A Bunch of Colleges Were Just Breached, But Now What?



Last week threat intelligence company Recorded Future revealed that a Russian hacker had breached the databases of more than 60 universities and agencies, including nearby University of Tennessee, in an attempt to sell his methods of unauthorized access to these databases on the dark web. While details remain scant on the severity of the breaches, people are naturally left wondering what kind of confidential information may have been exposed. In the unfortunate event that personally identifiable information (“PII”) of university students was in fact stolen, what kind of liability do schools have and what are the rights of students under federal or state law? The answer may surprise you.

Family Educational Rights and Privacy Act

The most logical starting point in any discussion on data security for schools is the Family Educational Rights and Privacy Act (or “FERPA”). Enacted in 1974, the government intended for this federal law to protect the privacy of student educational records and the PII those records […]


New IBM Cyber Security Report: Healthcare and Financial Institutions Among the Most Attacked



A recent report published by IBM’s Security Services offers valuable insight into the current landscape of cybersecurity risk. Through the aggregation of client data from 2015, the report provides topical information on subjects ranging from the most frequently attacked industries to the commonality found between types of attackers and their attacks. As the report makes abundantly clear, no business, especially those in the healthcare and financial sectors, remains exempt from cybersecurity threats. According to the report, the five most attacked industries in 2015 were as follows:

1. Healthcare
2. Manufacturing
3. Financial Services
4. Government
5. Transportation

HEALTHCARE

Healthcare’s occupation of the top spot should come as no surprise. 2015 was so replete with healthcare data breaches that many, IBM included, described it as “the year of the healthcare breach.” Subsumed within the United States Health and Human Services (HHS), the Office of Civil Rights (OCR) enforces the Healthcare Insurance Portability and Accountability Act (otherwise known as HIPAA). As part of its enforcement duties, the OCR provides online notification for every breach of unsecured protected health information […]


Tennessee Amends Its Cybersecurity Law



Tennessee, one of the forty-seven states with cybersecurity breach notification laws, has just amended its previously existing law. Since California in 2002, states have undertaken the act of imposing security breach notification obligations on entities that own and possess personal information. With the enactment of a more encompassing and definitive breach notification protocol, Tennessee has taken a small step forward in prioritizing data security.

THE CURRENT LAW

Codified at T.C.A. § 47-18-2107 under the Tennessee Identity Theft Deterrence Act of 1999 and entitled “Release of Personal Information,” the Tennessee statute follows a framework common to states around the country. The statute begins by defining personal information, breach of security, and information holder. “Personal information” is unencrypted information concerning an individual’s first name or first initial and last name, in combination with any one or more of the following: (i) social security number; (ii) driver’s license number; (iii) account number, credit or debit card number, combined with any security, access, or […]
