Compliance: Just Not Good Enough

Bill Balint • April 30, 2025

In a higher education world where cybersecurity, data protection and data privacy activities are bathed in multiple regulations, policies, procedures, standards and all the rest, what happens when victims claim, “compliance is just not good enough”?


The answer can be quite costly.


The March 2025 data breach incident at the Yale New Haven Health System (https://www.ynhhs.org/legal-notices) could potentially be such a case. Yale New Haven Health reported a data breach incident to the public on March 11, 2025, and a pair of 52-page federal lawsuits were filed on behalf of victims were already filed just over a month later. There are reports that as many as six additional suits were filed in the following days. A variety of law firms have created web pages where victims can seek legal engagement, so the number of suits could potentially increase.


It does not appear Yale New Haven Health is being accused of specifically failing to meet a given governmental regulation – such as HIPAA, PCI, GLBA, or a state breach notification law. The fact that a generic notification letter about the incident can be found at the Massachusetts Office of the Attorney General website implies at least that state’s requirements have been met.


But according to the Hartford Business Journal (https://www.hartfordbusiness.com/article/yale- new-haven-health-faces-lawsuits-over-data-breach-health-system-discloses-more-details), the suit claims Yale New Haven Health did not “…properly secure and safeguard Plaintiff ’s and Class Members’ sensitive personally identifiable information (PII) and personal health information (PHI), which, as a result, is now in criminal cyberthieves’ possession.” These lawsuits understandably infer that provider storing sensitive or confidential customer needs to use a portion of its revenue to fund customer data protection measures. The goal should be protecting data even beyond regulatory compliance demands.


A Big Year For Settlements


Beyond the question of governmental regulations and their relationship to lawsuits, there is no doubt higher education is suffering increased direct financial penalties resulting from data breaches.


Just one example from 2025 is the $2 million settlement of the class action data breach lawsuit against St. Louis University and SSM Health Saint Louis University Hospital from mid-April, stemming from the data breach of up to 93,000 individuals (https://www.hipaajournal.com/saint- louis-university-data-breach-lawsuit-settlement/). Besides the common practice of receiving identity theft protection benefits, claimants can receive up to $2,500 in unreimbursed expenses resulting from the breach. St. Louis University and SSM Health Saint Louis University Hospital are not alone, as various similar suits are on schedule to be settled later in 2025. Large or small, public or private, no institution appears immune.


Too Early? Too Late?


Another new lawsuit is among those that confront the long-debated ”time to notify the victims” issue. Michael Harris, a potential incoming student at Lee University, filed the suit against Lee in the U.S. District Court Eastern District of Tennessee (https://www.local3news.com/local-news/lee-university-sued-for-negligence-after-data-breach-impacts-thousands/article_ca5ecb44- 8872-4692-9dd8-4ce35defe574.html).


The lawsuit includes multiple complaints, among them is the claim that Lee waited for more than one year to notify the impacted individuals. One could argue notifying potential victims before all facts are known runs the risk of providing incomplete information. But waiting for an investigation to complete runs the risk of victims suffering the consequences of the breach without even knowing a breach of their information occurred.


Damage Over Dollars?


Of course, data breaches are often about a lot more than money. They hold the potential to devastate victims by inflicting non-economic temporary and sometimes even permanent damage. The recent takeover of the New York University (NYU) website by a hacker who briefly exposed NYU applicant information datasets back to 1989 (https://nyunews.com/news/2025/04/01/nyu-data-breach-lawsuits/) serves as a reminder.


Public policy – often via regulation – tries to limit the damage by requiring those who house sensitive and confidential data adhere to strict standards. But higher education institutions need to know that compliance with all regulations and data breach laws might not be enough.


These large settlements should provide institutions with a constant reminder.


Bill Balint is the owner of Haven Hill Services LLC, contracted as Trivigil’s Advisory CIO for Education.

The Experts Await: Higher Education Cybersecurity and Data Privacy Events Spring, 2025

