    July 2017

    Don't Take the Bait: Defending Institutional Data From Phishing

    Between 2012 and June 2017, educational institutions publicly disclosed more than 200 data breaches. Nearly half of these incidents were the result of hacking, malware, or phishing. Phishing is a type of email attack in which a scammer poses as a trustworthy person or organization to trick the recipient into handing over confidential information. This is typically achieved by spoofing the sender: either forging the From address outright or using a look-alike address that differs from the real one by only a few characters, while the display name shows the name the recipient expects.

    While educational institutions are common targets for phishing attacks, there are steps you can take to minimize the risk that the attack will be successful, reducing the likelihood of litigation.

    Two recent UE claims highlight the risks associated with phishing-related data releases. An HR administrator received what she thought was a legitimate email from the university's president, requesting the W-2 form of every employee. W-2 forms contain confidential personal information, including an employee's name, mailing address, income, and Social Security number. The From header showed the president's display name, but the underlying sender address differed from the president's real address by a few characters. Unfortunately, the administrator sent unencrypted PDF files containing the W-2s of more than 1,300 current and former employees. An HR administrator at another institution responded to a similar email, compromising the sensitive information of approximately 3,000 employees.
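The pattern in both claims, a familiar display name over an address that is "a few characters off", is mechanical enough to check before a message reaches an inbox. The following is an added example, not code from the original post or from UE: it parses raw From headers, compares the display name against a small constructed directory of people who are likely to be impersonated, and flags messages where the name matches but the address does not, or where the sender domain merely resembles the institution's. The directory entries, the domain example.edu, the similarity threshold, and the sample headers are all assumptions constructed for illustration.

```python
"""Flag display-name impersonation and look-alike sender domains in From headers.

Added example; not part of the original post. All names, addresses and
headers below are constructed, not taken from any real incident.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory: display names of people likely to be impersonated
# (president, CFO, HR director, ...) mapped to their one legitimate address.
DIRECTORY = {
    "jane doe": "jane.doe@example.edu",
}

# Assumed institutional domain; anything else is treated as external.
INSTITUTION_DOMAIN = "example.edu"

# Domains at least this similar to the institutional domain are treated as
# look-alikes (e.g. examp1e.edu). Threshold is an assumption; tune on real mail.
LOOKALIKE_THRESHOLD = 0.8


def normalise(name):
    """Lower-case a display name and collapse whitespace for lookup."""
    return " ".join(name.lower().split())


def domain_similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def check_from_header(from_header, directory=DIRECTORY, domain=INSTITUTION_DOMAIN):
    """Classify a raw From: header value.

    Returns (verdict, reason) with verdict one of:
      "ok", "impersonation", "lookalike-domain", "external", "malformed".
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr or "@" not in addr:
        return "malformed", "no parsable address in From header"

    _local, _, sender_domain = addr.partition("@")
    known_addr = directory.get(normalise(display))

    if known_addr:
        if addr == known_addr:
            return "ok", "display name and address match the directory"
        # The W-2 case: the name the recipient expects, but not that person's address.
        return "impersonation", f"display name maps to {known_addr}, got {addr}"

    if sender_domain == domain:
        return "ok", "institutional sender; display name not in the directory"

    if domain_similarity(sender_domain, domain) >= LOOKALIKE_THRESHOLD:
        return "lookalike-domain", f"{sender_domain} resembles {domain}"

    return "external", f"external sender {addr}"


def flag_messages(headers):
    """Return [(header, verdict, reason)] for every header that is not "ok"."""
    flagged = []
    for header in headers:
        verdict, reason = check_from_header(header)
        if verdict != "ok":
            flagged.append((header, verdict, reason))
    return flagged


# Constructed sample From headers; the first two are legitimate.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.edu>",
    "Payroll Office <payroll@example.edu>",
    "Jane Doe <jane.doe@examp1e.edu>",            # known name, look-alike domain
    "Jane Doe <president.janedoe@gmail.com>",    # known name, free-mail address
    "Payroll Office <payroll@examp1e.edu>",      # unknown name, look-alike domain
    "Vendor Sales <sales@vendor.com>",           # ordinary external mail
]

if __name__ == "__main__":
    for header, verdict, reason in flag_messages(SAMPLE_HEADERS):
        print(f"{verdict:17} {header}  ({reason})")
```

The directory lookup is the part that catches the incident described above: a display name that belongs to the president is only acceptable from the president's one known address, regardless of how plausible the rest of the message looks. The domain-similarity check is a coarser net and will produce false positives on unrelated short domains, so treat its output as a warning banner for the recipient rather than an automatic block.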

    Both of these successful phishing attacks resulted in numerous instances of identity theft, including fraudulent tax return filings, attempts to open credit card accounts, and an alleged attempt to open a mortgage in an employee’s name.

    Keeping Your Institution (and Data) Off the Hook

    Consider the following strategies to help your institution minimize the risk of a phisher rowing away with your data:

    • Provide cybersecurity training for employees with access to sensitive information at least annually, and train other employees periodically.
    • Implement out-of-band verification for requests involving confidential information: confirm an email request by phone, using a number you already have rather than one supplied in the message, or preferably in person with the person who supposedly sent it. Check that the sender's actual address, not just the display name, matches the one you have on file.
    • Spread awareness of these schemes. Consider warning university employees and/or students about known phishing attacks as soon as possible through appropriate email lists or social media.
    • Remind employees to watch for an increase in phishing requests just prior to tax season.

    Shortly after the two universities mentioned above notified employees of the data breaches, class action lawsuits were filed, alleging breach of contract, negligence, invasion of privacy, and unfair business practices. Since not all claimants actually suffered identity theft, the lawsuits allege damages based on the potential harm caused by the ongoing increased risk of identity theft enabled by the data breaches.

    You Took the Bait. Now What?

    If your institution does fall victim to a phishing attack, you can take the following steps to minimize the impact and decrease the likelihood of litigation:

    • Notify those whose information has been released as soon as possible. Most states have compulsory data breach notification laws. The applicable requirements depend on the residence of affected employees, not just the institution’s home state. Be sure to follow all statutory requirements and work with experienced counsel when deciding how and to whom to give notice.
    • Consider providing credit monitoring services to affected employees and set up hotlines for concerned employees to call for assistance.
    • Inform appropriate law enforcement authorities of the crime, even if it is unlikely they can track down the fraudsters. State breach notification statutes generally allow institutions to delay notification if law enforcement determines that notifying affected individuals would impede the investigation.

    Privacy Rights Clearinghouse's Chronology of Data Breaches
    Data Breach Prevention and Response: A Guide for Business Officers
    Protecting K-12 Student Data Privacy in a Changing Learning Environment

    By Kelsey Feeheley, associate claims counsel