Data breach here, data breach there, data breach everywhere? Every day we are learning about the importance of and risks associated with cybersecurity. Those risks are not limited to big corporations or even the private sector. Schools, of all levels, are increasingly faced with cybersecurity-related questions and potential for liability, and they are beginning to seek coverage for those risks. But educational institutions as policyholders have issues in addition to those affecting large, company-wide databases that are usually considered when procuring cyberinsurance policies. Educational institutions as policyholders must ensure that any coverage they procure covers these risks.
In many ways, schools are uniquely vulnerable to the risks associated with unsecure technology. Not only do students love to interact with education apps and computer programs, but teachers are often given considerable autonomy when deciding what their classroom and lessons will look like. There are few fields where non-supervisory employees have as much discretion over which programs they will use to store, analyze, and share their clients’ data as teachers do with their students.
Vendors of online programs realize this, often employing creative marketing maneuvers designed to entice teachers into trying their products, such as offering apps to teachers for free, and only charging for upgraded features or school subscriptions. While this model helps put new and innovative ways of learning into the classroom, and helps teachers adapt to the needs of their students, it also can mean that sensitive student data is being fed to a constantly revolving line-up of untested and unsecure online learning services. We are accustomed to worrying about social security numbers and credit card numbers being compromised, but education information brings the risk of exposure to a different and more personal level. Grades, disciplinary notes, learning diagnoses, phone numbers, addresses, and other identifying information are all at risk of being exposed.
Lawmakers have taken note of the potential for data breaches in the education context, and more and more states have passed laws that require certain security safeguards to be undertaken by schools and vendors offering online-based learning programs. For example, recently enacted New York Education Law §2-d prescribes both required protections that a vendor must provide against security breaches and a script for responses in the event of a security breach, including notification of the unauthorized release, reimbursement of any costs associated with notification, and a penalty of up to the greater of five thousand dollars or ten dollars per student, teacher, and principal whose information was released.
Unfortunately, although such laws could go a long way toward generally incentivizing compliance with cybersecurity best practices, they may fail to protect against a very important risk factor: the teacher. State laws often apply only to contracts between vendors and the schools (the New York law, for example, specifically applies to contracts between a vendor and an “educational agency,” which is not defined to include teachers). Data breaches from the actions of a teacher, who identifies an app, loads it onto a personal or classroom computer or device, and inputs student data, do not appear to be addressed under the new law.
This can pose serious questions for the policyholder when considering such risks and the allocation of any potential liability. Not only may some online learning services try to exploit such a loophole to get around requirements to enact more stringent cybersecurity requirements, but it is not clear what schools can do to mitigate the risk. A top-down implementation and approval process for new programs, especially if conducted in large and complicated school system hierarchies, may be too slow in a world where new and supposedly better options pop up weekly. Plus, schools are often already overburdened, and responsible for maintaining the security of other school-wide electronic data systems, from human resources to tracking of state and federal testing results.
Insurers have begun to recognize the potential risks and have begun to market policies that are aimed directly at schools. These policies take into consideration problems arising from breaches of a school’s network that cause an unauthorized release of data, an interruption in instruction, or both. Policyholders are also being encouraged to seek protection against risks associated with lost or stolen teacher laptops, which often house sensitive student information, or liability created by school personnel who post information or pictures of students to a public website without parental approval. And, of course, schools have to worry about all the typical cyber risks associated with running a company, such as protecting confidential HR records from data breach.
Schools have begun to take note and are emerging as a new breed of policyholder. Ann Arbor Public Schools recently purchased a $1 million cyberinsurance policy to protect against such risks.
All insured educational institutions should review their traditional insurance policies, including Commercial Crime Policies, Employment Related Practices Policies, Data Processing Policies, and Computer Fraud Policies to determine whether coverage may exist for data breaches. Any gaps in coverage should be identified and supplemented as necessary to ensure that schools are adequately protected from these emerging risks.
Especially since courts have not yet had a chance to provide any guidance on the new cybersecurity-specific school laws, this remains a gray area with uncertain liabilities that may or may not be covered under traditional policies. In light of such uncertainties, policyholders would be well advised to do their homework and verify that the insurance matches the need.