By Bill Balint April 15, 2025
TriVigil is dedicated to providing educational institutions with comprehensive cybersecurity solutions that harmonize people, policies, and technology. This commitment includes highlighting selected opportunities where cybersecurity and privacy professionals in the education sector can network, learn, meet with solutions providers and gain other insights. There are literally hundreds of cybersecurity and data privacy events – local, regional, national, international and virtual. Everything from a one-hour webinar to global large-scale events with thousands of attendees. Some are purely focused on cybersecurity and/or data privacy, while others list these as merely a sub-interest or track. Some emphasize the education sector, while others do not focus on any specific industry. Among the plethora of quality events blanketing every area of interest, TriVigil notes a pair of late spring 2025 events that include education as a specific focus. The 2025 Educause Cybersecurity and Privacy Professionals Conference will take place in Baltimore May 19-21 ( https://events.educause.edu/cybersecurity-and-privacy-professionals-conference/2025 ). It is perhaps higher education’s best-known event focused solely on these topics. This year’s “Stronger Connections for Stronger Protections” theme is evident in all five attendee tracks: · Awareness, Education, and Human Factors · Governance and Strategic Alignment · Transformational Leadership · Navigating Compliance with Confidence · Evolving Technologies and Practices With the emphasis on collaboration, it is fitting the 2025 conference is efficiently expanded such that a small increase in time spent onsite provides a large increase for attendee opportunities. The opening pre-conference workshop day remains from previous years (May 19), but the opening general session has been moved to the end of the first day, as well. This change allows for breakout sessions to begin immediately on the second day (May 20). The third day (May 21) has been extended to a full day agenda. May 19 opens with eight preconference workshops. These include two full-day, three morning half-day and three afternoon half-day options. Derrich Phillips, founder of Aspire Cyber and of the CMMC Professionals Network (CPN), provides the opening general session entitled “Beyond the Firewall: How Community Strengthens Cybersecurity in Higher Education”. May 20-21 should also be a treat as attendees can take advantage of 12 breakout session time slots, each 45 minutes in length. This is especially impressive as there are conferences twice as long that struggle to offer that many breakout session slots. Furthermore, the agenda also provides three separate times for attendees to take part in poster sessions. The conference concludes with a closing general session. Better than 45 breakout sessions spread across those 12 timeslots will be delivered in presentation and panel discussion formats by representatives from about 40 different institutions and some 20 solutions providers. Presenters and panelists from institutions span large R1 institutions and state system offices to small liberal arts schools, community colleges and those in between. 2025 NICE Conference and Expo The 2025 NICE Conference & Expo will take place in Denver on June 1-3, 2025 ( https://niceconference.org/ ). The conference touts itself as “… the annual convening of community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a skilled cybersecurity workforce ready to meet the challenges of the future.” NICE itself is a program led by the National Institute of Standards and Technology (NIST), established by the Cybersecurity Enhancement Act of 2014. Florida International University is a conference co-host, further underscoring the important role of higher education at the event. New America, a non-profit think tank, serves as the conference’s other co-host. This year’s “Climbing Higher: Educating & Sustaining a Resilient Cybersecurity Workforce” theme would appear very relevant for a higher education sector challenged with talent acquisition and employee development. This is especially true with the internal cybersecurity workforce. The event opens with half-day afternoon workshops on June 1, with the conference running for two full days on June 2-3. Although the list of sessions is not available yet, a glance at the 2024 agenda indicated eight breakout session timeslots and five plenary slots in addition to the pre-conference workshops. Over 30 breakout sessions in 2024 were delivered by a mix of academia, government and industry representatives. Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Cybersecurity AI and Identity Management Receive Awareness Boosts

By Bill Balint March 27, 2025
While National Cybersecurity Month (October) and National Data Privacy Week (late January) seemingly growing in adoption, a couple of more-recent cybersecurity events will hopefully take that next step. AI Fools Week (Naturally Kicking off ‘AI’pril) The good folks over at the National Cybersecurity Alliance (NCA) have created their inaugural artificial intelligence (AI) awareness campaign, fittingly entitled “AI Fools Week”, taking place the Week of March 31 ( https://www.staysafeonline.org/aifools ). NCA even jokingly refers to the month as “AIpril”.  As is often the case, NCA offers a very well-done toolkit of tip sheets, infographics, posters, etc. for those looking to initiate a ‘be safe when using AI” campaign at their institution or place of business. One of the NCA toolkit’s more ironic, but interesting ideas is to leverage a concept dating back to Ancient Greece by creating a shared password (safe word) to combat “deepfake” voicemails, messages, even video calls. The kit suggests safe word systems are worthy for consideration beyond families – such as with fellow employees, close friends, caregivers and groups reliant upon virtual communication. Identity Management Day 2025 Identity Management Day 2025 ( https://www.idsalliance.org/event/identity-management-day-2025 ) will take place immediately after AI Fools Week on April 8. The awareness focus is a free, day-long online conference. The NCA and the Identity Defined Security Alliance play host to the event, which started in 2021. Of course, adhering to safe computing practices in this rapidly changing landscape is a 365-day per year battle (366 during leap years - LOL). Some might consider it impossible to avoid deepfakes for long because so much is beyond the individual’s control – especially in a GenAI world. But the silver lining is any improvement in protection is a positive and the event is geared toward promoting best practices. Higher Education Cybersecurity Digital Magazines Awareness days and weeks are nice and all, but this is also a daily effort where timely, helpful information made available within a few clicks is a vital asset. This is one way digital magazines can make a difference. Higher education might increasingly be operating ‘like a business’, but access to information from those who understand the unique higher education environment remains a plus. Fortunately, higher education cybersecurity professionals can find plenty of education-specific content without cost. It is true the mix of public sector, non-profit and for-profit websites are valuable. But targeted digital magazines also provide critical additional insight. Though not a comprehensive review, three sites appear to be among the leaders in this space. EdTech magazine’s cybersecurity site ( https://edtechmagazine.com/higher/security ), for example, published nine (9) new articles during a recent three-month period, featuring diverse topics like identity and access management (IAM), student BYOD security challenges, AI, and the age-old technical debt implications for security and privacy. Each article places the material into a higher education-centric context. One specific nice feature is the site’s article filtering, which allows readers to deep dive into 14 sub-topics in an instant. Campus Technology magazine has been a friend to the higher education IT community for some 35 years (known as Syllabus from 1988-2004 before adopting its current name). Cybersecurity has been part of its content for multiple decades and its website touts a cybersecurity portal ( https://campustechnology.com/Portals/Cybersecurity.aspx ) full of articles, podcasts, webcasts and whitepapers. The site included 10 articles in a recent 90-day timeframe and these included information about subjects ranging from AI, Educause HECVAT’s release, Jamf’s purchase of Identity Automation, etc. Education Technology Insights ( https://www.educationtechnologyinsights.com ) offers content spanning the education sector, with a focus on “…bringing forth a complete picture of how teachers are using different classroom technologies…”. Although there does not appear to be a cybersecurity-specific part on the site, there is plenty of content found via a general search. There are loads of higher education-focused sites that offer cybersecurity content, but most do not have it as a specific focus area. Inside Higher Ed, University Business, and GovTech are just a few. Of course, there are also many cybersecurity digital magazines that cut across all industries and certain content has implications for the education sector. Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Breaking the Silence: A CISO’s Guide to Beating Burnout

