New York Attorney General Letitia James recently announced two agreements related to data breaches with entities that operate in the education industry. In both instances the entities paid the ransom and received evidence of deletion of the stolen data.
Most recently, on October 5, 2023, the Office of the Attorney General (OAG) announced a $49.5 million multistate settlement with a donor management software company over a 2020 data breach. According to OAG, the breach impacted the data of thousands of nonprofit institutions, including colleges and universities. James noted in the press release announcing the settlement that “there is no excuse for a cloud company to have poor data security measures.” The investigation concluded that the company failed to implement reasonable security and fix known security gaps, and that the company neglected to provide timely, accurate information to its customers, which in turn significantly delayed notification to impacted individuals. According to OAG, the company downplayed the severity of the incident and led its customers to believe that notification was not required, despite sensitive information such as Social Security numbers, financial information, and protected health information being impacted.
OAG also announced in September 2023 that it reached an agreement with a private college to invest $3.5 million in data security to protect student data. The agreement comes in response to a 2021 data breach the college suffered that affected nearly 100,000 New Yorkers who were current and prospective students, faculty, and alumni. In its press release, OAG stated that “companies and universities alike must do a better job at safeguarding the personal information with which they are entrusted.”
According to OAG’s press release, in November 2021 a hacker gained access to the college’s technical infrastructure and ultimately encrypted data including Social Security numbers, bank and credit card numbers, passport numbers, driver’s license numbers, and medical information. OAG’s investigation found that the college failed to use multi-factor authentication for accounts, encrypt sensitive data, and update security policies and firmware in response to new security threats.
OAG concluded that the college failed to adequately safeguard personal information, and as part of the agreement the college must invest $3.5 million over the next six years to better protect personal information, including by:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
- Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
- Maintaining reasonable policies to perform security updates and patch management;
- Enabling multifactor authentication for users logging into the college’s networks;
- Scanning for vulnerabilities and potential weaknesses; and
- Publicly sharing the college’s plan describing the purpose for which it collects personal information, how long it retains that information, and the timeline for its deletion.
Three of the last four settlements from New York, including one with an online sporting goods retailer and one with a healthcare company, have cited a failure to encrypt personal information, indicating a renewed focus on encryption from OAG. Encryption of sensitive customer information is also addressed in OAG’s data security guide, released in April 2023.