Online threats getting attention of area school districts

By Russ O’Reilly

Cybersecurity breaches happen every day.

Recent attacks on retailers are prime examples.

But it’s not just large corporations that are open to cyberthreats. Any organization holding sensitive information on anyone outside of their organization is vulnerable to a privacy breach through cyberspace.

Data breaches at school districts can mean half a million dollars in costs.

And it’s not just sophisticated hackers staying up all night who can wreak havoc on school networks.

In May 2008, a 15-year-old student of a Pennsylvania school district broke into the school’s computer system and accessed names, Social Security numbers and addresses.

Hollidaysburg Area School District’s insurance broker Bridget Glass of S&T Evergreen insurance used that example during a presentation about insurance covering cyber-related liabilities.

One hundred forty-nine of the state’s 500 school districts purchase insurance for cyberthreats. Those school districts purchase the insurance through the Pennsylvania School Boards Association, underwritten by Swett & Crawford.

Hollidaysburg Area is among the districts poised to join those schools. But the board is considering proposals from a few companies.

PSBA spokesman Steve Robinson said there are probably more districts joining this new movement to protect against cyberthreats, but the PSBA only records districts that purchase its insurance.

“Protection against cyberthreats is something districts need to be talking about and individuals need to talk about. As we get more technical … it’s necessary for people to be aware of the risks,” he said.

According to statistics provided by Glass during a July Hollidaysburg Area School Board meeting, 21 percent of cyberbreaches come from outside hackers; 15 percent come from insiders such as disgruntled employees.

Unauthorized access to a network, a misplaced laptop or USB drive are other scenarios that result in compromised confidential information.

Glass said the solution is to transfer that risk through insurance. The PSBA plan that Glass presented would provide a maximum coverage of $1 million over 12 months.

The policies she presented for the board covered costs of third-party forensic services in the event of a security failure, transmission of malware and expenses involved with complying with state law requiring the district to notify people potentially affected by a breach.

The district has no policy now, so Glass started to get the district looking at policies with a $1 million aggregate limit.

“Is the limit enough?” board member Aaron Ritchey asked.

Because of the potentially hefty costs of just one incident, the board may look at higher coverage limits for data breaches.