When New York State Attorney General Letitia James announced a settlement with Marymount Manhattan College stemming from a data breach in 2021, some people discussing the case online were surprised that a state could go after a non-profit college that way, and they wondered whether the state could obtain that kind of settlement from a public entity.
They can.
As the state explains in its filing:
The Office of the Attorney General of the State of New York (“NYAG”) commenced an investigation, pursuant to New York Executive Law § 63(12) and New York General Business Law § 899-bb, into the data security and privacy practices of Marymount Manhattan College (“Respondent” or “MMC”), as a result of a data security incident occurring in or around November 2021 affecting 191,752 actual or prospective students, employees, and alumni, including 99,097 residents of New York.
The state’s description of the incident reveals a fairly common scenario for a ransomware attack:
Sometime before November 12, 2021, a malicious threat actor penetrated MMC’s Technical Infrastructure, initially through a Microsoft Exchange Server, gaining access to significant quantities of data concerning 99,097 residents of New York who were actual and prospective students, faculty, and alumni, including social security numbers, dates of birth, bank and credit card numbers, passport numbers, driver’s license numbers, medical information, and usernames and passwords (the “breach”). The threat actor then encrypted this information on MMC’s servers, and demanded payment in exchange for returning the information.
The Assurance of Discontinuance identifies a number of security failures on the college’s part that constituted violations of state law as well as FERPA and the Gramm-Leach-Bliley Act (which applies to federal student loan data). The college neither admitted nor denied the state’s findings, but agreed to spend $3.5 million over the next six years to improve its cybersecurity.
The number of specific requirements the college must comply with under the terms of the settlement is somewhat staggering, and entities may want to read the whole document to see what the failures were and what remedies the college has now agreed to implement to avoid litigation by the state.