As more large, well-known companies鈥攕uch as Anthem health insurance, Home Depot, and Target鈥, school districts have begun to realize they could be next.
Some have taken out a new kind of insurance policy called cyberinsurance. Unlike traditional property insurance or general-liability insurance, these new policies are geared specifically toward protecting data, both digital and print, in the event of a breach.
鈥淚t鈥檚 becoming something that is hard to ignore, and companies across the spectrum are realizing that, and school districts are starting to realize it as well, because of the large amount of data they hold,鈥 said Andrew Laubmeier, a cyber-risk broker with Aon Risk Solutions鈥 Financial Services Group, one of many brokerage firms now offering cyberpolicies to school districts.
John Gambale, the head of professional liability, Americas region, for the American International Group, or AIG, said student data are 鈥渉ighly sought after鈥 on the black market, and most schools lack the resources to adequately protect the data. 鈥淭hieves look at the potentially antiquated IT systems and see them as very appealing targets,鈥 he said, explaining that AIG offers cyberinsurance to schools as well as technology and training to prevent a breach.
Cyberpolicies typically cover data breaches whether they are accidental, such as an employee losing a laptop or emailing sensitive information to the wrong person, or via a coordinated hacking attack.
Expenses following any of those scenarios could be astronomical, depending on how many current or former employees鈥 or students鈥 information was compromised. Laws differ by state on who must be notified, how quickly, and how the notifications must be handled.
Cyberinsurance covers all notification costs, as well as the cost of investigating how the breach occurred, who could be affected, and legal assistance to determine notification requirements. Some policies also cover credit-monitoring services and media relations, in addition to third-party costs in the event of a civil lawsuit or class action.
It鈥檚 unclear how many districts have purchased cyberpolicies. Laubmeier said Aon covers several districts but declined to say exactly how many. 鈥淲e are seeing a very large uptick in the number of school districts that have inquired about the possibility of cyberinsurance,鈥 he said.
Mr. Gambale also declined to say how many school systems AIG covers, but said it鈥檚 definitely an area of growth. Schools and institutions of higher education are now listed as a category in his firm鈥檚 risk portfolio.
鈥淭wo years ago, that segment was not big enough for me to track,鈥 he said, adding that across all industries, his firm鈥檚 cyberinsurance portfolio has increased 30 percent in the past year.
鈥楨asy Target鈥
Trudy Sowar, the director of risk-management services for the Georgia School Boards Association, which provides pooled-insurance coverage to districts via Marsh Insurance, has for the past three years. So far, 59 of the 95 districts in Georgia have taken the coverage.
鈥淚f you really think about it, we are probably some of the most fertile ground [for a cyberattack],鈥 she said, referring to the copious amount of personal data鈥擲ocial Security numbers, medical records, payroll information鈥攖hat each school district keeps on file.
Michael A. Alao, a former chief internal-audit executive for the Cincinnati school district, said Sowar is right. In fact, he said, districts provide easy targets for cyberthieves.
鈥淚f you are going to scam someone, you go against an easy target,鈥 Alao said, pointing out that not all districts have an auditor or a chief technology officer to maintain tight security controls and firewalls.
Sowar said the cost of the coverage is relatively low, about $1 per student. Since many of the state鈥檚 school districts have fewer than 10,000 students, it ends up not being that expensive, she said.
Still, there has been some pushback.
鈥淪ometimes, it鈥檚 that the technology officer believes that their firewalls are going to protect them,鈥 she said. 鈥淎nd sometimes, it鈥檚 a financial issue because we鈥檝e seen so many cuts to school funds lately.鈥
Why Districts Buy Cyberinsurance
A growing number of districts around the country have recently bought insurance policies with coverage for data-privacy risks. Among them:
GARDEN CITY, N.Y. | Enrollment: 4,000
The district has a new cyberinsurance policy starting this school year with Lloyd鈥檚 of London at a cost of about $11,000 a year.
What the insurance covers: The school鈥檚 cyberpolicy is in addition to general-liability and property insurance. It would compensate the district for the expenses incurred by making the required notifications in the event of a data breach. It also includes catastrophic insurance to protect the district in the event of a lawsuit stemming from the breach.
Why it purchased cyberinsurance: The Anthem health-insurance data breach this past February was a real 鈥渨ake-up call,鈥 said Superintendent Robert Feirsen. The district had already been working on making sure its network was secure, but Feirsen said schools needed added protection.
鈥淲e have a tremendous amount of data that we store, and a lot of it is personal, regarding the students and staff, and also financial, plus confidential information as well. It鈥檚 a brave new world for everyone. Several years ago, this would not even have been a blip on the radar.鈥 - Robert Feirsen
ANN ARBOR, MICH. | Enrollment: 17,000
The school district has had a cyberinsurance policy from Zurich Insurance Group since February 2014.
What the insurance covers: The supplemental-insurance policy covers the cost of regulatory proceedings related to a data breach, Internet media liability (e.g., invasion of privacy, slander, plagiarism, copyright infringement or negligence related to Internet content), privacy-breach costs, cyberextortion and threats, and reward/payment coverage. The plan costs $25,155 per year, compared with about $800,000 the district pays in other liability-insurance coverage each year.
Why it purchased cyberinsurance: Judy Solowczuk, the district鈥檚 executive assistant for finance and operations, said the district鈥檚 insurance agency recommended the coverage, and since Ann Arbor is a district with lots of sensitive data, she thought it was time for protection. Solowczuk said the cost of the insurance was a 鈥渄rop in the bucket compared to what it might cost us if we had a cyberattack or something was breached.鈥
鈥淲hen you see Target and all these big companies being breached, it鈥檚 scary. We aren鈥檛 as big, but if someone hacked into our system, they could really do some damage.鈥 - Judy Solowczuk
PAULDING COUNTY, GA. | Enrollment: 28,500
The school system has had cyberinsurance since July 2014. The district pays about $25,000 a year for the policy, which is through the Georgia School Boards Association鈥檚 pooled-insurance plan with Marsh, a global provider in insurance brokering and risk management and a subsidiary of Marsh & McLennen Companies.
What the insurance covers: The policy is an add-on to other insurance the school district has, such as workers鈥 compensation, general-liability, and property and casualty insurance. It covers the costs of investigating the breach, making the required notifications, and any related lawsuits.
Why it purchased cyberinsurance: About 10 years ago, the district was the victim of a 鈥減hishing鈥 attack by hackers out of St. Petersburg, Russia. A man walked into the bank that the school district used and withdrew money using the district鈥檚 password. The bank was not required to compensate the district, but it chose to refund most of the money that was taken. Superintendent Cliff Cole said the incident shows that 鈥渆veryone is vulnerable.鈥 When the cyberinsurance policy was first offered, he said it was a 鈥渘o brainer鈥 to sign up.
鈥淯nfortunately, the society we live in today, it鈥檚 almost weekly that you hear about someone鈥檚 files being hacked or someone鈥檚 identity being stolen. So many people are concerned now about identity theft and privacy rights. It鈥檚 another layer of protection for our students and employees.鈥 - Cliff Cole