The Yale Data Breach — Security Lessons for Ediscovery Professionals

Yale University has been in the news this month due to a data breach that started in 2008. That’s not a typo; it took Yale 10 years to realize that its security had been compromised. This situation brings into sharp focus the importance of not just avoiding security problems but also promptly detecting them to enable a swift, effective response. Ediscovery attorneys would do well to learn the lessons that Yale, so far, apparently hasn’t.

The Yale Data Breach

At some point between April 2008 and January 2009, “hackers breached a University database and extracted” the personal information of 119,000 Yale students, faculty, and staff. That information included names, Social Security numbers, dates of birth, email addresses, and physical addresses. What’s worse, Yale had deleted the stolen information from its own servers in 2011 without ever detecting the intrusion.

Only in June 2018 did Yale realize what had happened. It waited another month to advise the affected individuals, though what’s one month after 10 years?

Now, Yale is facing at least two putative class-action lawsuits seeking millions of dollars in damages.

Unfortunately, the details coming out about the breach point to a number of earlier missed opportunities to improve security. For instance, the complaint states that in 2011, Yale discovered that 43,000 Social Security numbers collected by the school were posted online—and had been for almost a year.

In its defense, Yale stated that it had “continually improved its electronic security” in the 10 years since this breach. However, it also indicated that it would not even attempt to investigate this incident, as it would “not be possible to identify the culprit” so many years later.

While Yale’s woes are a reminder that “universities constitute fertile ground for hackers,” they’re not the only targets. Corporate ediscovery teams should never forget that they, too, are walking bullseyes.

Ediscovery Lessons

Obviously, data breaches are expensive. Aside from the costs of potential litigation, there are the costs of corrective measures, lost clients, and damaged reputations.

But what’s more expensive than a data breach is a data breach that goes undetected.

When you don’t realize that your security is flawed, you cannot correct the weakness. You can’t respond to clients or partners who may have suffered losses; you likely won’t even know about them. You’re too late to help the victims recoup their damages, too late to investigate what went wrong, and too late to effectively shore up your security measures.

If you haven’t already gotten serious about conducting regular cybersecurity reviews, this is your wake-up call. Implement routine security audits; run breach-response drills. And when you do add security features, don’t build on a faulty foundation. Fully investigate your existing protective measures and patch any existing vulnerabilities.

Most importantly, do not keep data that you no longer need. Not only is it an ediscovery liability, but it opens you up to the possibility of paying damages for failing to protect data that wasn’t serving any valid business use in the first place.

Sometimes you have to make a mistake for yourself to really learn its lessons. This isn’t one of those times.