Just in Time Research: Data Breaches in Higher Education
This “Just in Time” research is in response to recent discussions on the EDUCAUSE Higher Education Information Security Council (HEISC) discussion list about data breaches in higher education. Using data from the Privacy Rights Clearinghouse, this research analyzes data breaches attributed to higher education. The results from this review will be used to inform EDUCAUSE research, programs, products, and services.
Hardly a day goes by without a media report about a data breach that exposes the personally identifiable information (PII) of individuals. While much of the news regarding data breaches focuses on the harm to affected individuals, data breaches also harm the organization experiencing the breach. Potential direct financial costs of a data breach include legal representation, fines (depending on the nature of the breach), and the expense of notifying affected individuals. Organizations also face losses in reputation and consumer confidence. Particularly important for higher education institutions are reputational consequences, which could result in a loss of alumni donations and even a reduction in the number of students choosing to apply to or attend the institution.
Access the full report here (pdf, 7 pp.).
The research is based on the Privacy Rights Clearinghouse chronology, which relies heavily on the Open Security Foundation DataLossDB project, DataBreaches.net, and PHIprivacy.net – all three of which I am involved in. In addition, they use HHS’s public breach tool and NAID.