Sponsored Content: Spirion

Going Above and Beyond with Data Privacy


Prioritizing the data privacy of students, faculty, administrators, parents, alumni, and donors may be difficult in today's economic climate, but it is the right thing to do.

It seems fitting that almost fifty-eight years ago to the day, President John F. Kennedy gave his historic Moon Shot speech on the fifty-yard line at Rice Stadium, making the following proclamation:

We meet at a college noted for knowledge, in a city noted for progress, in a State noted for strength, and we stand in need of all three, for we meet in an hour of change and challenge, in a decade of hope and fear, in an age of both knowledge and ignorance. The greater our knowledge increases, the greater our ignorance unfolds.[1]

As humanity continues to push the digital frontiers of its existence—aided by the change and challenges of new technologies such as artificial intelligence, robotics, IoT, and quantum computing—Kennedy's message, delivered September 12, 1962, is as valid today as it was then. This year, the digital universe is expected to reach 44 trillion gigabytes,[2] an astonishing footprint comprising "nearly as many digital bits as there are stars in the universe."[3]

In our rapidly expanding digital universe, the data privacy of students, faculty, administrators, parents, alumni, donors, and people everywhere is under increasing assault. Cyber breaches now occur every thirty-nine seconds,[4] no doubt fueled by the unprecedented global pandemic and the resulting overnight shift to online learning and working from home, both of which further expand the potential attack surface.

Just as they were back then, today's stakes are equally high: the fundamental human right to data privacy. In the words of JFK, "We set sail on this new sea because there is new knowledge to be gained, and new rights to be won, and they must be won and used for the progress of all people." The battle for data privacy rights is worth winning.

If information is the lifeblood of modern society, then personal data is the digital embodiment of the human self. With this core belief comes the responsibility to protect every individual's right to data privacy and security—even above and beyond the baseline requirements of privacy laws and regulations.

The Dichotomous Data Requirements of Higher Education

Higher education's collaborative nature necessitates wide open and accessible networks for teaching, learning, research, and information sharing. Certainly, the broad adoption of massive open online courses (MOOCs), which rely on data collection, further amplifies the need. Today's academic institutions must carefully balance seemingly opposing requirements for data access and privacy to allow academic freedom to flourish while ensuring the protection of personal data and intellectual property.

On one side of the campus, faculty members are educating students, which often means encouraging them to visit websites that corporate America would undoubtedly block. The other side of campus houses business operations, administration, and massive amounts of student data—from financial aid applications to student success initiatives—which are governed by the full gamut of banking, health care, and student privacy laws and regulations. Such openness and rich data serve to fuel education innovation, shape curricula, enhance the overall student experience, and improve graduation rates, but they also provide easy entries for hackers.

To allow data to drive growth in a boundless digital frontier, higher education institutions must maintain an open flow of information that is protected from misuse—intentional or unintentional. With so much data at risk—from students' personal information, protected health information (PHI), and credit card numbers to faculty research—institutions must take a proactive stand and implement measures to prevent attacks.

Privacy Takes Center Stage

When higher education institutions collect sensitive personal information, they possess the most invaluable assets of their student body, faculty, and administration. A breached student record offers a comprehensive view of a student's life, including personal demographic data, academic records, financial information, and medical data. Worse still, the data is retained for years after the student parts ways with their institution.

Because of the massive amounts of data they maintain, educational institutions rank fourth in the number of data breaches, behind only finance, health care, and public administration. According to the Identity Theft Resource Center, more than 2.2 million sensitive records were exposed in over one hundred education-related breaches in 2019 alone.[5]

The rise in higher education cyber breaches has led lawmakers to further regulate how large institutions collect and secure student data. From GDPR, CCPA, and HIPAA to PCI, FERPA, and GLBA, higher education institutions are accountable for complying with the full alphabet soup of data security and privacy regulations, across jurisdictions, when collecting, storing, using, and safeguarding personal data.

With privacy breaches and pending privacy legislation capturing daily headlines, it should come as no surprise that privacy rose to the number two position for the first time in the EDUCAUSE 2020 Top 10 IT Issues report.[6]

An Existential Philosophy of Privacy

Recent landmark legislation, such as the EU's General Data Protection Regulation (GDPR) enacted two years ago and the California Consumer Privacy Act (CCPA), which took effect earlier this year, has prompted many CISOs at colleges and universities to reflect on the meaning behind data privacy. They see the sweeping legislation not as a burden but as an opportunity to look at their privacy programs in total and to conscientiously consider how they interact with their data using GDPR and CCPA as good and healthy guides.

