Dealing with a patchwork of state data breach notification laws can be challenging. Dealing with state laws, federal regulations, and the GDPR can be even more difficult. But that may be the situation for Savannah College of Art and Design (SCAD), a private school in Georgia that enrolls students from other states and has a location in France.
According to Avos Locker, SCAD was attacked approximately two weeks ago, and a large amount of data was exfiltrated. Unlike some ransomware attacks, the college’s network was not encrypted; only data was exfiltrated.
In this case, Avos provided a sample of the exfiltrated data with a list of more than 69,000 files. The files appear to consist of routine college business such as personnel-related files and student files with personal information. Many of the filenames contained descriptions that included people’s names and clues as to the content of the files (e.g., passports, payroll-related information, bank statements, personal statements, recommendation letters, etc.)
One of the student files included as part of the sample was a spreadsheet with more than 60,000 records for former and current students. The fields include the student’s ID, first and last name, student number, Social Security Number, class year, local phone number, postal address, email address, father’s name, and date of birth. The Social Security numbers appeared to be more likely for those students in class years 2009 – 2015; the SSN field was generally empty for students who enrolled more recently.
Several other student-related files in the sample concern behavioral and disciplinary issues. One of the tables contained more than 15,000 records going back to 2005. Many of those records were the kind of minor infractions to be expected among college students. Still, it is unfortunate that names were attached to incidents in some cases, and in other cases, one could figure out the student involved because other tables contain their name paired with their student ID and student number.
Avos did not reveal the amount of its ransom demand to destroy the stolen data. According to a statement they made to DataBreaches, SCAD did negotiate a bit but seemed to be more trying to buy time.
No reply was received from SCAD to an inquiry about their response to the incident.
Notification Issues
Although it is a private college, SCAD’s site indicates that its students have rights under FERPA. FERPA does not require schools to send individual notification letters or breach notifications. FERPA does require a school to make a notation in a student’s record about the release of student information if that information was not “directory information” that would be publicly available.
Student personal information aside, there may also be the issue of student financial aid. If those records were acquired, that might implicate the federal Gramm Leach Bliley Act, which imposes security and breach notification requirements. DataBreaches could not determine whether that law might apply from the file list in this case.
But in addition to any FERPA and possible GLBA requirements, there is also Georgia state law and the GDPR. DataBreaches will not speculate about whether Georgia’s data breach notification law exempts SCAD or if SCAD has notification obligations to students, faculty, and staff under Georgia law. As to the GDPR, if DataBreaches understands that law correctly, any students attending school in the EU (such as at SCAD’s location in France) are covered by the GDPR. However, EU persons who attend school in the U.S. are not covered by the GDPR.
This report may be updated if more information becomes available.
Sept. 8 Update: The school has issued a statement about the breach, according to their local news media.