The utility of incident response plans for data breaches in higher education.

摘要

This study intended to determine if an incident response program for data breaches in higher education provides a proactive approach to protecting an institution's cost for recovery and slow the economic damages for individuals whose personal information was stolen in a data breach. An analysis of the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Graham-Leach-Bliley Act (GLBA) revealed extensive legislative mandates for protecting student confidential information in higher education. Despite federal and state mandates to secure data in physical and electronic formats, education institutions experience challenges with data protection. Data is a valuable commodity, so even with strong security controls and meticulous risk management practices in place, it is still possible for a data breach to occur. The federal government recommends an Incident Response Plan for institutions of higher education to prepare for and mitigate a data breach, but the development and implementation of an Incident Response Plan is expensive. Ambiguity among state notification laws allows for confusion about who is to report a data breach, how long an institution can wait before reporting the breach, and what exact information is necessary to report in a notification letter. Higher education institutions can use a risk analysis to their advantage and skip reporting a data breach to affected individuals. The research proposed the establishment of a standardized federal data breach law. Without government intervention, many people may continue to have their private and personal information stolen and never know about it.