NIST Privacy Framework : Our Essential Data Protection Guide

Close

Meeting higher education data privacy challenges

By early April 2020, college campuses were unusually quiet as students were sent home and faculty members set up Zoom classes from their living rooms. The absence of in-person activity on campus had been replaced by a flurry of online activity. Even though the library, classrooms and dorms were empty, institutes of higher learning generated more data than ever before, as online classes replaced face-to-face learning and professors pivoted to digital assignments and exams.

It was a stark reminder that colleges are a treasure trove of data. Even before the pandemic forced a quick teaching and learning digital transformation, universities collected, stored, and transmitted personal information and intellectual property of students and their parents, faculty and staff, alumni and boards of directors, big money donors and anyone who bought tickets to campus events. Knowing that the average person generates 1.7MB of data per second, even a small campus is going to create a lot of data. Not only does the private data need to be safeguarded, the new number of endpoints that need protection is staggering.

Too often, however, cybersecurity – let alone data privacy – was more of an afterthought in higher education. There was little cohesion to how departments and individuals used and stored data or how information was secured. This led to universities being an easy target for cyber attacks and data breaches. In 2019, more than 2 million records were exposed within education, according to the Identity Theft Resource Center.

But attitudes surrounding data privacy have changed. There is more awareness surrounding the risks of exposing private data and individuals want to know what’s being done by organizations to protect their Personally Identifiable Information (PII.) And no longer can higher education be lackadaisical in how it approaches cybersecurity and privacy; in 2018, the Department of Education mandated that any college or university receiving federal student aid must report all data breaches, no matter how small.

Institutes of higher education are stepping up their efforts to improve data privacy and data protection, looking at data privacy from the perspective of the individual and how a privacy failure impacts them. But data privacy must go hand-in-hand with security and compliance. To gain the protection they need, universities are turning to Spirion for help.

Kent State University: The university, which has more than 400,000 digital identities to protect, needed more than the baseline security required by a data privacy regulation; it also wanted an in-depth defense to offer a multi-layered approach for data protection. Bob Eckman, the school’s CISO, wanted to know every detail of the data – where it lived, how it got there, its availability, its integrity. Eckman says that Spirion has given Kent State the visibility it needs to effectively manage its overall data protection processes and initiatives. The single-pane-of-glass view to understanding what is happening in all spaces and devices in the environment is game-changing.

California State University: CSU encompasses 23 campuses, making it the largest four-year system in the country, but it was using an outdated manual information auditing process to account for all the data generated. With Spirion, CSU automated the data discovery, classification, and protection process, as well as using the software to provide accurate and automated data inventory for audits. Without the right tools, delivering effective data privacy and security is hard, but CISO Ed Hudson said that’s no excuse, especially if data is breached and compromised. Locating, classifying, and protecting data has become a routine part of the cybersecurity program in the CSU system. It all goes back to a simple idea: If you don’t know what you have, you can’t protect it.

Virtual learning will continue to generate a large amount of data. But even as students begin to return to the classroom, schools will continue to collect data from the multitude of devices connected to the network. Personal data of students, staff, donors, and others will still be collected and stored. And all of this data needs to be protected. Higher learning institutions have a duty to protect the personal information of the people who bring the campus to life, and that includes using the most efficient tools to meet every facet of data privacy compliance and security.