69ý

Special Report
Privacy & Security

Threat of Data-Privacy Litigation Fuels District Insurance Purchases

By Malia Herman — October 19, 2015 6 min read
  • Save to favorites
  • Print
Email Copy URL

As more large, well-known companies—such as Anthem health insurance, Home Depot, and Target—, school districts have begun to realize they could be next.

Some have taken out a new kind of insurance policy called cyberinsurance. Unlike traditional property insurance or general-liability insurance, these new policies are geared specifically toward protecting data, both digital and print, in the event of a breach.

“It’s becoming something that is hard to ignore, and companies across the spectrum are realizing that, and school districts are starting to realize it as well, because of the large amount of data they hold,” said Andrew Laubmeier, a cyber-risk broker with Aon Risk Solutions’ Financial Services Group, one of many brokerage firms now offering cyberpolicies to school districts.

John Gambale, the head of professional liability, Americas region, for the American International Group, or AIG, said student data are “highly sought after” on the black market, and most schools lack the resources to adequately protect the data. “Thieves look at the potentially antiquated IT systems and see them as very appealing targets,” he said, explaining that AIG offers cyberinsurance to schools as well as technology and training to prevent a breach.

Cyberpolicies typically cover data breaches whether they are accidental, such as an employee losing a laptop or emailing sensitive information to the wrong person, or via a coordinated hacking attack.

Expenses following any of those scenarios could be astronomical, depending on how many current or former employees’ or students’ information was compromised. Laws differ by state on who must be notified, how quickly, and how the notifications must be handled.

Cyberinsurance covers all notification costs, as well as the cost of investigating how the breach occurred, who could be affected, and legal assistance to determine notification requirements. Some policies also cover credit-monitoring services and media relations, in addition to third-party costs in the event of a civil lawsuit or class action.

It’s unclear how many districts have purchased cyberpolicies. Laubmeier said Aon covers several districts but declined to say exactly how many. “We are seeing a very large uptick in the number of school districts that have inquired about the possibility of cyberinsurance,” he said.

Mr. Gambale also declined to say how many school systems AIG covers, but said it’s definitely an area of growth. 69ý and institutions of higher education are now listed as a category in his firm’s risk portfolio.

“Two years ago, that segment was not big enough for me to track,” he said, adding that across all industries, his firm’s cyberinsurance portfolio has increased 30 percent in the past year.

‘Easy Target’

Trudy Sowar, the director of risk-management services for the Georgia School Boards Association, which provides pooled-insurance coverage to districts via Marsh Insurance, has for the past three years. So far, 59 of the 95 districts in Georgia have taken the coverage.

“If you really think about it, we are probably some of the most fertile ground [for a cyberattack],” she said, referring to the copious amount of personal data—Social Security numbers, medical records, payroll information—that each school district keeps on file.

Michael A. Alao, a former chief internal-audit executive for the Cincinnati school district, said Sowar is right. In fact, he said, districts provide easy targets for cyberthieves.

“If you are going to scam someone, you go against an easy target,” Alao said, pointing out that not all districts have an auditor or a chief technology officer to maintain tight security controls and firewalls.

Sowar said the cost of the coverage is relatively low, about $1 per student. Since many of the state’s school districts have fewer than 10,000 students, it ends up not being that expensive, she said.

Still, there has been some pushback.

“Sometimes, it’s that the technology officer believes that their firewalls are going to protect them,” she said. “And sometimes, it’s a financial issue because we’ve seen so many cuts to school funds lately.”

Why Districts Buy Cyberinsurance

A growing number of districts around the country have recently bought insurance policies with coverage for data-privacy risks. Among them:

GARDEN CITY, N.Y. | Enrollment: 4,000

The district has a new cyberinsurance policy starting this school year with Lloyd’s of London at a cost of about $11,000 a year.

What the insurance covers: The school’s cyberpolicy is in addition to general-liability and property insurance. It would compensate the district for the expenses incurred by making the required notifications in the event of a data breach. It also includes catastrophic insurance to protect the district in the event of a lawsuit stemming from the breach.

