Risk management has become an increasingly high-stakes enterprise for higher education in recent years. The Covid-19 pandemic, the accompanying economic strain, and political polarization have only made it more so.
The Chronicle recently released a special report, “The New Risk Management,” that explores the trends that are making academe an ever-riskier business. Here is a condensed excerpt.
Colleges face an increasingly complex and unpredictable array of challenges — abuse, harassment, assault, police misconduct, accidents, health and environmental hazards, fiduciary wrongdoing, the pandemic — that are making it more difficult to calculate risk and insure against it.
That’s a big part of why annual insurance premiums have gone up by double digits in recent years. John McLaughlin, senior managing director of the higher-education practice at Gallagher, an insurance brokerage and risk-management and consulting firm, says those increases range between an average of 10 and 35 percent across an institution’s insurance portfolio.
Norms around liability have also changed. Colleges were once seen as like churches; they were broadly protected from legal liability, according to Peter F. Lake, a professor of law, and director of the Center for Excellence in Higher Education Law and Policy, at Stetson University. Public colleges enjoyed nearly complete sovereign immunity.
Now higher education is everybody’s punching bag, Lake says. It gets hit from the right and the left, from private interest groups and public agencies, as too intrusive and insufficiently involved, even for following federal guidelines. The assumptions of immunity colleges once enjoyed are largely eroding. For example, says Lake, in Doe v. University of the Sciences (2020), a federal court of appeals — obviously dissatisfied with traditional rules of contract law favoring colleges — completely rewrote the student handbook of a private university in Pennsylvania to include implied federal due-process requirements.
“It was tough for colleges to lose back then,” Lake observes. “Now it’s tough for them to win.”
While Covid-19 has dominated public attention, it’s not the only thing, or even the main thing, keeping lawyers, risk managers, and insurance executives up at night. Instead, worries revolve around other long-simmering problems.
Enrollment — which has been battered at many institutions — ranked first on a recent list of the top 10 risks affecting institutions. Covid accelerated an enrollment dropoff that had been projected for 2025.
But what’s striking is that just behind enrollment on colleges’ list of worries are two areas that are not directly related to Covid: data security and Title IX. That’s according to an annual survey by United Educators, which provides liability insurance and risk-management services for its member colleges and schools. The survey was conducted from May 2019 through September 2020, as the coronavirus crisis unfolded, and 480 United Educators member institutions responded.
The Costs of Data Breaches
Data security has been high on colleges’ worry list for years. Months before Covid-19 was in the news, Michael B. Rynowecer, president of BTI Consulting Group, in Wellesley, Mass., called data breaches “probably the No. 1 issue” on the minds of colleges’ legal teams. It still is, Rynowecer says, and the pandemic has only increased that risk as operations spread for remote teaching and management. Colleges’ databases are vulnerable, and so are those of the companies that work with them.
Among them is Blackbaud, a prominent cloud-computing vendor that early in 2020 suffered a ransomware attack and data breach that lasted the better part of four months and compromised information about more than six million people, including their Social Security numbers, bank-account information, and user names and passwords. The Health IT Security newsletter reported that at least 10 class-action lawsuits had been filed against Blackbaud over the breach, which affected dozens of colleges among more than 200 organizations over all.
Consider, says Rynowecer, that colleges and their corporate partners handle not just sensitive financial and identity information but also data on health, disciplinary proceedings, and academic performance. Beyond student information, they also hold data on faculty and staff members, donors, and alumni. As coronavirus and other public-health tracking, record keeping, and surveillance expand, the data are likely to grow. And so will opportunities to penetrate software systems, as students and employees continue to work from home.
The Blackbaud breach drew wide scrutiny because of its size, but there has been a steady stream of breaches. In July 2020, Comparitech, a website catering to tech consumers, reported that 1,327 data breaches at colleges and elementary and secondary schools had resulted in the exposure of 24.5 million records since 2005. Higher education accounted for three-fourths of those breaches, with California, Florida, Arizona, Massachusetts, Georgia, Ohio, and Washington State hit hardest, and public institutions faring worse than private ones.
The cost of these incidents can be high. A crippling cyberattack in October 2020 on the computer systems of the University of Vermont Medical Center cost it about $1.5 million a day in lost revenue and recovery expenses. (The hospital said that it was about 70 percent recovered from the attack as of mid-December 2020.)
