On February 23, 2018, the Pennsylvania Office of Administration (OA) announced that a security incident involving the Teacher Information Management System (TIMS) exposed the personal information of teachers. TIMS is an online platform used by educators in Pennsylvania. Current and prospective teachers can create and manage profiles to collate their certifications in education, and administrators use TIMS to review applicant credentials. According to the announcement, between 12:00 p.m. and 12:30 p.m. on February 22, 2018, users who logged into TIMS had access to teacher personal information, which may have included names and social security numbers. The announcement advised that the incident was the result of human error by an OA employee, and that, in response to the incident, the Pennsylvania Department of Education (PDE) and OA are taking steps including: investigating the scope of the incident, mailing letters to the affected individuals offering free credit monitoring services, reviewing internal procedures, and implementing changes to prevent similar incidents in the future.

The TIMS breach, and the response to it, is instructive for three reasons. First, it is a reminder that cyber risk is not confined to tech companies like PayPal and Uber. The field of education, which necessarily handles the personal information of both students and professionals, faces the same cyber risk as the corporate world.

Second, the breach was notably traced back to the human error of an OA employee. Employee error is one of the leading causes of cyber incidents. As noted in a past Newsletter, cybersecurity education and training for employees both reduces the threat of data loss and blunts the impact of negative consequences that may arise from a breach.

Third, the OA has a written information technology policy that covers training, security maintenance, and breach response. Having such a policy in place meant the OA was well positioned to follow established protocols once the breach occurred. Here, the PDE and OA response has incorporated several activities from the Respond Function of the NIST Cybersecurity Framework: communicating with internal and external stakeholders, analyzing the scope of the breach, and incorporating lessons learned from the incident to improve the cybersecurity policy going forward. Following such protocols in the breach response should help to mitigate the damage caused by the breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.