College officials wary of ‘cyber insurance' for private data

Officials at both of Hidalgo County’s public institutions of higher learning said they would rather rely on preventive measures than buy costly “cyber insurance” to protect against threats to their data security.

Representatives from the University of Texas-Pan American and South Texas College said they were confident in the rigor of their information security systems.

They see little value in cyber liability policies, which other higher education institutions across the nation have purchased to offset large expenses following a data breach.

“Rather than spending money at the back end, use your resources to prevent (risk),” said Bob Lim, UTPA vice president of information technology. “There’s better use in working to fight intrusion than being scared of it.”

UTPA’s network receives about 4 million attacks a year, Lim said. But adding new layers to security would be better than buying what might be an unused insurance policy.

Members of STC’s board of trustees also said they trusted their security network on July 26, when they voted to gather more information before making a decision on a $50,000 cyber liability policy.

Steven Bourdon, STC chief information security officer, said conversations with other college IT departments confirmed his belief that cyber insurance was better suited for e-commerce organizations.

“The number one thing for us is reputation,” he said. “If there is a breach, how would you monetize the effect on reputation?”

Like Lim, Bourdon said his department constantly evolves to change encryption technology, firewalls and antivirus protection as online threats become more complex.

Both also said constant vulnerability assessments proved the integrity of their security systems, but should things go wrong, both colleges had plans in place to inform affected individuals of a breach.

“At the end of the day, prevention is just the best bet,” Bourdon said.

Yet making that kind of risk assessment is not a good plan, said David Navetta, founding partner of Information Law Group, a firm involved with privacy, security and technology law.

“To try to just throw money at prevention instead of thinking about what could go wrong, that decision process is not the right one to make,” Navetta said. “I think most organizations, not even just universities, with personal information would consider this.”

Navetta recently wrote about a $3.35 million price tag for a June 2008 theft of over 1.7 million individuals’ personal information at the University of Utah.

The university swallowed almost $700,000 in breach notification costs and spent millions of dollars more on credit monitoring, phone banks, personnel response and more.

“That apparently was a voluntary kind of expense incurred on the part of the university,” Navetta said. “But that is one possible activity an educational institution might have to make in order to mitigate lawsuits or liability down the road.”

UTPA and STC did not suffer such costs — or lawsuits — after their own data incidents.

In 2007, a UTPA employee lost a portable hard drive with 1,500 full-time employees’ information on it.

A university gardener found and returned it days later.

And last fall, an STC employee unintentionally transferred a document with 130 students’ Social Security numbers over a peer-to-peer program on her personal computer.

An online monitoring service ultimately discovered and alerted STC officials about the document. No credit abuse was reported in either case.

Both schools said they restrict access to private data and often train staff and students on better use of technology like e-mail and mobile storage devices.

Raising awareness helps prevent such incidents as users learn how easy it is to be exploited, said Jesse Rivera, associate vice president for privacy and security at UTPA.

“It’s not just technology but it’s the human beings sitting in front of the computer,” Rivera said. “We have to be vigilant in raising everyone’s use of technology when they handle private information.”

____

Neal Morton covers education and general assignments for The Monitor. He can be reached at (956) 314-0896.