Educational institutions are hacked on a regular basis, and the problem shows no signs of getting better anytime soon. Both K-12 schools and colleges and universities, are victims. “Why?” you might ask. “Aren’t cyber criminals after credit card numbers and bank accounts?” Well, yes. But there is a lot of other highly valuable information in schools’ networks that the bad guys want too, like Social Security numbers and birth dates that are connected to names – data that is valuable on the black markets where hackers buy and sell.
Plus, virtually all independent K-12 schools, colleges, and universities charge tuition, leading to the storage of potentially sensitive credit card and banking data on school networks.
User error and rogue employees also contribute to the digital security problems faced by educational institutions, so data is sometimes exposed for non-monetary reasons too.
Exacerbating the cyber vulnerabilities of schools and colleges is their practice of extensively outsourcing vendors for network functionality, which has caused an inordinately high 30% of all reported breaches to educational institutions.
Because schools account for 20% of all non-governmental breaches since 2005, it is no wonder that insurance carriers consider schools a high hazard from a cyber-standpoint.
Here are a few examples of recent education data breaches:
Networks at the University of Maryland were hacked in January 2014, resulting in the records of 310,000 current and former students being exposed. The university has set aside more than $6 million to pay for victims to receive credit monitoring services.
Park Hill School District in Kansas City, Missouri, reported a breach in July 2014 when a former employee accessed sensitive student and employee data, downloaded it, and then transferred it to a home computer. The data was then inadvertently published on the Internet. Over 10,000 people were affected; breached records included Social Security numbers and employee evaluations.
In June 2014, over 35,000 students at numerous campuses of the Riverside Community College District in California had their sensitive information exposed, including Social Security numbers and academic records, when an employee mistakenly emailed records via a non-secure system to an incorrect email address.
Doing an Internet search for “university data breach” or “school district data breach” will show numerous other cases.
In the past, many educational institutions have opted to forgo cyber insurance due to budget constraints. However, that trend is changing as data security threats become more commonplace.
Exposures to loss are many and varied, ranging from loss of paper files and stolen laptops to unauthorized access into networks and databases. Expenses incurred in the event of a breach include state-required victim notification, computer forensic investigation, and public relation costs, in addition to various fines and penalties.
Cyber coverage for educational institutions is a challenge. However, with the proper risk management advice and the ability to accurately portray the specifics of the account to the underwriter, favorable terms and pricing are currently available.
INSUREtrust has been specializing in cyber-related insurance since 1997, and we navigate agents and their clients through the intricacies of this coverage every day.
Over the past ten years, INSUREtrust has written more than $100 million in premiums and paid more than $30 million in claims. Insurers are looking for business, and we can find competitive pricing and terms for almost any risk.