Boston College High School, a private independent Catholic high school serving more than 1,400 students in grades 7 to 12, needed a more effective process for protecting and securing the personal information of its students, faculty, staff, and donors. Strict Massachusetts privacy legislation requires any organization that maintains personal information to protect all personal and sensitive personal data. Schools face stiff penalties if not in compliance. The ability to search structured and unstructured data was a top priority.
The school prioritized a proactive data privacy protection process with the most highly recommended data protection solution, Spirion, at the helm.
Boston College High School processes personal employee, student, and donor information. With Spirion, the school understands user habits and can course-correct the mishandling of sensitive data.
Industry Challenge: Protect student privacy and comply with regulations
Because of the massive amount of personal data they handle, including financial information, SSNs, and health records, educational institutions are prime targets of cybercriminals. According to the Identity Theft Resource Center, more than 2.2 million records were exposed in over 100 education-related breaches in 2019.
While cybercriminals are hard at work searching for vulnerabilities, educational institutions are striving to maintain the trust of students and their families by ensuring their personal data is safe. Boston College High School must follow Massachusetts law, which defines personal data as a first name or initial with the last name, in connection with a social security number, passport number, or driver’s license number. Additionally, the Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records, strictly defining personal information and establishing the process for managing and protecting this data.
The Need: Protecting sensitive data with proactive data privacy
Boston College High School prioritizes proactive data privacy and security. “Boston College High employees process sensitive data every day, including files that contain student, employee, and donor information, such as passports, credit cards, and bank invoices,” says Jennifer McLarnon, Chief Information Officer at Boston College High. “In our efforts to prioritize privacy, we require rules, regulations, and processes to identify, remediate, and ensure data is always secure and private.”
The Solution: A data protection solution coupled with data security policies
The school was acutely aware of the need to protect the institution from costly fines and reputation damage should a breach occur. The IT department met with each department to understand what type of data they use and how they use it. In partnership with Margaret Paget, an attorney at the Kurker Paget law firm, the school began creating security policies, processes, and training tools, and solidifying its data retention schedule.
This analysis and policy creation exposed the need for a better overall understanding of the school’s data. The team chose Spirion based on price point and functionality. Soon after implementing the product, the school had complete visibility and control of its personal and sensitive personal data footprint.
The Results: Reduce the risk of misuse and theft
The ability to locate personal information reduces the risk of misuse or theft for Boston College High School. McLarnon’s team utilizes their new insights into personal data across its network to understand user behaviors, revise processes, and institute policies. The team rapidly acts upon any personal data discovered.
“Moving to Spirion opened the risk and data protection conversation across the entire campus. Our initial need to identify, understand, and protect data has sparked further progress in policies around where personal data can reside, as well as purchasing Box to replace our file server, and the implementation of two-factor authentication,” shares McLarnon. “Spirion has helped us identify our gaps, blind spots, and the behaviors of data owners. We not only reduce the risk of unauthorized data access, but we can modify user behavior, our processes, and policies to ensure we protect data before a breach occurs.”