, facilities use, and potential unrest as it may develop.

This post was written by Beth Tyner Jones, Liz LeVan Riley and Rebecca C. Fleishman of Womble Carlyle Sandridge & Rice, PLLC.