A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.
On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.
The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022. After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022. The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.
The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information. While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected. No information was provided about affected out-of-state residents.
Unfortunately, Suffolk’s data breach is not an outlier. Colleges and universities present a wealth of opportunities for cyber criminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data. Given how stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will continue to remain prime targets for cybercriminals.
Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks. In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.
In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII. In particular, Plaintiff alleges that Suffolk's failure to protect student PII is an unfair practice prohibited by Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801. Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws ch. 214, § 1B, as well as its common law duties.
To mitigate cyber risk, colleges and universities must not only follow applicable government requirements but also consider adopting industry best practices to protect student PII.
In particular, the FTC's Safeguards Rule implementing GLBA requires a covered organization to designate a qualified individual to oversee its information security program and to conduct written risk assessments that continually evaluate internal and external risks to the security, confidentiality and integrity of personal information. After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address them. See 16 CFR § 314.4.
Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program. Massachusetts was an early leader among U.S. states when, in 2007, it enacted Mass. Gen. Laws ch. 93H § 2, under which the "Regulations to safeguard personal information of commonwealth residents" were issued (together, the Data Security Law). The Data Security Law, still among the most prescriptive general data security state laws, sets forth a list of minimum requirements for a written information security program (WISP) that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:
Designation of one or more employees responsible for the WISP.
Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
Employee security policies relating to protection of organizational Information outside of business premises.
Disciplinary measures for violations of the WISP and related policies.
Access control measures that prevent terminated employees from accessing organizational Information.
Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Law and other applicable laws, and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
Review of the WISP at least annually, or more often if business practices that relate to the protection of organizational Information materially change.
Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.
An organization that decides not to implement any of these controls should consider documenting the reasoning behind that decision as a defensive measure. By implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.
About the Authors
Ericka Johnson is an associate in the Government Investigations & White Collar Practice. She represents companies and executives in, among other things, Foreign Corrupt Practices Act (FCPA) internal investigations, enforcement actions, defense matters and compliance before the US Department of Justice and similar authorities. She assists multinational companies in developing and implementing effective anticorruption compliance policies and strategies for domestic and international operations. As part of her compliance practice, Ericka also advises companies on cybersecurity risks,…
Julia B. Jacobson is a Partner in Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets Practice. For over 20 years, a world-class roster of national and multinational clients has turned to Julia for practical and tactical advice and counsel on privacy and cybersecurity compliance strategies, data breach response, technology transactions and marketing initiatives.
A significant portion of Julia’s practice is devoted to advising clients on an array of privacy, cybersecurity, data breach and data governance matters. She assists…