Colleges and universities, like many other businesses and organizations, defend against millions of cyberattacks each day. Most recently, Penn State’s College of Engineering discovered a multiyear cyberattack seeking usernames and passwords of students, faculty, and staff. The University hired consultant Mandiant to investigate the breach. Mandiant discovered two separate attackers and determined that at least one was from China.

Hackers often target colleges and universities because they are rich sources of information. First, large universities have personal information files on thousands of individuals – students, faculty, and staff members. Additionally, the university likely has personal financial data for tuition payments and ticket sales. Most significantly, however, universities have valuable intellectual property and technology research files, the result of work by professors, graduate students and their sponsoring company collaborators. Much of the research is not yet protected by patent filings and so is very vulnerable to theft.

Because of the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), a federal law that protects the privacy of students’ personal information, higher educational institutions have policies and practices in place to educate and safeguard against the transfer of student data. However, these efforts have not generally focused on defending against a cyberattack. Additionally, these organizations have a large number of users with password-protected access to some or all of their IT systems, and thus hackers have many opportunities to exploit vulnerabilities in the system to gain access.

Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.