In late May 2023, cybercriminals gained unauthorized access to the personal information of students, employees, and other community members of institutions of higher education (IHEs) by exploiting a security vulnerability in MOVEit software, which is used by many IHEs and by prominent vendors of IHE services, including National Student Clearinghouse and TIAA, to store and transfer sensitive personal information.
In accordance with applicable data breach reporting laws, some IHEs have directly notified affected individuals and relevant regulatory authorities, while others have generally informed their community members that they will receive notification from the vendor responsible for the breach if their personal information was compromised.
All IHEs should act now to determine the extent to which their students, employees, or other community members may be affected, implement IT safeguards as needed, and analyze applicable data breach reporting obligations.
Following customer reports of suspicious activity on May 28, 2023, Progress Software Corporation announced on May 31, 2023 that a “sophisticated cybercriminal group” exploited a security vulnerability in Progress Software’s MOVEit Transfer and MOVEit Cloud products, and as a result, the cybercriminals gained access to some customers’ data. In response, Progress Software provided MOVEit Transfer customers with three software patches to eliminate the initial MOVEit Transfer security vulnerability, as well as to eliminate two additional, distinct security vulnerabilities that Progress Software discovered during its investigation of the initial security vulnerability. At the same time, Progress Software also patched its MOVEit Cloud to eliminate all detected security vulnerabilities.
While Progress Software’s investigation is currently still underway, Progress Software last reported on July 5 that thus far it believes only the initial MOVEit Transfer security vulnerability was exploited by the cybercriminals, and there have been no reports of any additional unauthorized access after deploying the software patches.
Who is Affected?
Although not all MOVEit Transfer or MOVEit Cloud customers’ data was accessed by the cybercriminals, Progress Software has deployed the MOVEit Cloud patch for all MOVEit Cloud customers and has advised all MOVEit Transfer customers to install its latest security patch. However, Progress Software has notified some MOVEit Transfer and MOVEit Cloud customers, including some institutions of higher education (IHEs), that their data was compromised in the attack.
National Student Clearinghouse
Of note for thousands of IHEs, National Student Clearinghouse (NSC)—which provides educational reporting, verification, and research services to around 3,600 IHEs—was notified that some of NSC’s data, including data belonging to NSC’s IHE customers, was compromised in the attack. NSC reports that it “promptly took measures to protect customer data and [NSC’s] systems by applying the relevant security patches and diligently following guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).” NSC further reports that it has notified affected IHEs and “will follow up with additional information regarding the impact to affected organizations, including a list of individuals whose personal information is identified in the relevant files.”
According to NSC, the compromised data “may have included information from the student record database on current or former students.” Thankfully, NSC further reports that there is currently “no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”
Teachers Insurance and Annuity Association of America (TIAA)
Of further note for many IHEs, the Teachers Insurance and Annuity Association of America (TIAA), which manages 403(b) retirement funds on behalf of thousands of IHEs, was also notified that some of its IHE customers’ data was compromised as a result of the MOVEit data breach. According to TIAA’s notice submitted to the Maine Attorney General and its sample consumer notification letter, TIAA discovered on June 28 that data TIAA entrusted to Pension Benefit Information, LLC (PBI), which provides audit and address research services for TIAA, was processed by PBI using MOVEit Transfer and was thus compromised on May 29 and May 30 as a result of the MOVEit data breach.
According to the consumer notification letter, PBI “promptly took steps to patch servers, investigate, [and] assess the security of [PBI’s] systems.” PBI has also notified “potentially affected customers,” including TIAA, and has directly notified “individuals associated with those customers,” such as IHE employees with TIAA retirement accounts. Individuals’ compromised personal information potentially includes name, Social Security number, date of birth, address, and gender.
How IHEs are Responding
Some IHEs have confirmed that personal information, including sensitive personal information, was compromised as a result of the MOVEit data breach and have already notified affected individuals and relevant regulatory authorities, including State Attorneys General and the Department of Education (ED), in compliance with local and federal data breach reporting requirements. IHE notifications have varied depending on the IHE and on the IHE’s relationship with MOVEit’s provider, Progress Software.
For example, some customers of Progress Software have notified affected individuals directly and have also submitted notices to State Attorneys General in compliance with State data breach reporting laws. On the other hand, some TIAA customers affected by PBI’s use of Progress Software have issued general notices to their university communities stating that affected individuals will be notified directly by PBI.
Some NSC customers have received confirmation from NSC that their students’ data was compromised in the MOVEit data breach and have notified affected individuals directly or have generally informed their students, employees, and other community members that affected individuals will receive notifications from NSC. Many other IHEs have received notice from NSC stating that some of their students’ personal information may have been compromised but that NSC has not yet confirmed which (if any) personal information was actually compromised, leaving such institutions in an anxious holding pattern.
Other actions taken by IHEs include notifying internal departments, such as human resources, information technology, financial aid, and marketing/communications; notifying relevant service providers, such as insurance brokers and insurance carriers; notifying relevant regulatory authorities, such as ED, particularly when IHEs have been able to confirm that student financial aid information was compromised through NSC; working with similarly situated IHEs to pool their legal resources; and hiring outside counsel to advise on internal and external responses, including reporting obligations under federal, state, and international laws and regulations.
For specific examples of public notices and other responses posted or submitted by IHEs, please contact XL Law & Consulting.