Significantly, though, hacking accounted for only 43 percent of college breaches, according to the Comparitech report. Unintentional disclosures accounted for 27.3 percent, and the theft or loss of portable devices for 14.7 percent. Those figures suggest that beyond shoring up sensitive data with digital ramparts, proper training in the handling of data remains crucial.
Among recent incidents reported on other information-security platforms, tax and personal data for 1,755 staff members at the College of DuPage, in Illinois, were compromised. Many other institutions have also reportedly suffered breaches, including Columbia College Chicago; Grinnell, Hamilton, and Oberlin Colleges; Oregon State and Washington State Universities; and the University of Connecticut.
Beyond disruptions, the potential misuse of data, and the possibility of class actions, colleges are sometimes forced to pay a ransom. The University of Utah, for example, paid $457,000 to a hacker to prevent disclosure of data stolen in July 2020 from its College of Social and Behavioral Science. Colleges increasingly back up their data, so, for leverage, attackers grab information and threaten to leak it if a ransom isn’t paid.
The December 2020 hacking of the cybersecurity firms FireEye and SolarWinds will do nothing to quiet risk managers’ nerves. Of the former, The New York Times reported, “It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the FBI’s investigative tools.” Targets included hundreds of publicly traded corporations, government agencies, the military, NASA, and the National Security Agency. An analysis by The Wall Street Journal identified Kent State University as among the victims of the megahack.
When the Pentagon is vulnerable to Trojanized software — a predatory move experts attribute to a group of more than 1,000 Russian hackers — how are cash-strapped colleges and universities supposed to defend themselves?
Sex-Abuse Scandals
It is perhaps even more obvious why Title IX and other sexual-abuse scandals are among college lawyers’ top concerns. A recap of some major cases conveys not just the horrors of the situations themselves but also the high legal, financial, and reputational stakes.
Michigan State University agreed to pay a half-billion dollars to more than 300 victims of sexual abuse committed by the sports-medicine doctor Larry Nassar. Legal payouts in Pennsylvania State University’s Jerry Sandusky child-sex-abuse scandal surpassed $100 million. Ohio State University has reached settlements with 185 plaintiffs totaling $46.7 million for alleged sexual abuse decades ago at the hands of Richard Strauss, a team doctor. More than 200 additional plaintiffs, as of October 2020, had yet to reach an agreement with the university.
The University of California has offered a $73-million settlement to 5,000 women over alleged abuse by James Heaps, a former gynecologist on its Los Angeles campus. The University of Southern California is paying $215 million to 18,000 women allegedly abused by George Tyndall, a former gynecologist there.
New allegations of sexual misconduct keep emerging. For instance, lawsuits have been filed for alleged harassment and unfair treatment involving a studio-art professor at the University of South Carolina at Columbia. And an investigation by USA Today has raised questions about how Louisiana State University at Baton Rouge has handled assault and abuse allegations against some of its star athletes.
The University of Utah in October 2020 agreed to pay $13.5 million in a settlement with the family of Lauren McCluskey, a track star who was stalked and killed by her ex-boyfriend. Ruth V. Watkins, the university’s president, said at a news conference that it “acknowledges and deeply regrets that it did not handle Lauren’s case as it should have.” University employees had “failed to fully understand and respond appropriately to Lauren’s situation.”
Scott Schneider, of the law firm Husch Blackwell, says of the McCluskey case, “People think ‘that would never happen here.’ But that’s the kind of thing that could happen on any campus in America.”
Title IX, the public-policy framework that often governs claims of sexual abuse or harassment in higher education, is murky, too. “It’s a mess,” says Schneider.
Among educational amendments Congress enacted in 1972, Title IX has many components, including gender parity in athletic opportunities. With Covid-accelerated cuts in sports programs, that’s a different mess. The particular mess Schneider is referring to is a set of federal rules on how colleges are supposed to handle accusations of harassment or assault.
With a “Dear Colleague” letter issued under President Barack Obama in 2011, federal guidelines swung toward the rights of the accuser. Under President Donald J. Trump, they swung back toward the rights of the accused. Under President Biden, they are expected to swing back toward the Obama-era rules, although maybe not quite so far, some lawyers think, because judges have voiced concerns that the accused, under Obama-era rules, did not always have a fair say.
How it will all shake out remains unclear. “There’s just going to be a weird interim,” Schneider says. But one thing seems certain: “There’s going to be more mayhem in that space, and it’s not serving anyone except lawyers like me.”