
Alert

July 28, 2023

Key Takeaways From a Recent College Data Breach

Colleges and universities collect and maintain a vast amount of sensitive personally identifiable information (PII). As a result, these institutions have become the target of data breaches and cyberattacks over the past few years. 

Several lawsuits alleging claims of negligence, breach of contract, breach of fiduciary duty, and other state law violations were recently filed against a public community college in Michigan following a widespread data breach. The lawsuits serve as an important reminder that colleges and universities must not only remain vigilant in adequately protecting PII but they must have an effective response plan in place in the unfortunate event that PII is compromised. 

The recently filed lawsuits (including a federal class action) involve the alleged disclosure of PII relating to more than 700,000 individuals, including prospective, current, and former students and employees of the college. According to one theory, the plaintiffs allege that the college failed to satisfy the data security commitments stated in the college’s Privacy Statement, allegedly forming the basis for a breach of contract. Under another theory, a prospective student alleges that she provided her name and social security number to the college as a condition of admission and, as a result, an express or implied agreement to safeguard the data was formed. Another theory involves both common-law negligence and negligence per se based upon Section 5 of the Federal Trade Commission Act (FTCA), which governs data security and prohibits “unfair or deceptive acts or practices in or affecting commerce.”[i] Among other theories, the lawsuits allege that the college breached its contractual obligations to protect PII by failing to encrypt or otherwise safeguard the data, and the college’s failure to safeguard PII constituted unfair or deceptive practices according to the FTCA.

The lawsuits further allege that despite the college becoming aware of the potential cybersecurity incident in March 2023, it did not provide notification to potential victims until June 2023, nearly three months later. As described in the lawsuit filings, the college immediately retained a third-party information technology specialist and commenced an investigation upon learning of the potential data breach, but the three-month notification delay allegedly harmed the plaintiffs. 

The college’s liability is unknown at this time since the lawsuits remain pending. However, what is known is that a cyberattack can undoubtedly result in dire consequences, including litigation. Having an adequate written information security program in place to protect and safeguard PII is the first step in minimizing the risk of a data breach and resulting litigation. To that end, higher education institutions should routinely review internal procedures for compliance oversight. As part of their information security programs, higher education institutions should implement controls reasonably designed to: 

  1. Ensure that PII is only used by or disclosed to those authorized to receive or view it 
  2. Maintain PII in an encrypted or secure format
  3. Re-encrypt PII after it has been modified or changed 
  4. Delete PII when no longer needed based on a predetermined purge cycle or purge schedule, subject to any retention requirements of applicable law

Higher education institutions should also designate an individual or team of individuals who are trained on data-security practices to analyze and implement the appropriate response to any potential data breach, including directing the breach-notification process. Response teams must also be aware of other regulatory requirements, including those under the Family Educational Rights and Privacy Act (FERPA).[ii] There is no formal notification or disclosure requirement under FERPA, but FERPA requires higher education institutions to create a record of the data breach and maintain that record.

In addition, higher education institutions should review their contracts and online terms for consistency and adequacy of contractual protection. For example, institutions may require applicants to click-to-accept certain application terms as a condition of submitting an application. Generally, institutions should implement legal terms (e.g., privacy policies, privacy statements, terms of use, and college application terms) that limit their liability and reduce the risk of claims based on theories other than breach of the legal terms. 

If you have any questions regarding this alert, please contact Renato Smith, Data Security & Technology Practice Area co-chair, at rsmith@barclaydamon.com; Brittany Lawrence, partner, at blawrence@barclaydamon.com; Joshua Maddox, summer associate, at jmaddox@barclaydamon.com; or another member of the firm’s Higher Education Team or Data Security & Technology Practice Area.

[i] See 15 U.S.C. § 45(a)(1).
[ii] See 20 U.S.C. § 1232g and 34 C.F.R. Part 99.