CISO Bob Eckman, who is responsible for implementing the controls that maintain the safety of 400,000 active identities at Kent State University, agrees. "What these laws have forced us to do is to take a more critical look at our programs, not from a purely institutional perspective of data and intellectual property protection, which are important to us, but to look at data privacy from the individual's perspective and what it means to them as a person. At the end of the day, it's all about maintaining the trust of our constituents."

For Eckman, privacy and protection are two sides of the same coin. He believes you cannot have privacy without protection, and protection really cannot exist without privacy. "In my mind, data privacy in and of itself should mean security; it should mean compliance; it should mean protection defense in depth; it should encompass all those things."

For Kent State, Baseline Security Is Not Enough

To achieve this holistic view of data privacy, Eckman and his team implemented not just the baseline security requirements of GDPR, GLBA, FERPA, and other regulations but also a multilayered defense in depth (DiD) model. He explains: "It is based on an understanding of the risk that the data has, not just for our organization, but the risk that the data poses to the rights of the individual and what it means to both them and to us."

Kent State implemented Spirion, along with other appropriate security controls, to meet the requirements that ensure the confidentiality, integrity, and availability of its data. Eckman says, "When we interact with our data, we need to understand where that data resides, why it resides there, and who has access to it."

Time and again, baseline security has proven insufficient to stop data breaches. Many organizations have implemented millions of dollars' worth of security improvements, yet they still fail. Why is that? Eckman believes it is because they do not have control of their data: they don't know where their data lives or how it got there.

"It's 100 percent about authorized versus unauthorized access," Eckman affirms. "I can provide any level of protection I want to. But if I allow for an unauthorized person to gain access to the data, I violate multiple regulations, which, quite frankly, is avoidable. A simple risk assessment that takes into account a context-based approach to data can go a long way in helping institutions understand who has their data, who is moving it, where is it going, and how it got there."

California State Goes Above and Beyond, Not Because It's Easy

Ed Hudson, chief information security officer at California State University (CSU), could not agree more. "You cannot protect data if you don't know where it is." The Cal State system is the largest four-year public university in the country, with almost half a million students, twenty-three campuses, and nearly fifty thousand employees.

Several years ago, the CSU system confronted its cumbersome, manual information auditing process. While the team was asking staff, faculty, and students the right questions—what kind of data do you have, what do you use it for, and how do you protect it—they needed a more efficient and accurate method of identifying and protecting server and endpoint data.

The CSU system began using Spirion to automate personal data discovery, classification, and protection across all twenty-three campuses, which has helped it mature its data privacy protection model. Spirion also equips the CSU system to respond quickly to auditors with accurate data inventory and movement reports that span all twenty-three campuses and all environments.

Instituting the data protection program was a massive endeavor, but Hudson and the CSU team are committed to preventing misuse and reducing the risk associated with personal data. "You can't avoid an important project just because it is difficult," says Hudson. "We have a responsibility to our students, staff, and faculty who trust us to secure their data. I don't want to find myself on a witness stand saying, 'Oh, I didn't implement the most optimal security procedures because it was hard.'"

Protect What Matters the Most

Eckman and Hudson's tenacious commitment to protecting the privacy of their constituents is similar to JFK's galvanizing challenge that spurred American astronauts to walk on the moon:

We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win.

In today's sprawling big-data landscape, academic institutions at the forefront of effective data protection prioritize their limited resources to find and protect what matters most—personal and sensitive data. It may not be easy. But it is the right thing to do. Will you accept the challenge?

Schedule time to speak with a data privacy architect on developing a privacy plan for your educational institution.

Notes

  1. John F. Kennedy, "Moon Speech," speech, Rice Stadium, Houston, TX, September 12, 1962.
  2. Vernon Turner, The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, research report (Hopkinton, MA: Dell EMC, April 2014), https://www.emc.com/leadership/digital-universe/2014iview/index.htm.
  3. Ibid.
  4. Michael Cukier, "Study: Hackers Attack Every 39 Seconds, 2020," University of Maryland A. James Clark School of Engineering (website), February 9, 2007.
  5. "10,000 Breaches Later: Top Five Education Data Breaches," Identity Theft Resource Center, 2019.
  6. Susan Grajek and the 2019–2020 EDUCAUSE IT Issues Panel, "2020 Top 10 IT Issues," EDUCAUSE Review Special Report, January 27, 2020.

© 2020 Spirion