Data Breach Reporting Requirements
A variety of federal, state, and international laws and other legal obligations require IHEs to report data breaches, and the applicability of each law largely depends on the type of data that was compromised. Considering the types of student, employee, and other data that were compromised as a result of the MOVEit data breach, potentially applicable reporting requirements include, without limitation, the following:
Student Financial Aid Data: For data breaches involving “information obtained as a result of providing a financial service to a student (past or present),” which may include some NSC records, ED’s Title IV Program Participation Agreement and related guidance require IHEs to comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. While the GLBA Safeguards Rule does not contain any express data breach reporting requirements, it requires IHEs to maintain a written data breach response plan, which must address external communications and reporting. Furthermore, ED’s Student Aid Internet Gateway agreement, which all institutions must sign to receive and disburse Title IV funds, requires participating IHEs to notify ED “immediately” following “an unauthorized disclosure or breach of [student federal financial aid] applicant information or other sensitive information (such as personally identifiable information).” Notably, ED’s Federal Student Aid (FSA) office issued an alert on June 16 addressing the MOVEit data breach and recommending (inter alia) that IHEs report breaches to FSA.
Student Education Records: For data breaches involving Education Records protected by the Family Educational Rights and Privacy Act (FERPA), which may also include some NSC records, as a best practice ED’s Data Breach Response Checklist asks IHEs to consider notifying ED and provides that “[w]hile [ED] has the discretion under 34 CFR §99.64(b) to conduct its own investigation of a breach, it will take into consideration an effort to proactively come into compliance demonstrated by voluntarily notifying [ED] about the breach.”
Health Records: For data breaches involving Protected Health Information protected by the Health Insurance Portability and Accountability Act (HIPAA), which may include records that IHEs store or transmit using MOVEit Cloud or MOVEit Transfer, IHEs must directly notify affected individuals, and they must notify the Department of Health and Human Services. Additionally, for breaches affecting more than 500 residents of any State or other jurisdiction, IHEs must notify prominent media outlets that serve the State or other jurisdiction. Generally, IHEs must issue the required notifications “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
Most States have laws requiring IHEs to report data breaches affecting State residents. Such laws vary greatly in terms of applicability and notification requirements. The International Association of Privacy Professionals (iapp) provides a helpful State Data Breach Notification Chart summarizing data breach reporting laws in each State, including each law’s notification timeframe, notification content, and requirements to notify affected individuals, the State Attorney General, and/or Consumer Protection/Reporting Agencies. Please note that iapp’s chart was last updated in 2021, so IHEs should verify the accuracy of the information provided.
Many countries have laws that require IHEs to report data breaches involving the personal information of individuals located within the country and/or individuals residing within the country. Most (if not all) countries’ laws apply to data breaches that occur within the country’s borders, and some also apply extraterritorially to data breaches that occur within the US. The European Economic Area’s General Data Protection Regulation (EEA GDPR) and the People’s Republic of China’s Personal Information Protection Law (PRC PIPL) are the two international laws most relevant to US IHEs, and both have extraterritorial data breach reporting requirements.
EEA GDPR: For data breaches involving Personal Data protected by the EEA’s GDPR, which may include any data compromised as a result of the MOVEit data breach if such data relates to an individual located within the EEA, IHEs must notify the appropriate EEA supervisory authority without undue delay and no later than 72 hours after becoming aware of the data breach, unless the data breach is unlikely to result in a risk to individuals’ rights and freedoms. Additionally, IHEs must notify affected individuals whose Personal Data is protected by the GDPR without undue delay if the data breach is likely to result in a high risk to such individuals’ rights and freedoms.
PRC PIPL: For data breaches involving Personal Information protected by the PRC’s PIPL, which may include any data compromised as a result of the MOVEit data breach if such data relates to an individual located within Mainland China, IHEs must immediately notify the Chinese National Cyberspace Department. IHEs must also immediately notify affected individuals whose Personal Information is protected by the PIPL, unless the IHE’s protective measures can effectively avoid the harm caused by the data breach.
Recommendations for IHE Offices of General Counsel
Determine whether your IHE utilizes the services of Progress Software, MOVEit Cloud, MOVEit Transfer, NSC, TIAA, or any other vendors affected by the MOVEit data breach. While such vendors have been diligently notifying affected IHEs, sometimes notifications are delivered to individuals outside the Office of General Counsel in accordance with the contract’s Notice provisions.
If your IHE utilizes MOVEit Transfer to transmit data and has not yet taken any action to address the MOVEit security vulnerabilities, per MOVEit’s Customer FAQ, ensure that your IHE follows all the remediation steps described in the May 31, 2023 MOVEit Knowledge Base Article. Installing the patch alone closes the vulnerability but does not address any unauthorized access that occurred before the patch was applied, so the remediation steps should be completed in full rather than stopping at the patch. After implementing all such remediation steps, ensure that your IHE applies the new MOVEit Transfer Service Pack (July 2023) for additional product updates and security improvements.
If you received notice that your IHE may have been affected by the MOVEit data breach but have not yet received confirmation either way, follow up regularly with the vendor that provided the initial notice. Many vendors have long lists of clients whose cases they must analyze, so let them know that your IHE is a top priority.
If you received confirmation that your IHE’s data was compromised as a result of the MOVEit data breach, analyze the type(s) of data compromised and location/residency of affected individuals to determine your IHE’s federal, state, and international reporting obligations.
If your IHE’s data was not compromised as a result of the MOVEit data breach, use this as an opportunity to conduct a tabletop exercise simulating how your IHE would respond if student, employee, or other data had been compromised. Invite a variety of institutional stakeholders to participate in the tabletop exercise, such as information technology, human resources, marketing and communications, risk management (and your IHE’s insurance broker), financial aid, registrar’s office, and student affairs.