Colleges and universities often store large amounts of sensitive research data. Some of that data could be highly classified, triggering an obligation to provide notice to a government entity, such as the Department of Defense. Educational institutions also maintain disciplinary files about both students and employees, which could cause significant embarrassment to the school and the individuals involved if stolen by a threat actor and posted to the dark web, even if legal notification obligations are not triggered given the type of information involved.
Data protected under FERPA is accessed in most ransomware incidents.
Although FERPA recommends (but does not require) schools send notification letters to students whose education records are stolen/subject to unauthorized release, it requires schools to include a notation in student files. Additionally, postsecondary institutions that participate in federal student aid programs must report actual and suspected data breaches to the Department of Education Office of Federal Student Aid (FSA), which generally requests periodic or ongoing reporting of the institution’s response to the incident.
Systems are often decentralized, making it difficult to identify data.
Many businesses can readily identify where their most important and sensitive data are stored. Educational institutions—especially large research universities—often have sensitive data stored throughout a decentralized infrastructure. For example, the IT team may have little or no insight regarding the sensitivity or nature of the data that is maintained on the school of engineering’s servers. In the immediate aftermath of a ransomware incident, this makes it much more difficult to assess what data was compromised and what devices need to be restored to regain access to the data in the event of encryption.
Leadership structures are not conducive to quick decision-making.
Early in the incident response process, a ransomware victim may need to quickly decide what vendors to engage, whether to pay a ransom, and how to communicate both internally and externally about the incident. Delaying these decisions could result in prolonged service interruptions, data loss, and reputational harm. Consequently, it is vital that educational institutions have an incident response plan in place that clearly defines who is responsible for making specific decisions. Regularly practicing the plan through tabletop exercises is a great way to identify areas that can be updated or improved.
Ransom payment prohibitions.
In 2022, North Carolina passed a law prohibiting state agencies and local government entities (including state universities, community colleges, and public school districts) from paying ransoms or even communicatingwith ransomware threat actors. Florida also enacted a law prohibiting state agencies from paying a ransom. New York, Pennsylvania, and other states are considering similar laws.
Educational institutions need to be transparent but avoid over-sharing at the outset of the incident response process.
Most educational institutions take pride in their culture of transparency, which they consider vital to maintaining the trust of students, employees, and the school community at large. During the incident response process, however, it is important that schools be measured in their messaging. Accordingly, it is important that in their ransomware incident response plans, educational institutions articulate a communications strategy that balances their commitment to being open and transparent with the need to avoid messaging pitfalls that could potentially damage their reputation and erode the trust of their community.
Public records laws.
Key decisions in the response process occur “behind closed doors.” Upon discovering the incident, for example, educational institutions must determine when to notify the school community and what information to divulge in that communication. Similarly, schools often need to perform cost-benefit assessments regarding whether it is worth paying a ransom to prevent the threat actor from publishing school data on the dark web. Although some communications about these decision points might be protected from disclosure by the attorney-client communications privilege, others (like ransom negotiation transcripts and public relations strategies) may need to be produced in response to a public records request.