Why it purchased cyberinsurance: The Anthem health-insurance data breach this past February was a real “wake-up call,” said Superintendent Robert Feirsen. The district had already been working on making sure its network was secure, but Feirsen said schools needed added protection.

“We have a tremendous amount of data that we store, and a lot of it is personal, regarding the students and staff, and also financial, plus confidential information as well. It’s a brave new world for everyone. Several years ago, this would not even have been a blip on the radar.” - Robert Feirsen

ANN ARBOR, MICH. | Enrollment: 17,000

The school district has had a cyberinsurance policy from Zurich Insurance Group since February 2014.

What the insurance covers: The supplemental-insurance policy covers the cost of regulatory proceedings related to a data breach, Internet media liability (e.g., invasion of privacy, slander, plagiarism, copyright infringement or negligence related to Internet content), privacy-breach costs, cyberextortion and threats, and reward/payment coverage. The plan costs $25,155 per year, compared with about $800,000 the district pays in other liability-insurance coverage each year.

Why it purchased cyberinsurance: Judy Solowczuk, the district’s executive assistant for finance and operations, said the district’s insurance agency recommended the coverage, and since Ann Arbor is a district with lots of sensitive data, she thought it was time for protection. Solowczuk said the cost of the insurance was a “drop in the bucket compared to what it might cost us if we had a cyberattack or something was breached.”

“When you see Target and all these big companies being breached, it’s scary. We aren’t as big, but if someone hacked into our system, they could really do some damage.” - Judy Solowczuk

PAULDING COUNTY, GA. | Enrollment: 28,500

The school system has had cyberinsurance since July 2014. The district pays about $25,000 a year for the policy, which is through the Georgia School Boards Association’s pooled-insurance plan with Marsh, a global provider in insurance brokering and risk management and a subsidiary of Marsh & McLennen Companies.

What the insurance covers: The policy is an add-on to other insurance the school district has, such as workers’ compensation, general-liability, and property and casualty insurance. It covers the costs of investigating the breach, making the required notifications, and any related lawsuits.

Why it purchased cyberinsurance: About 10 years ago, the district was the victim of a “phishing” attack by hackers out of St. Petersburg, Russia. A man walked into the bank that the school district used and withdrew money using the district’s password. The bank was not required to compensate the district, but it chose to refund most of the money that was taken. Superintendent Cliff Cole said the incident shows that “everyone is vulnerable.” When the cyberinsurance policy was first offered, he said it was a “no brainer” to sign up.

“Unfortunately, the society we live in today, it’s almost weekly that you hear about someone’s files being hacked or someone’s identity being stolen. So many people are concerned now about identity theft and privacy rights. It’s another layer of protection for our students and employees.” - Cliff Cole

A version of this article appeared in the October 21, 2015 edition of Education Week as Threat of Data-Privacy Litigation Prompts Districts to Buy Insurance

Events

School & District Management Webinar Crafting Outcomes-Based Contracts That Work for Everyone
Discover the power of outcomes-based contracts and how they can drive student achievement.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
Harnessing AI to Address Chronic Absenteeism in 69ý
Learn how AI can help your district improve student attendance and boost academic outcomes.
Content provided by 
School & District Management Webinar EdMarketer Quick Hit: What’s Trending among K-12 Leaders?
What issues are keeping K-12 leaders up at night? Join us for EdMarketer Quick Hit: What’s Trending among K-12 Leaders?

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.

Read Next

Privacy & Security What Teachers Need to Know About Changes to Instagram Teen Accounts
The adjustments come as Meta faces multiple lawsuits from states and school districts.
4 min read
Close up photo of Black teen looking at Instagram photos on her cellphone.
Anastasia_Prish/Getty
Privacy & Security Download A Tip Sheet to Help Teachers Prevent and Respond to Doxxing
Teachers can be a target for malicious actors. Use this tip sheet to prevent and respond to doxxing.
1 min read
Image of digital safety against doxxing and privacy invasion.
Laura Baker/Education Week via Canva
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For 69ý And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by 
Privacy & Security What 69ý Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Photo illustration of a key on a digital background of zeros and ones.
E+