By John Schimanski March 12, 2025
Let’s talk about something that most Chief Information Security Officers (CISOs) hesitate to discuss, BURNOUT . Cybersecurity is a high-stakes, high-pressure field. The constant barrage of threats, the responsibility of protecting an organization’s digital infrastructure, and the expectation of being on-call 24/7 can take a toll. Burnout among CISOs and security professionals is real, prevalent, and dangerous , not just for individuals but for organizations as well. Burnout can manifest in various ways: self-medicating with alcohol or drugs, struggling with depression, losing the ability to make decisions, or feeling so overwhelmed that you shut down. The risk is even higher during crises, such as a major ransomware attack, where long hours and intense pressure become the norm. The good news? Burnout is preventable. Recognizing the signs early and taking proactive steps can make all the difference. Understanding Burnout in Cybersecurity Burnout doesn’t happen overnight; it’s a gradual process. Security professionals often start by feeling stressed and overworked, but over time, that stress turns into chronic exhaustion, cynicism, and decreased effectiveness . The key warning signs include: Constant fatigue despite adequate rest Loss of motivation or feeling disconnected from work Irritability or mood swings with colleagues or family Difficulty concentrating or making decisions Physical symptoms like headaches, insomnia, or muscle tension A sense of helplessness or feeling like you’re failing If these symptoms sound familiar, it’s time to take action. Strategies to Prevent and Combat Burnout 1. Take Strategic Breaks Security incidents demand immediate attention, but working under constant stress isn’t sustainable. Taking short breaks throughout the day can help lower stress levels. I personally step away from screens for at least 10 minutes every two hours to give my mind (and eyes) a reset. 2. Find an Outlet Beyond Work Engaging in activities that provide mental relief is essential. For me, that includes reading (both work-related and for pleasure), swimming, shooting, gaming, talking with friends, riding my trike, or going to the movies. Whatever it is for you, sports, music, art, hiking, find something that allows your brain to reset. 3. Use Your Vacation Time (and Actually Unplug!) Many of us accumulate vacation days but hesitate to use them, fearing work will pile up. Use your time off. Fully unplugging, even for a few days, can reset your perspective and prevent burnout from spiraling. 4. Set Realistic Expectations CISOs often feel like they must handle everything themselves. This mindset is a fast track to burnout. Know your limits and delegate where possible. If you have a team, trust them. Security is a team effort, and you don’t have to be a hero every day. 5. Prioritize Physical Health Regular exercise is one of the best tools against stress. Studies show that physical activity boosts serotonin and helps improve cognitive function. Even a short walk or stretching routine can have a profound impact on your mental state. 6. Create a Routine to Reduce Decision Fatigue CISOs make critical decisions every day. Over time, constant decision-making wears down mental resources. Structuring parts of your day, whether it’s a morning routine, meal planning, or even wearing the same style of clothing, can free up brainpower for more important decisions. Top executives, from Steve Jobs to U.S. presidents, rely on routines to reduce decision fatigue. 7. Get Enough Sleep (And Learn to Recognize Fatigue) It sounds simple, but lack of sleep is one of the biggest contributors to burnout. Fatigue affects judgment, reaction time, and emotional resilience. If you’re waking up exhausted, it’s time to reassess your sleep habits. Short naps can also provide quick recovery when needed. 8. Talk About It—Don’t Struggle Alone Burnout thrives in isolation. CISOs are often expected to be strong, resilient, and unshakable, but everyone needs support. Find someone you trust, a friend, colleague, mentor, or therapist—and talk about what you're experiencing. Sometimes, just saying things out loud can bring clarity and solutions. Final Thoughts Burnout isn’t a sign of weakness; it’s a signal that something needs to change. Recognizing the warning signs and taking proactive steps can prevent long-term damage to both your well-being and your career. If you’re feeling overwhelmed, step back, reset, and reach out. You’re not alone, and help is available. Cybersecurity is a tough job, but it shouldn’t come at the cost of your health and happiness.