In the event of a ransomware attack, a host of legal frameworks could be implicated. Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired. In this installment, we address the laws that could be implicated when an educational institution suffers a ransomware attack.
State Laws. All 50 U.S. states, the District of Columbia and three U.S. territories have enacted data breach notification statutes, each with varying definitions of “personal information” and requirements regarding notice to individuals and state regulators when an entity has experienced a breach of the security of its systems. Determining which state data breach notification statutes apply largely depends on where the affected individuals reside. Consequently, postsecondary institutions may face broader obligations, as there is a greater likelihood such an organization maintains information for individuals who reside in multiple states. If personal information of individuals residing in multiple states was subject to unauthorized access or acquisition in connection with the ransomware incident, then more than one state’s laws may apply.
Family Educational Rights and Privacy Act (FERPA). FERPA applies to all institutions that receive federal aid and is intended to protect the rights of students and ensure the privacy and accuracy of education records of students who are or have been “in attendance” at an institution (either in person or through remote means). Unlike state data breach notification statutes, FERPA does not include a requirement to notify individuals in the event education records are subject to unauthorized release, but it does contain a provision requiring an institution to maintain a record for each unauthorized disclosure. Some states, however, such as New York, have enacted laws that require public elementary and secondary schools to notify any student (or the student’s parents or guardians if the student is under 18 years of age) when any information that can be used to identify the student, whether directly (e.g., the student’s name, parents’ names, address or Social Security number) or indirectly when linked with other information (e.g., date of birth or mother’s maiden name), is accessed by an unauthorized party.
Federal Trade Commission’s (FTC) Safeguards Rule. Postsecondary institutions may also have notification obligations under the FTC’s Safeguards Rule, which concerns financial aid records.
Student Aid Information Gateway (SAIG) Agreements. Postsecondary educational institutions should also be mindful of their SAIG agreements, which include a provision requiring schools to notify the Department of Education when there is a breach of student records and information under certain circumstances.
Health Insurance Portability and Accountability Act (HIPAA). Some institutions may also be subject to HIPAA, particularly if they are associated with a medical school or hospital. It is also important to note that for organizations that maintain a self-insured health plan, the information associated with the plan’s administration may also be subject to HIPAA.
Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS contains a set of cybersecurity standards that are administered by the Department of Defense (DoD). The DFARS may apply to any organization that is subject to a DoD contract. In the context of educational institutions, this may apply to research programs or facilities used to perform defense contracts. The DFARS defines Controlled Unclassified Information (CUI) as “federal non-classified information the U.S. government creates or possesses or that a nonfederal entity (such as a university or college) receives, possesses or creates for, or on behalf of, the U.S. government that requires information security controls to safeguard or disseminate.” Research data and other project information that a college or university receives, possesses or creates during the performance of federally funded research may be CUI. If CUI is accessed or acquired by a threat actor in connection with a ransomware attack (or any other data security incident), the institution is required to provide notice to the DoD and to any prime contractors or subcontractors that have DFARS requirements as part of their contract.
Freedom of Information Act (FOIA). In conjunction with the strategies outlined above pertaining to internal and external messaging, public educational institutions should be aware that certain communications regarding an incident may be subject to a FOIA request. Therefore, organizations should be mindful of the information and analysis that are reduced to writing.
***

In summary, there are many key factors and critical facts for all educational institutions to consider in preparation for a likely inevitable cybersecurity incident. BakerHostetler’s Digital Assets and Data Management Practice Group contains attorneys who have extensive experience assisting clients in all industries with preparing for and responding to such incidents.