Printed from BusinessInsurance.com

Universities trying to safeguard sensitive student, parent data

Posted On: Oct. 14, 2015 12:00 AM CST

MINNEAPOLIS — Universities have been requiring and retaining students' and parents' sensitive financial and medical information for decades and are taking steps to safeguard it from hackers.

“Institutions have a lot of data, and they have been collecting it in some cases for 100 years. We have 1 million Social Security numbers, and we are trying to purge our system. It includes parent data for student loans, and it's also from past students as well as current students,” Brian Kelly, Hamden, Connecticut-based chief information security officer at Quinnipiac University, said Tuesday during the University Risk Management & Insurance Inc.'s conference in Minneapolis.

While many cyber attacks have focused on PCs, he said such attacks also are targeting the Apple Inc. operating system.

“At our college and many other universities, we are seeing a big shift of traffic onto Macs, which many think are immune to viruses, but botnets and specific software, malware, is out there that is written just to attack Apple computers. iPads and iPhones are also no longer considered safe when compared to other computers,” Mr. Kelly said.

Jason Glasgow, Hartford, Connecticut-based cyber risk product manager at The Travelers Cos. Inc., advised university risk managers to review their institution's third-party data agreements and to determine who would be held accountable in a cyber attack.

“Make sure you look at your vendors and cloud provider contracts, because somewhere it will say that they are not responsible for the breach or loss of your data. You are defined as the owner of the data, which is how the law will look at it,” Mr. Glasgow said.

Buying cyber insurance can cover the cost of a data breach, but going through the insurance requirements beforehand is a good way to prevent or reduce attacks, he said.

“Looking at your answers to the questions asked by the underwriter is a great risk management exercise. Questions like: Do you train your employees and students when to use computers and to understand the risk? What kind of information are you storing about your customers? How sensitive is the information? What would happen if your website were inoperable for a period of time, would third parties suffer from an economic loss?”