Colleges and universities collect and maintain a vast amount of sensitive personally identifiable information (PII). As a result, these institutions have become the target of data breaches and cyberattacks over the past few years.
Several lawsuits alleging claims of negligence, breach of contract, breach of fiduciary duty, and other state law violations were recently filed against a public community college in Michigan following a widespread data breach. The lawsuits serve as an important reminder that colleges and universities must not only remain vigilant in adequately protecting PII but they must have an effective response plan in place in the unfortunate event that PII is compromised.
The recently filed lawsuits (including a federal class action) involve the alleged disclosure of PII relating to more than 700,000 individuals, including prospective, current, and former students and employees of the college. According to one theory, the plaintiffs allege that the college failed to satisfy the data security commitments stated in the college’s Privacy Statement, allegedly forming the basis for a breach of contract. Under another theory, a prospective student alleges that she provided her name and social security number to the college as a condition of admission and, as a result, an express or implied agreement to safeguard the data was formed. Another theory involves both common-law negligence and negligence per se based upon Section 5 of the Federal Trade Commission Act (FTCA), which governs data security and prohibits “unfair or deceptive acts or practices in or affecting commerce.”[i] Among other theories, the lawsuits allege that the college breached its contractual obligations to protect PII by failing to encrypt or otherwise safeguard the data, and that the college’s failure to safeguard PII constituted unfair or deceptive practices under the FTCA.
The lawsuits further allege that despite the college becoming aware of the potential cybersecurity incident in March 2023, it did not provide notification to potential victims until June 2023, nearly three months later. As described in the lawsuit filings, the college immediately retained a third-party information technology specialist and commenced an investigation upon learning of the potential data breach, but the three-month notification delay allegedly harmed the plaintiffs.
The college’s liability is unknown at this time since the lawsuits remain pending. However, what is known is that a cyberattack can undoubtedly result in dire consequences, including litigation. Having an adequate written information security program in place to protect and safeguard PII is the first step in minimizing the risk of a data breach and resulting litigation. To that end, higher education institutions should routinely review internal procedures for compliance oversight. As part of their information security programs, higher education institutions should implement controls reasonably designed to:
- Ensure that PII is only used by or disclosed to those authorized to receive or view it
- Maintain PII in an encrypted or secure format
- Re-encrypt PII after it has been modified or changed
- Delete PII when no longer needed based on a predetermined purge cycle or purge schedule, subject to any retention requirements of applicable law
Higher education institutions should also designate an individual or team of individuals who are trained on data-security practices to analyze and implement the appropriate response to any potential data breach, including directing the breach-notification process. Response teams must also be aware of other regulatory requirements, including those under the Family Educational Rights and Privacy Act (FERPA).[ii] There is no formal notification or disclosure requirement under FERPA, but FERPA requires higher education institutions to create a record of the data breach and maintain that record.
In addition, higher education institutions should review their contracts and online terms for consistency and adequacy of contractual protection. For example, institutions may require applicants to click-to-accept certain application terms as a condition of submitting an application. Generally, institutions should implement legal terms (e.g., privacy policies, privacy statements, terms of use, and college application terms) that limit their liability and reduce the risk of claims based on theories other than breach of the legal terms.
If you have any questions regarding this alert, please contact Renato Smith, Data Security & Technology Practice Area co-chair, at rsmith@barclaydamon.com; Brittany Lawrence, partner, at blawrence@barclaydamon.com; Joshua Maddox, summer associate, at jmaddox@barclaydamon.com; or another member of the firm’s Higher Education Team or Data Security & Technology Practice Area.
[i] See 15 U.S.C. § 45(a)(1).
[ii] See 20 U.S.C. § 1232g and 34 C.F.R. Part 99.