Universities Use "Self Help" to Fight Off Hackers

September 2, 2013

The Wall Street Journal reported late last month ("U.S. Universities Fight Off Hackers", By Riva Gold, Aug. 27, 2013) that a number of U.S. colleges and universities have started to enlist the efforts of their faculty and students to bolster efforts at cyber security in response to an increase in recent cyber attacks.  Those efforts include encouraging, and in some cases enforcing, the use of complex passwords or changing passwords frequently; administering a cyber security exam as a condition to obtaining a university email address; implementing multi-step authentication systems for certain university apps; learning about and using native encryption capabilities; and instructions on how to spot 'phishing' attempts.

CLIENT TIP:  Massachusetts has one of the strictest regulatory environments for data privacy and cyber security.  Effective in 2010, 201 CMR 17:00 et. seq., Standards for the Protection of Personal Information of Residents of the Commonwealth, broadly applies to anyone who "own[s] or license[s] personal information about a resident of the Commonwealth of Massachusetts."  The scope of the persons covered by the regulations, the information subject to them, and the duties and standards on those entrusted with personal information are sweeping.  The steps taken by the institutions in the WSJ article have not reached the level of "best practices".  Nevertheless, these institutions - some of whom learned tough lessons through cyber security and privacy breaches - have reasoned that the vigilance of students and faculty (however imperfect) is a manageable and cost-effective supplement to standard-operating-procedure, especially compared to the financial, reputational, and security consequences of a breach to the institution.