
Apr 22 2025
Security

Debunking Myths About Data Breach Disclosures in Higher Ed

How much information is too much to disclose when your institution’s data is compromised?

Sooner or later, every university will experience a breach of its student data, which includes all sorts of personally identifiable information. Data breaches involve not only digital information but also paper records, recordings of human speech and other forms of communication. And while we tend to think of data breaches as being intentional, with attackers plotting to steal information, many data breaches are accidental, such as a university employee accidentally emailing a sensitive document to the wrong people.

Every university must be prepared to quickly detect and handle its data breaches, and that includes disclosing breaches of sensitive student data to the appropriate parties in a timely manner. Here are some facts and fallacies about disclosing data breaches at universities.


Fallacy: FERPA Mandates Data Breach Notifications

All universities in the U.S. must comply with the Family Educational Rights and Privacy Act and its requirements to safeguard student privacy. Those requirements don’t actually include data breach notifications; FERPA only requires universities to document exposure of each student record so that students reviewing their own records will see that documentation.

What’s more, FERPA only applies to students’ educational records. FERPA doesn’t address student privacy concerns or data breaches involving student medical records, employment records or other student-related data.

Fact: It’s Important to Plan Ahead for Data Breach Disclosure

Data breach laws are evolving rapidly. The applicable laws for a particular data breach may vary based on the type of data breached; the number of students whose data was breached; the location of the university; and the cities, states or countries where the affected students reside or hold citizenship. Many of the applicable laws may require that affected students be notified of a data breach promptly, perhaps within a matter of days.


Each university should work closely with its legal counsel to develop a data breach response plan that outlines clear requirements and guidelines, including:

  • What constitutes a breach of student educational records
  • How soon data breaches need to be disclosed after they occur or are discovered
  • Who needs to be notified of a data breach and what method of notification should be used
  • What the time frame is for the disclosures (usually a maximum time to issue notifications)

Regardless of the details of laws from various jurisdictions, it’s always a recommended practice to disclose data breaches to affected students. The U.S. Department of Education has a data breach response checklist for educational institutions.

Fallacy: Always Notify Law Enforcement of Data Breaches

In most cases, applicable data breach laws don’t require that law enforcement be notified about a breach. Remember that many breaches are accidental and do not involve any criminal activity. For example, a university employee accidentally emailing some students’ sensitive personal information to a group of colleagues might technically constitute a data breach, but no crime has been committed, so there is no role for law enforcement.

Even when it appears that the data breach is criminal in nature, the university’s legal counsel and leadership should work together to decide if law enforcement will be contacted about the breach, then perform any such notifications. Others within the university should not decide on their own to involve law enforcement.

Fact: Having Procedures for Data Breach Notifications Is Invaluable

As soon as your university’s incident response team has confirmed that a data breach has occurred, the data breach response plan should be activated. That means performing the procedures developed in advance for supporting the plan. There’s no time once a breach occurs to develop a response from scratch and perform notifications. Affected students need to be notified as quickly as possible, potentially within a few days, depending on the jurisdictions involved. At the same time or shortly after students are notified, the university community and the public should also be notified that a breach has occurred and that all affected students have been contacted.


Every university should have data breach notification procedures that specify how the response plan’s roles and responsibilities will be executed. Procedure development should include representatives of all roles, from university leadership and legal counsel to incident response team members and media and public relations personnel.

Fallacy: Data Breach Notifications Should Include All Available Details

A university’s data breach notification procedures should make it clear what information should and should not be shared through the notifications. Generally, notifications should focus on explaining what student information may have been compromised, what actions students may want to take to protect themselves and what resources the university is providing to aid students. Discussing how the data breach occurred, especially if it involves exploitation of vulnerabilities that are still being remediated, should typically be omitted from initial notifications to avoid additional data breaches leveraging the same vulnerabilities.

As incident response activities continue and more information comes to light about the nature of the data breach, additional rounds of notifications may be appropriate to give affected students more information about the potential impact of the data breach on them, as well as to indicate at a high level how the data breach occurred and what steps the university is taking to prevent similar incidents from occurring again.
