PRESENTED AT
Education Law Association 64th Annual Conference
November 7‐10, 2018
Cleveland, Ohio
Under Attack!
Minimizing the Risk and Mitigating the Impact of Cybercrime
Mari McGowan
Director/Shareholder
Abernathy, Roeder, Boyd & Hullett, P.C.
1700 Redbud #300
McKinney, TX 75069
(214) 544-4000
UNDER ATTACK! MINIMIZING THE RISK AND MITIGATING THE IMPACT OF CYBERCRIME
TABLE OF CONTENTS
I. INTRODUCTION
II. OVERVIEW OF CYBERCRIMES
   A. BUSINESS E-MAIL COMPROMISE & CEO FRAUD
   B. PHISHING & EXTRACTION PROGRAMS
   C. RANSOMWARE
   D. DENIAL OF SERVICE ATTACKS
   E. CYBER EXTORTION
III. APPLICABLE LAW
   A. VENDORS, BANKS, AND THIRD PARTIES
IV. PREVENTION EFFORTS & BREACHES
   A. FBI-RECOMMENDED PREVENTION EFFORTS
   B. CYBER RISK ASSESSMENTS
   C. BREACHES
V. CONCLUSION
I. Introduction
In the fall of 2017, a Johnston, Iowa parent received an anonymous text message:
“Your child still looks so innocent. Don’t let your child go outside.”1 Time went on, and
the messages became more threatening – and more specific.2 The texts mentioned the child
by the correct name and school that the child attended.3 More and more parents received
the anonymous messages, which increasingly became more graphic.4 The group that
claimed responsibility for the hacks posted the students’ phone numbers and names online,
encouraging predators to target them.5 District officials shut down eight schools so law
enforcement could conduct sweeps with bomb-sniffing canines.6 Meanwhile, parents
began receiving similar messages at districts in Texas and Montana. In Montana, the
Columbia Falls School District received a seven-page ransom letter demanding $75,000 in
Bitcoin in exchange for a promise to not release student data obtained from the district’s
computer system.7 Several dozen schools closed for three days in response to the threats.8
Ultimately, a group named “Dark Overlord” took responsibility for the attacks.9
The heavy-handed moniker almost induces laughter, but these attacks represent a serious
threat to American colleges and school districts. Other examples of recent cyber-attacks
include the 2015 UCLA Health breach, where hackers gained access to the data of 4.5
million people.10 At Ohio State University, a cyber-attack exposed the data of more than
760,000 individuals, costing the school over $4 million to investigate and remedy.11 As
colleges and school districts become increasingly dependent upon technology, the threat
posed by cyber-attacks will likewise expand. What can colleges and school districts do to
protect themselves from cyber-attacks and other forms of cybercrime? This paper examines
some of the most common forms of cybercrime and provides an overview of best practices for
preventing and mitigating the damage caused by cyber-attacks.

1. Moriah Balingit & Valerie Strauss, Education Department warns of new hacker threat as ‘Dark Overlord’ claims credit for attacks on school districts, WASHINGTON POST (Oct. 26, 2017), https://www.washingtonpost.com/news/answer-sheet/wp/2017/10/26/education-department-warns-of-new-hacker-threat-as-dark-overlord-claims-credit-for-attacks-on-school-districts/?utm_term=.a0613d3a387b.
2. Id.
3. Id.
4. Id.
5. Id.
6. Id.
7. Id.
8. Id.
9. Id.
10. Jose Pagliery, UCLA Health hacked, 4.5 million victims, CNN (July 17, 2015, 6:47 PM), http://money.cnn.com/2015/07/17/technology/ucla-health-hack/index.html.
II. Overview of Cybercrimes
A. Business E-mail Compromise & CEO Fraud
The Federal Bureau of Investigation’s Internet Crime Complaint Center (“IC3”)
defines “business e-mail compromise,” or BEC, as “a sophisticated scam targeting
businesses working with foreign suppliers and/or businesses that regularly perform wire
transfer payments. The scam is carried out by compromising legitimate business e-mail
accounts through social engineering or computer intrusion techniques to conduct
unauthorized transfers of funds.”12 Put more simply, the criminals using business e-mail
compromise rely on deception.13 Victims commonly report using either wire transfer or
checks as a payment method, and criminals will use the preferred method of their victim’s
normal business practices.14 The FBI reported a 1,300% increase in identified exposed
losses between January 2015 and June 2016.15
Entities perpetrating business e-mail compromise scams attempt to identify the
individuals and protocols necessary to perform wire transfers within a particular business
or organization’s operating environment.16 Victims may receive “phishing” e-mails
requesting additional details regarding the targeted organization or individual, such as
names, travel schedules, dates, etc.17 Cyber criminals may also use more sophisticated
methods, such as ransomware or other malware planted on the victim’s systems, to gain the
information necessary to impersonate legitimate business vendors or organization
executives.18

11. Tamar Lewin, Ohio State Says Hackers Breached Data on 760,000, NEW YORK TIMES (Dec. 16, 2010), http://www.nytimes.com/2010/12/17/education/17colleges.html.
12. Business E-mail Compromise: The 3.1 Billion Dollar Scam, INTERNET CRIME COMPLAINT CENTER (June 14, 2016), https://www.ic3.gov/media/2016/160614.aspx.
13. Id.
14. Id.
15. Id.
16. Id.
CEO fraud, a common form of business e-mail compromise, involves the
impersonation of an organization’s CEO (or other executive, such as an account manager)
to fool high-level members of that organization.19 A typical CEO fraud scenario occurs
when the CEO is out of the office.20 During the CEO’s absence, scammers send a
fraudulent email to a targeted employee in the financial department, such as an accountant
or financial officer.21 The CEO impersonator will make a request for an immediate wire
transfer, typically to a trusted vendor and with a need for urgency.22 The targeted employee
will send money to what looks like a familiar account, but that actually has slightly different
account numbers.23 The urgency of the request from a high-level executive or CEO will
usually induce the targeted employee to make the transfer without taking the necessary
time to verify the account information, and the money will then end up in the hands of the
criminals.24
A common BEC scam might follow this pattern: XYZ Independent School District
has a contract with Steve’s Sanitation Services for daily cleaning of the District’s academic
and athletic facilities. According to the contract, Steve’s Sanitation Services receives
payment in the amount of $100,000 every six months. XYZ ISD has faithfully made
payments to Steve’s Sanitation Services every six months for the last ten years. When the
District has a question, it typically communicates with Sally, the administrative assistant
for Steve’s Sanitation Services, by email at [email protected]. Steve’s
Sanitation Services maintains a website where information about its staff and services can
be found, and the District maintains a website with pictures and bios of its upper-level staff,
including those in business services.
17. Id.
18. Id.
19. Business E-mail Compromise: Cyber-Enabled Fraud on the Rise Globally, FEDERAL BUREAU OF INVESTIGATION (Feb. 27, 2017), https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise.
20. Id.
21. Id.
22. Id.
23. Id.
24. Id.
Casey Criminal is a sophisticated cybercriminal. He uses the State Public
Information Act to obtain a copy of the contract between Steve’s Sanitation Services and
the District. The contract states the method, times, and amount of payment the District must
make. Casey also peruses Steve’s website and the District’s website for information about
employees. Casey creates a new email address, [email protected], and
emails Albert Administrator in the District’s business office. Casey copies and pastes
Steve’s logo (found on the website) to his email so it looks legitimate, and writes that
Steve’s Sanitation Services has changed bank accounts, and all future payments should be
made to the new account. Attached to the email is a voided check. The check is a real
check. In reality, the check has Casey’s name and address on it. However, Casey has altered
the check with Photoshop by replacing his name with “Steve’s Sanitation Services.” The
phone number on the signature line of the email is Casey’s cell phone number.
Albert Administrator, being a diligent business services officer, picks up the phone
and calls the number on the email to verify that the account information has indeed
changed. Although he is accustomed to talking to Sally, Casey answers the phone. When
Albert asks to talk to Sally, Casey states that Sally is out sick for the week, but that he is
filling in. Of course, Casey confirms that the new account number on the check is correct,
and that future payments should be made to the new account. Satisfied that he has
thoroughly investigated, Albert hangs up the phone, and authorizes a $100,000 transfer to
the new account. Casey immediately withdraws the funds, and deposits them in foreign
bank accounts.
Several weeks go by. Steve’s does not immediately call the District to ask for the
missing payment, since the District is Steve’s largest customer and has always paid
faithfully. But after a couple of months, Sally reaches out to Albert to inquire about the
payment. The District realizes the mistake, but it is too late—the money is gone, and Casey
has shut down the new account and fake email address. The District has lost $100,000.
With regard to business email compromise and CEO fraud, districts should be
cognizant of the difference between losing funds through a voluntary (albeit fraudulently
induced) transfer of funds, and a loss of funds as a result of direct hacking. In Apache
Corporation v. Great American Insurance Company, Apache Corporation lost over $2 million
after employees transferred funds to a criminal acting as an established vendor.25
Apache carried a computer fraud policy for loss of funds resulting “directly from the use
of any computer” to fraudulently transfer funds.26 The Fifth Circuit ruled that the policy
did not cover the fraud, and that the email used to induce the fraudulent transfer was only
incidental to Apache Corporation’s authorized transfer of funds.27 Therefore, even though
Apache’s loss was caused by a cyber-enabled crime, the loss was not compensable because
Apache’s own employees voluntarily authorized the transfer.
B. Phishing & Extraction Programs
The Federal Trade Commission defines phishing as a scammer using fraudulent
emails, texts, or copycat websites to get individuals to share valuable personal information
such as bank account numbers, Social Security numbers, credit card information, or login IDs
and passwords.28 Phishing scammers lure targets into a false sense of security by using
familiar logos of legitimate companies, organizations, or other entities.29 Once the victims’
personal data is disclosed or captured, the criminal uses this data for a variety of purposes
– including identity theft, fraud, and gaining unauthorized access to computer networks.30
In one such phishing scheme, hackers used an “extraction program” to illegally
collect the email addresses of millions of victims.31 For example, one e-mail scheme
targeted American colleges and universities over a period of five years, collecting millions
of student email addresses.32 The criminals then used the extracted emails to send targeted
spam messages in an attempt to sell products and services to those students. 33 The
University of Missouri alone received so many spam e-mails from the scheme that it caused
damage to its servers.34 Colleges and school districts should remind employees and
students to exercise caution when providing their e-mail address to unknown sources,
especially online.35

25. Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252, 253-54 (5th Cir. 2016).
26. Id. at 257.
27. Id. at 258-59.
28. Consumer Information: Phishing, FEDERAL TRADE COMMISSION (July 2017), https://www.consumer.ftc.gov/articles/0003-phishing.
29. Id.
30. Fernando M. Pinguelo & Bradford W. Muller, Virtual Crimes, Real Damages: A Primer on Cybercrimes in the United States and Efforts to Combat Cybercriminals, 16 VA. J.L. & TECH. 116, 129-31 (2011).
31. Id.
32. Id.
33. Id.
C. Ransomware
Ransomware, a form of malicious software (“malware”), typically reaches its victims as a
legitimate-looking e-mail that carries the ransomware code in an attachment or behind a
link.36 When the recipient opens the attachment or clicks the URL, the ransomware infects
the computer. The infection encrypts files and folders (scrambling them with a key that only
the attacker holds, so they cannot be accessed) on local drives, any attached drives, backup
drives, and other computers reachable over the same network.37 Because any backup that is
mounted or reachable at the moment of infection is encrypted along with everything else,
only backups kept offline or otherwise disconnected from the network can be relied on for
recovery. Organizations typically do not notice the infection until they can no longer
access data, or begin receiving messages informing them of the attack and demanding a
ransom payment in exchange for a decryption key to unlock the network (thus, the
“ransom” portion of the phrase).38
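The paragraph above notes that organizations usually notice ransomware only once files are already unreachable. As an added example that is not part of the paper or the FBI material it cites, the Python below shows one early-warning heuristic a district's IT staff could run over file-change events exported by an endpoint agent or file server: it alerts on a burst of renames that change file extensions across several directories (what mass encryption looks like from the outside) and on the creation of a ransom note. The event record shape, the ransom-note file names and the thresholds are assumptions, and the sample events are constructed.

```python
"""Early-warning heuristic for ransomware-style mass encryption.

Added example, not from the paper or the FBI material it cites. It consumes
file-change events as an endpoint agent or file server might export them
(the FileEvent shape, the ransom-note names and the thresholds are
assumptions for illustration) and alerts on the two signals that show up
before users notice anything: a burst of renames that change file extensions
across several directories, and the creation of a ransom note.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class FileEvent:
    host: str
    ts: float           # seconds since the epoch
    op: str             # "rename", "write" or "create"
    path: str           # path after the operation
    old_path: str = ""  # path before a rename, empty otherwise


# Hypothetical note file names; real families use many variants.
RANSOM_NOTE_NAMES = {
    "readme_to_decrypt.txt",
    "how_to_restore_files.txt",
    "decrypt_instructions.html",
}


def detect(events, window=60.0, rename_threshold=50, min_dirs=3):
    """Return {host: [alert, ...]} for hosts showing ransomware-like activity.

    A host alerts once per new extension when at least `rename_threshold`
    extension-changing renames land within `window` seconds and touch at
    least `min_dirs` distinct directories (a user renaming a few files in
    one folder does not trip this), and again whenever a known ransom-note
    file is created.
    """
    alerts = defaultdict(list)
    recent = defaultdict(deque)   # host -> (ts, directory, new extension)
    fired = set()                 # (host, new extension) already reported
    for ev in sorted(events, key=lambda e: e.ts):
        name = os.path.basename(ev.path).lower()
        if ev.op == "create" and name in RANSOM_NOTE_NAMES:
            alerts[ev.host].append(f"ransom note created: {ev.path}")
            continue
        if ev.op != "rename" or not ev.old_path:
            continue
        old_ext = os.path.splitext(ev.old_path)[1].lower()
        new_ext = os.path.splitext(ev.path)[1].lower()
        if not old_ext or new_ext == old_ext:
            continue                      # ordinary rename, extension kept
        q = recent[ev.host]
        q.append((ev.ts, os.path.dirname(ev.path), new_ext))
        while q and ev.ts - q[0][0] > window:
            q.popleft()                   # slide the time window
        dirs = {d for _, d, _ in q}
        if (len(q) >= rename_threshold and len(dirs) >= min_dirs
                and (ev.host, new_ext) not in fired):
            fired.add((ev.host, new_ext))
            alerts[ev.host].append(
                f"{len(q)} extension-changing renames in {window:.0f}s "
                f"across {len(dirs)} directories (new extension {new_ext})")
    return dict(alerts)


def sample_events():
    """Constructed sample: one user doing ordinary renames, one infected host."""
    t0 = 1_700_000_000.0
    evs = []
    for i in range(3):   # benign: three spreadsheets renamed, extension unchanged
        evs.append(FileEvent("ws-benign", t0 + i * 200, "rename",
                             f"C:/Users/alice/Documents/budget{i}.xlsx",
                             f"C:/Users/alice/Documents/draft{i}.xlsx"))
    for i in range(80):  # victim: 80 files in five share folders become .locked in 20s
        folder = f"F:/shares/dept{i % 5}"
        evs.append(FileEvent("ws-victim", t0 + i * 0.25, "rename",
                             f"{folder}/file{i}.docx.locked",
                             f"{folder}/file{i}.docx"))
    evs.append(FileEvent("ws-victim", t0 + 21.0, "create",
                         "F:/shares/dept0/README_TO_DECRYPT.txt"))
    return evs


if __name__ == "__main__":
    for host, host_alerts in detect(sample_events()).items():
        for a in host_alerts:
            print(f"{host}: {a}")
```

The directory-count condition is what keeps this from firing on a user who bulk-renames one folder; tune the thresholds to the file server's normal rename rate, and treat the ransom-note alert as the higher-confidence signal of the two.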
According to a study by BitSight, a security rating company, schools experience
three times more ransomware attacks than the healthcare sector and more than tenfold those
suffered by the finance sector, constituting the highest rate of ransomware attacks across
all economic sectors.39
Not only have ransomware attacks become more prolific, they are becoming more
sophisticated as well.40 In previous years, mass spam e-mails were used as the delivery
vehicle for ransomware.41 Now, criminals typically use spear-phishing e-mails specifically
targeting individual users in order to bypass spam filters.42 However, the newest forms of
ransomware no longer rely on e-mail for delivery at all.43 Instead, criminals lace
legitimate websites with malicious code, relying on vulnerable or out-of-date software on
victims’ computers, so that merely visiting the page can trigger the infection.44

34. Id.
35. Id.
36. What We Investigate: Cyber-crime, FEDERAL BUREAU OF INVESTIGATION (2017), https://www.fbi.gov/investigate/cyber.
37. Id.
38. Id.
39. Liz Teitz, Personal info at risk as cyber crooks target school districts, BEAUMONT ENTERPRISE (Apr. 11, 2017), https://www.beaumontenterprise.com/news/article/Personal-info-at-risk-as-cyber-crooks-target-11063366.php.
40. What We Investigate: Cyber-crime, supra.
41. Id.
42. Id.
Regardless of how the criminals deliver the ransomware, the FBI does not
recommend paying the ransom in response to an attack.45 Paying the ransom does not
guarantee that the perpetrators will deliver a working decryption key, and it incentivizes
criminals to continue or pursue the activity in the future.46 Moreover, criminals may use
the funds obtained from ransomware to fund other illegal ventures.47
D. Denial of Service Attacks
A denial of service attack attempts to render computers unavailable to users by
saturating and overwhelming the target computers or network with external
communication requests, thereby denying service to legitimate users.48 Criminals may also
use denial of service attacks as a diversionary technique.49 During a denial of service attack,
the victim institution may receive thousands of phone calls or emails from the attackers to
overwhelm the phone lines and email servers.50 Meanwhile, the attackers will access
individual accounts and change profile information of the victim, enabling the attacker to
steal funds without the victim noticing.51 For example, a denial of service attack may
overwhelm a school district’s servers. During the attack, the criminals change employee
bank routing information so that the payroll department of the institution delivers the funds
to the criminals’ bank account of choice.
43. Id.
44. Id.
45. Id.
46. Id.
47. Id.
48. Charges in Distributed Denial of Service Attack Against Santa Cruz County Website, FEDERAL BUREAU OF INVESTIGATION (Sept. 22, 2011), https://archives.fbi.gov/archives/sanfrancisco/press-releases/2011/charges-in-distributed-denial-of-service-attack-against-santa-cruz-county-website.
49. TDOS: Telecommunication Denial of Service, FEDERAL BUREAU OF INVESTIGATION (May 14, 2010), https://www.fbi.gov/audio-repository/news-podcasts-inside-tdos-telecommunication-denial-of-service.mp3/view.
50. Id.
51. Id.
E. Cyber Extortion
A relatively new form of cyber-crime, cyber extortion involves using the threat of
releasing information compromised by a cyber-attack such as ransomware or hacking to
coerce an organization into paying criminals a ransom in exchange for a promise not to
release the data.52 The Dark Overlord attacks described above provide a clear example of
how cyber extortion schemes work: the criminals use phishing or ransomware to gain access
to student or employee information, and then use that information to send threatening
messages or demands for payment. A similar attack happened to Uber in October 2016. Uber
paid the hackers $100,000 to conceal a cyber-attack exposing the data of approximately 50
million customers and 7 million drivers.53 By concealing evidence of the attack, paying the
ransom, and potentially lying to the Federal Trade Commission while under investigation,
Uber provided a manual on how not to handle a cyber extortion threat.54
III. Applicable Law
A. Vendors, Banks, and Third Parties
District policies across the country that deal with financial transactions and the
parties to them do so in a relatively uniform fashion. In Texas, for example, school districts
have adopted a policy (using language mirrored in many other states) requiring all trustees,
employees, vendors, contractors, agents, consultants, volunteers, and any other parties
involved in a district’s financial transactions to act with integrity and diligence in duties
involving a district’s funds.55 While criminals may freely choose to ignore legal and
financial duties owed to school districts, vendors and other third parties cannot skirt such
obligations.56 As a result, the contracts between districts and entities such as vendors and
depository banks play a crucial role in determining liability and indemnification in the
event of a cybercrime. Districts should negotiate to include provisions in vendor
agreements for insurance payments, dispute resolution, progress payments, and accounting
records access.

52. See Sara Larson, Hackers are targeting schools, U.S. Department of Education warns, CNN (Oct. 18, 2017, 10:51 PM), http://money.cnn.com/2017/10/18/technology/business/hackers-schools-montana/index.html.
53. Zoë Bernard, Here’s how Uber reportedly tried to keep the lid on the data breach that affected 57 million people, BUSINESS INSIDER (Nov. 22, 2017, 11:00 AM), http://markets.businessinsider.com/news/stocks/how-uber-covered-up-data-breach-hack-affected-57-million-people-report-2017-11-1009106059.
54. See id.
Certain provisions in bank agreements may help prevent cybercrime on the front
end of an attack. Ideal bank agreements require verification of changes in wiring
instructions as well as vendor information. Bank agreements may also include provisions
requiring verification or confirmation for transfers above certain amounts. Verification of
changes in wiring instructions, vendor information, and large transfers should help keep
districts from falling victim to CEO fraud, business e-mail compromise, and other forms of
wire transfer fraud that rely on deception rather than technological sophistication.
Look once again at the example of Steve’s Sanitation and XYZ ISD. In this
scenario, Albert Administrator verifies the change in wiring instructions over the phone
with Casey Criminal (believing him to be a legitimate employee of Steve’s Sanitation).
Unfortunately, that call does little to hinder a criminal who anticipated that the District
might try to verify the change: Albert dialed the number printed in the very e-mail he was
trying to check, so the only thing the call confirmed was that the sender answers his own
phone. A call placed instead to the number already on file for Steve’s Sanitation (from the
executed contract or a prior invoice) would have reached Sally’s office rather than Casey.
Suppose, in addition, that the agreement between XYZ ISD and its bank contained a provision
requiring verification of changes in wiring instructions as well as vendor information.
Now the bank would need to take security measures beyond a simple phone call to confirm
these changes with both Steve’s Sanitation and XYZ ISD. The bank contacts Casey asking for
additional business information to verify the transfer, and when Casey cannot provide it,
the bank notifies Albert. Albert, now alerted, contacts Steve directly and thwarts Casey’s
entire scheme.
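The phishing discussion earlier in the paper and the Steve's Sanitation scenario just revisited both come down to the same two checks: does the request really come from the vendor's domain, and was the call-back placed to a number the district already held rather than one supplied by the requester. As an added example that is not code from the paper and not any district's or bank's actual system, the Python below models those checks as a gate a business office (or a depository bank acting under a verification provision) could run before accepting new wiring instructions. Vendor names, domains, phone numbers and account numbers are constructed for illustration; the paper's own e-mail addresses are not reproduced.

```python
"""Gate for changes to a vendor's payment instructions.

Added example, not from the paper and not any real district's or bank's
system. It checks three things before a new bank account is accepted:
the request came from the vendor's domain of record (a look-alike domain is
called out as such), the call-back went to the phone number on file from
the contract rather than the number printed in the request, and the person
reached is already a known contact. All names, domains, phone numbers and
account numbers below are constructed for illustration.
"""
from dataclasses import dataclass
import difflib
import re


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str          # domain seen on prior, genuine correspondence
    phone_on_file: str         # number from the executed contract, never from an e-mail
    known_contacts: frozenset  # people the district has dealt with before


@dataclass(frozen=True)
class ChangeRequest:
    vendor_name: str
    sender_email: str
    new_account_number: str
    phone_in_message: str      # number printed in the e-mail signature
    callback_phone_used: str   # number the verifier actually dialed
    person_reached: str        # who answered the call-back


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _digits(phone):
    return re.sub(r"\D", "", phone)


def domain_similarity(a, b):
    """0..1 ratio; look-alike domains score high while still differing."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def evaluate(req, vendor_master):
    """Return (decision, reasons); decision is 'accept', 'hold' or 'reject'."""
    vendor = vendor_master.get(req.vendor_name)
    if vendor is None:
        return "reject", ["no vendor of record with that name"]
    reasons = []
    sender = _domain(req.sender_email)
    if sender != vendor.email_domain:
        sim = domain_similarity(sender, vendor.email_domain)
        kind = "look-alike of" if sim >= 0.8 else "different from"
        reasons.append(f"sender domain {sender} is a {kind} the vendor domain "
                       f"{vendor.email_domain} (similarity {sim:.2f})")
    if _digits(req.callback_phone_used) != _digits(vendor.phone_on_file):
        reasons.append("call-back was not placed to the phone number on file")
        if _digits(req.callback_phone_used) == _digits(req.phone_in_message):
            reasons.append("call-back used the number printed in the request "
                           "itself, which only confirms the requester")
    if reasons:
        return "reject", reasons
    if req.person_reached not in vendor.known_contacts:
        # Domain and number check out, but a genuine mailbox can still be
        # compromised: hold for a second approver instead of accepting.
        return "hold", [f"call-back reached {req.person_reached}, who is not a known contact"]
    return "accept", []


# Constructed data for the Steve's Sanitation / XYZ ISD scenario.
VENDOR_MASTER = {
    "Steve's Sanitation Services": VendorRecord(
        name="Steve's Sanitation Services",
        email_domain="stevessanitation.example",
        phone_on_file="(214) 555-0100",
        known_contacts=frozenset({"Sally", "Steve"}),
    ),
}

# Casey's request: look-alike domain, and Albert dials the number in the e-mail.
FRAUDULENT_REQUEST = ChangeRequest(
    "Steve's Sanitation Services", "sally@stevessanitation-services.example",
    "99887766", "(214) 555-0199", "(214) 555-0199", "Casey")

# A genuine change from Sally, verified by calling the contract number.
LEGITIMATE_REQUEST = ChangeRequest(
    "Steve's Sanitation Services", "sally@stevessanitation.example",
    "11223344", "(214) 555-0100", "(214) 555-0100", "Sally")

# Right domain (Sally's real mailbox may be compromised), so only the
# call-back can catch it; here it reaches someone not on file.
COMPROMISED_MAILBOX_REQUEST = ChangeRequest(
    "Steve's Sanitation Services", "sally@stevessanitation.example",
    "55667788", "(214) 555-0100", "(214) 555-0100", "Pat")


if __name__ == "__main__":
    for label, req in [("fraud", FRAUDULENT_REQUEST),
                       ("legitimate", LEGITIMATE_REQUEST),
                       ("compromised mailbox", COMPROMISED_MAILBOX_REQUEST)]:
        decision, why = evaluate(req, VENDOR_MASTER)
        print(f"{label}: {decision} {why}")
```

The third case is the one the domain check alone cannot catch: the BEC definition earlier in the paper covers compromised legitimate accounts, so a request from the right domain still earns only a hold until a known contact confirms it over the number on file.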
55. See, e.g., Dallas Indep. Sch. Dist. Bd. Policy CAA (LOCAL); Fort Worth Indep. Sch. Dist. Bd. Policy CAA (LOCAL); Houston Indep. Sch. Dist. Bd. Policy CAA (LOCAL) (“All board members, employees, vendors, contractors, consultants, volunteers, and any other parties who are involved in the District’s financial transactions shall act with integrity and diligence in duties involving the District’s fiscal resources.”).
56. Id.
While the monetary loss resulting from a cybercrime scheme typically represents
the most immediate harm to a school district, a successful cybercriminal act involving a
vendor will also cause significant harm to the vendor-district relationship. Using Texas
once again as an example, in the event of a wire transfer fraud leading to nonpayment of a
vendor, a district’s payment becomes overdue on the 31st day after the date on which the
district received the goods under the contract, or the date which performance of services
under contract was completed, or the date on which the district received the invoice for the
goods or services, whichever is latest.57 If the district’s board of trustees meets only once
a month, payment becomes overdue on the 45th day after the date of receipt of goods,
performance of services, or receipt of invoice, whichever date falls latest.58 Additionally,
payments to vendors begin to accrue interest on the date the payment becomes overdue.59
The unpaid balance of a partial payment made within the prescribed period accrues interest,
unless the balance is in dispute.60
Nonpayment to a vendor after a cybercrime may also disrupt performance.61 A
vendor may suspend performance under a contract with a district if the district does not pay
the vendor an undisputed amount within the specified time limits and the vendor gives the
district written notice informing the district that payment has not been received and stating
the intent of the vendor to suspend performance for nonpayment.62 Fortunately, many
districts have long-term relationships with many vendors, which may lessen the likelihood
that a vendor simply stops performance for nonpayment. But districts should remain aware
that vendors have this right.
Districts may have legal remedies against vendors and banks in certain situations.
For example, a district may have a negligence claim against a vendor whose failure to take
reasonable precautions at least partially caused the district to lose funds through a
fraudulent transfer. Such precautions might include maintaining adequate security software
to block an incoming cyber-attack, or securing the vendor’s own e-mail accounts so that they
cannot be taken over and used to send fraudulent payment instructions. In these cases, the
vendor may also have failed to mitigate damages. The vendor should immediately alert both
the district and law enforcement once it becomes aware of a breach involving district funds
or the vendor’s accounts. Failure to do so could cause additional loss of funds for the
district if it is unable to recoup wired money due to untimely notice from the vendor.

57. TEX. GOV’T CODE § 2251.021 (West 2018) (for contracts executed on or after September 1, 1987).
58. Id.
59. Id. §§ 2251.025, 2251.029.
60. Id.
61. Id. § 2251.051.
62. Id.
Cybercrimes involving wire transfers may create a question of whether the
transferring bank used a commercially reasonable security procedure prior to wiring the
money under Article 4A of the Uniform Commercial Code.63 The commercial
reasonableness of a security procedure is a question of law to be determined by considering
the wishes of the customer expressed to the bank, the circumstances of the customer known
to the bank, including the size, type, and frequency of payment orders normally issued by
the customer of the bank, alternative security procedures offered to the customer, and
security procedures in general use by customers and receiving banks similarly situated.64
A security procedure is deemed to be commercially reasonable if: (1) the security
procedure was chosen by the customer after the bank offered, and the customer refused, a
security procedure that was commercially reasonable for the customer; and (2) the
customer expressly agreed in writing to be bound by any payment order, whether or not
authorized, issued in its name and accepted by the bank in compliance with the security
procedure chosen by the customer.65 The practical consequence for a district is that
declining the procedure its bank offers (for example, dual authorization or call-back
confirmation of payment orders) and agreeing in writing to a weaker one shifts to the
district the loss from a fraudulent order that passes the weaker procedure.
The Bank Secrecy Act also places requirements on banks with regard to
transactional recordkeeping.66 Each agent, agency, branch, or office of a bank located
within the United States is subject to recordkeeping requirements for any funds transfer in
the amount of $3,000 or more.67 For each payment order that it accepts as an originator’s
bank, a bank shall obtain and retain either the original or a copy, or electronic record of the
following information relating to the payment order:68
(A) The name and address of the originator;
(B) The amount of the payment order;
(C) The execution date of the payment order;
(D) Any payment instructions received from the originator with the payment order;
(E) The identity of the beneficiary’s bank; and
(F) As many of the following items as are received with the payment order:
1. The name and address of the beneficiary;
2. The account number of the beneficiary; and
3. Any other specific identifier of the beneficiary.

63. TEX. BUS. & COM. CODE § 4A.202 (West 2018).
64. Id. § 4A.202(c).
65. Id.
66. Records Required to be Maintained by Banks, 31 C.F.R. § 1020.410 (2016).
67. See id. § 1020.410(a).
68. Id. § 1020.410(a)(1)(i).
In addition, every bank must file a report of any suspicious activity relevant to a
possible violation of law or regulation.69 A transaction requires reporting under the Bank
Secrecy Act if it is conducted or attempted, by, at, or through the bank, it involves or
aggregates at least $5,000 in funds or other assets, and the bank knows, suspects, or has
reason to suspect that the transaction involves funds derived from illegal activities.70
Unfortunately, the Bank Secrecy Act does not create a private right of action for bank
customers. Still, it does create conditions under which cybercrime may be readily detected,
reported, and possibly thwarted, thus mitigating its effect.
A bank may be liable for a breach of the depository contract with the district if it
failed to abide by the agreement. Most commonly, the bank will have failed to follow
security procedures delineated in the contract. In Texas, for example, depository banks
contracting with a school district must file a bond in an initial amount equal to the estimated
highest daily balance, determined by the board of trustees of the district, of all deposits that
the school district will have in the depository during the term of the contract, less any
applicable Federal Deposit Insurance Corporation coverage.71 The depository bank must increase the
amount of the bond if the board of trustees determines it to be necessary to adequately
protect the funds of the school district deposited with the depository bank.72 Finally, the
bond is partially conditioned upon the faithful keeping of school funds by the depository
and the accounting for the funds according to law.73 Districts should ensure the depository
bank followed these statutory requirements.
69. Reports Required to be Made by Banks, 31 C.F.R. § 1020.320 (2011).
70. Id. § 1020.320(a)(2)(i).
71. TEX. EDUC. CODE § 45.208(b) (West 2018).
72. Id.
73. Id. § 45.208(c).
IV. Prevention Efforts & Breaches
A. FBI-Recommended Prevention Efforts
School districts should keep to the old adage that “an ounce of prevention is
worth a pound of cure” when considering how to deal with the body of cyber threats
against them. They may take some solace in the knowledge that there are entities
that have successfully faced these threats and have helped others to do so. Most
notable among them is the Federal Bureau of Investigation.
According to the FBI, cyber criminals seek to exploit schools because they are
attractive, data-rich environments.74 The 2017 large scale school district hacking
effort previously mentioned allowed cybercriminals to gain a mass of data that
included “student medical records, counselor reports, education plans, learning
disabilities, homework assignments, and contact information.”75 Also in 2017,
cybersecurity failures at two large educational technology (EdTech) companies
allowed the public exposure of student data, in one case because it was stored on a
public-facing server, and in the other because the company suffered a breach
resulting in the posting of data for sale on the Dark Web.76
Connected EdTech allows criminals to exploit improperly secured networked
devices issued to students that collect data and monitor children in their homes or at
school by way of pre-installed remote access capabilities intended for tracking
student progress or online behavior.77 Other devices that may be remotely accessed
are student device location trackers, webcams, microphones, security cameras, and
the like.78 Essentially, all digital tools and data collection carry with them an inherent
associated cybersecurity risk. Stakeholders (i.e. district personnel, students, parents,
service providers, etc.) need to be aware of these risks.
74. Private Industry Notification No. 20180802-001, FEDERAL BUREAU OF INVESTIGATION (Aug. 2, 2018).
75. Id.
76. Id.
77. Id.
78. Id.
Depending on the school district, EdTech services may be chosen and
authorized by teacher and administrator alike. To mitigate this risk and those
addressed above, the FBI suggests that all education stakeholders contemplate the
following:79
• The current scope and limitations of the Family Educational Rights and
Privacy Act (FERPA), Protection of Pupil Rights Amendment (PPRA), the
Children’s Online Privacy Protection Act (COPPA), and state laws as they
apply to EdTech, specifically to EdTech’s collection, storage, use, and sharing
of data.
• Getting involved with organizations that can provide support and resources
for navigating the integration of technology and cybersecurity into schools.
• Requiring EdTech companies to be transparent in their contracts, services,
and policies, particularly concerning data privacy and cybersecurity
provisions.
• Considerations for student data protections include (but are not limited to):
o What kind of student data is being collected and tracked (e.g., PII,
academic, disciplinary, medical, biometric, IP addresses);
o Who maintains the data (e.g., company servers, cloud storage, third
parties);
o What data security practices are employed (e.g., encryption in transit
and at rest, security audits, security training of staff, audit logs);
o Who has access to the data (e.g., vendors, third parties);
o How the data is used (e.g., is it sold to or shared with third parties for
service enhancement, product development, studies,
marketing/advertising);
o Whether de-identification practices are used with the student data;
o Existing policies on data retention and deletion;
o Existing policies on data breach notifications and remediation; and
o Schools’ transparency with parents about what types of EdTech are
being used in classrooms.

79. Id.
The FBI has provided new recommendations on how to prevent future cyber-
attacks due to the rise of crime against organizations such as school districts,
colleges, and hospitals.80 Specifically, the FBI recommends the following
prevention efforts to help deter future attacks and breaches:81
• Make sure employees are aware of ransomware and of the employees’
  critical roles in protecting the organization’s data.
• Patch operating systems, software, and firmware on digital devices.
• Ensure antivirus and anti-malware solutions are set to automatically
  update and conduct regular scans.
• Manage the use of privileged accounts – no users should be assigned
  administrative access unless absolutely needed, and only use
  administrator accounts when necessary.
• Configure access controls, including file, directory, and network share
  permissions, appropriately. If users only need to read specific information,
  they do not need write access to those files or directories.
• Disable macro scripts from office files transmitted over e-mail.
• Implement software restriction policies to prevent programs from
  executing from common ransomware locations.
The FBI also encourages technology and information security officials to
protect their networks by adhering to numerous best practices that include:82
• Changing passwords and not reusing passwords for multiple accounts.
• Using two-factor authentication.
• Being careful when giving out contact information.
• Being wary of social engineering tactics aimed at revealing sensitive
  information.
• Auditing which accounts are utilizing remote access.
• Establishing whitelist access for any remote access.
• Disabling remote access if not in use.
• Auditing logs for all remote connection protocols.
• Auditing all user accounts with administrative privileges to ensure they
  are authorized for that specific role.
• Auditing logs to ensure all new accounts were intentionally created.
• Scanning for, and remediating, open or listening ports.
• Ensuring software or firmware updates are applied as soon as the device
  manufacturer releases them.
80 Incidents of Ransomware on the Rise: Protect Yourself and Your Organization, FEDERAL BUREAU OF INVESTIGATION (Apr. 29, 2016), https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.
81 Id.
82 Private Industry Notification No. 20180802-001, supra.
These prevention measures and best practices, used in conjunction with
continuity efforts such as regular data backups, will strengthen organizational
defenses against common forms of cyber breaches.83
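As an added example (not part of this paper or of the FBI notice it cites), the following Python script applies three of the auditing items in the list above to a handful of constructed log lines: it flags new accounts created without a change ticket, administrative-group additions for accounts outside an approved list, and remote logons by accounts not on the remote-access allow-list. Every account name, group name, ticket number, address and log line is constructed for the example.

```python
"""Audit constructed security-log lines for three of the FBI checks above:
new accounts created intentionally, administrative rights held only by
approved people, and remote access limited to an allow-list.
Every account, group, ticket and log line here is constructed for the example."""
import re

# Constructed sample log, one "timestamp EVENT key=value ..." record per line.
# Values contain no spaces so the parser can split on whitespace.
SAMPLE_LOG = """\
2018-11-07T08:02:11 ACCOUNT_CREATED by=jsmith account=t.lopez ticket=CHG-1042
2018-11-07T08:05:40 GROUP_ADD by=jsmith account=t.lopez group=Staff
2018-11-07T23:41:09 ACCOUNT_CREATED by=svc_backup account=helpdesk2 ticket=
2018-11-07T23:42:30 GROUP_ADD by=svc_backup account=helpdesk2 group=DomainAdmins
2018-11-08T03:15:02 REMOTE_LOGON account=helpdesk2 protocol=RDP src=203.0.113.7
2018-11-08T09:30:00 REMOTE_LOGON account=t.lopez protocol=VPN src=198.51.100.5
"""

ADMIN_GROUPS = {"DomainAdmins", "Administrators"}   # groups that confer admin rights
APPROVED_ADMINS = {"jsmith"}                       # accounts authorized for admin rights
REMOTE_ALLOWLIST = {"t.lopez"}                     # accounts approved for remote access
TICKET_RE = re.compile(r"^CHG-\d+$")               # shape of a valid change ticket

def parse_line(line):
    """Return (timestamp, event, fields) or None for a malformed line."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return parts[0], parts[1], fields

def audit(log_text):
    """Return a list of (timestamp, account, reason) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, event, f = parsed
        acct = f.get("account", "?")
        if event == "ACCOUNT_CREATED" and not TICKET_RE.match(f.get("ticket", "")):
            findings.append((ts, acct, "account created without a change ticket"))
        elif event == "GROUP_ADD" and f.get("group") in ADMIN_GROUPS \
                and acct not in APPROVED_ADMINS:
            findings.append((ts, acct, "admin group membership not on approved list"))
        elif event == "REMOTE_LOGON" and acct not in REMOTE_ALLOWLIST:
            findings.append((ts, acct, "remote access by account not on allow-list"))
    return findings

if __name__ == "__main__":
    for ts, acct, reason in audit(SAMPLE_LOG):
        print(f"{ts} {acct}: {reason}")
```

The three findings all concern the same constructed account, which is the pattern the FBI list is meant to surface: an account nobody asked for, given administrative rights, then used for remote access.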
B. Cyber Risk Assessments
Districts may want to consider cyber risk assessments as an independent test
of cybersecurity or as a component of a district’s more general security auditing.
According to the National Institute of Standards and Technology (“NIST”), a cyber
risk assessment should help an organization understand the cybersecurity risk posed
to organizational operations, organizational assets, and individuals.84 Risk
assessments will likely involve a combination of reviewing the threats against the
district (i.e. who or what may cause harm), identifying vulnerabilities (i.e. how
harm may occur), and checking the consequences for the district in the event of a
cyber-attack (i.e. what district assets may be harmed or data compromised, and to
what degree).85 Such assessments are facilitated by understanding the tactics,
techniques, and procedures (TTPs) that cyber actors have used in the past,
and will likely use in the future, to target and exploit school districts.86 One
risk assessment tool, the vulnerability assessment, scans the district’s network to
evaluate whether security software is current and tests for known vulnerabilities.87
Districts may also use outside firms to conduct independent penetration testing to
help identify the effectiveness of district cybersecurity measures.88 The focus of
the cybersecurity risk assessment is on the value of information and the costs
involved if that information is destroyed, damaged, or stolen.89 The value of
information is established at a strategic level, and costs are defined in strategic
terms like the public relations effort needed to restore public perception and
defending against litigation.90 The risk assessment is the only tool ideally
suited for strategic discussion and decision making in the context of
cybersecurity risk management.91 Vulnerability assessments and penetration
tests are the tactical solutions used to conduct strategic risk assessment and
are simple, effective ways to ensure that appropriate resources (i.e. funds and
effort) are being spent on targeted threats.92
83 Incidents of Ransomware on the Rise: Protect Yourself and Your Organization, supra.
84 Steve Chabinsky, Best Practices for Conducting a Cyber Risk Assessment, SECURITY MAGAZINE (Nov. 2, 2015), https://www.securitymagazine.com/articles/86754-best-practices-for-conducting-a-cyber-risk-assessment.
85 See id.
C. Breaches
States vary in how they define what constitutes a data security breach.
California defines a “breach of the security of the system” as an
“unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained by the agency.”93
Texas defines a data security breach as the “unauthorized acquisition of
computerized data that compromises the security, confidentiality, or integrity
of sensitive personal information maintained by a person, including data that
is encrypted if the person accessing the data has the key required to decrypt
the data.”94 While most states define a data breach using the term
“unauthorized acquisition,” a large minority define a breach as a combination
of access and acquisition of data.95 In a few states, access alone will constitute
the breach.96 Fifteen states (namely Arizona, Hawaii, Kansas, Massachusetts,
Montana, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South
Carolina, Utah, Virginia, West Virginia, and Wyoming) require that the
“unauthorized access and/or acquisition of data cause, or be reasonably likely
to cause, harm” that may “take the form of economic loss, identity theft, or
fraud.”97
86 Id.
87 Id.
88 Id.
89 Rob Arnold, 3 Types of Cybersecurity Assessments, https://threatsketch.com/3-types-cyber-security-assessments/.
90 Id.
91 Id.
92 Id.
93 CAL. CIV. CODE § 1798.29(f).
In response to a cyber-attack or data breach, an institution should first
appoint an incident manager to oversee the resolution of the case. The technology
department may then need to temporarily disable servers to prevent further attacks
or the spread of an infection, and backup or recovery systems might need to be
activated. The institution should immediately contact law enforcement—preferably
the regional FBI office—and establish contact with an agent who has knowledge
and background in cyber-crime.
If the crime involves theft of funds, the institution should contact its banks
and closely monitor all transactions. While the institution investigates the theft, all
payments to vendors should be double-checked and authorized by a high-level
administrator. The institution should save all evidence of the crime, including
emails, phone logs, and payment records. These will assist law enforcement in the
recovery of funds. Then, the institution should contact its insurance carrier to
determine if the incident is covered by a policy.
If student data was compromised, the institution may need to notify the
Office of Federal Student Aid and/or the Family Policy Compliance Office—the
federal agency that polices the Family Educational Rights and Privacy Act, or
FERPA. A self-report may be required by law, so consultation with an attorney is
key. Additionally, notices should be sent to affected individuals (i.e. students,
parents, guardians, etc.) whose information was stolen. These persons should
receive advice on how to protect their identities and minimize the damage caused
by the breach. The institution should consider providing free or reduced-price credit
monitoring services.
94 TEX. BUS. & COM. CODE § 521.053(a).
95 Jill Greenfield, Protecting Personal Information: Managing and Preventing Data Security Breaches (July 22, 2016), NATIONAL SCHOOL BOARDS ASSOCIATION, https://cdn-files.nsba.org/s3fs-public/reports/InquiryAnalysis%20-%20Aug%202016.pdf?TboRvF.9IHJX3wTWDKujhSuGGrAG4_Kr.
96 Id.
97 Id.
The institution should notify any involved vendors so these organizations
can tighten security and assist with the possible recovery of funds. Sometimes, a
vendor’s employee may actually be responsible for the crime. In such a case, legal
action against the vendor could be warranted.
Some state statutes obligate school districts to notify the state’s Attorney
General (and more specifically the Office of Consumer Protection or equivalent) if
the breach affects a particular number of individuals (usually 500 or 1,000
persons).98 They may also require notification of the breach to consumer reporting
agencies if a set threshold of impacted persons is reached (ranging from 500 to
10,000 people).99 Those that amass records on a nationwide basis must be made
aware of the content, distribution, and timing of the notices.100
Finally, the institution should work to close the security gaps that allowed
for the crime to occur. This may include providing additional education to
employees and students, improving technological security, reviewing protocol, and
establishing closer relationships with vendors.
Still, closing security gaps may be a difficult proposition due to competing
interests and purposes in state legislation. In Texas, for example, “an operator [of
a website, online service or application or mobile application] must implement and
maintain reasonable security procedures and practices designed to protect any
covered information [i.e. student personally identifiable information] from
unauthorized access, deletion, use, modification, or disclosure.”101 Despite this
mandate for security, a competing Texas statute requires that student assessment
data be easily accessed by a student’s parent and authorized school district
employees, and in the case of general data, the public.102 Such opposing
requirements and competing interests may be difficult to reconcile and could create
conditions ripe for facilitating exposure of data.
98 Greenfield, supra.
99 Id.
100 Id.
101 TEX. EDUC. CODE § 32.155.
V. Conclusion
Colleges, school districts, hospitals, and other public entities provide
attractive targets for cyber criminals. These institutions may have large wallets, and
typically store the data of hundreds or thousands of individuals. Moreover, schools
increasingly rely on electronic data and media for a variety of purposes in both
administrative and educational capacities. As a result, the opportunities for cyber
exposure likewise increase. Institutions should remain vigilant in monitoring for
potential attacks, and never hesitate to contact law enforcement or legal counsel in
the case of a breach. Institutions will likely improve their chances of defending
against the next wave of cyber-attacks by remaining vigilant against new threats,
and taking appropriate preventive measures going forward. Cyber-attacks are no
longer science fiction, even if the attackers call themselves Dark Overlord.
102 TEX. EDUC. CODE § 32.258.