The worlds of cyber insurance and cybersecurity are as intertwined as homeowners insurance and home security. The difference? One is established and familiar. But cyber is, relatively, nascent. In a seeming hat-tip to that reality, Marymount Manhattan College has avoided a $1 million fine and gained a $3.5 million investment in data security. Albeit their $3.5 million.
New York Attorney General Letitia James announced today that she has reached an agreement with Marymount Manhattan College (MMC) to invest $3.5 million in data security to protect students’ online data. The agreement follows an investigation by the AG’s Office, which found that MMC failed to properly secure its network infrastructure. Additionally, it failed to update its policies to address new security concerns. The agreement allows Marymount to avoid a $1 million fine.
“In the modern digital age, companies and universities alike must do a better job at safeguarding the personal information with which they are entrusted. This agreement will help ensure that future classes of MMC students, faculty, and alumni will have their online data protected,” said Attorney General James.
The Hack:
In November 2021, a hacker gained access to MMC’s technical infrastructure and stole online data belonging to nearly 100,000 New Yorkers. Those impacted included current and prospective students, faculty, and alumni. The data included social security numbers, bank and credit card numbers, passport numbers, driver’s license numbers, and medical information. Some of the data was over 10 years old and from applicants who never attended MMC.
The hacker then encrypted the information and demanded a ransom in exchange for the return of the information.
Following the cyber-attack, the Attorney General’s Office opened an investigation into the breach and MMC’s privacy and data security practices. The investigation concluded that MMC failed to adequately safeguard personal information. This included failing to use multi-factor authentication for accounts and not encrypting sensitive data. They also failed to update both their security policies and firmware in response to new security threats. MMC paid the ransom. The stolen data? Deleted.
Requirements:
- Maintaining a comprehensive information cybersecurity program that includes regular updates to keep pace with changes in technology and security threats;
- Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
- Maintaining reasonable policies to perform security updates and patch management;
- Enabling multifactor authentication for users logging into MMC’s networks;
- Scanning for vulnerabilities and potential weaknesses; and
- Publicly sharing the university’s plan on the purpose of the personal information it collected and retained, and the timeline for its deletion.
The agreement continues Attorney General James’ efforts to protect the personal information of New Yorkers and hold companies accountable for their poor data security practices.
Analysis:
The agreement between Attorney General James and MMC is a significant step in protecting the personal information of students and other members of the college community. The $3.5 million investment that MMC is required to make will help to improve the school’s data security posture and reduce the risk of future breaches.
The agreement also sends a strong message to other colleges and universities that they must take steps to protect the personal information of their students and staff. In the digital age, it is more important than ever for organizations to have robust data security practices in place.
Implications for Consumers:
The agreement between Attorney General James and MMC is a reminder to consumers that they have a right to have their personal information protected. When consumers provide their personal information to a company or organization, they have a right to expect that the company will take steps to safeguard that information.
If consumers believe that their personal information has been compromised in a data breach, they should take steps to protect themselves, such as changing their passwords and monitoring their credit reports for fraudulent activity. Consumers should also report data breaches to the appropriate authorities.