While National Cybersecurity Month (October) and National Data Privacy Week (late January) seemingly growing in adoption, a couple of more-recent cybersecurity events will hopefully take that next step. AI Fools Week (Naturally Kicking off ‘AI’pril) The good folks over at the National Cybersecurity Alliance (NCA) have created their inaugural artificial intelligence (AI) awareness campaign, fittingly entitled “AI Fools Week”, taking place the Week of March 31 ( https://www.staysafeonline.org/aifools ). NCA even jokingly refers to the month as “AIpril”.  As is often the case, NCA offers a very well-done toolkit of tip sheets, infographics, posters, etc. for those looking to initiate a ‘be safe when using AI” campaign at their institution or place of business. One of the NCA toolkit’s more ironic, but interesting ideas is to leverage a concept dating back to Ancient Greece by creating a shared password (safe word) to combat “deepfake” voicemails, messages, even video calls. The kit suggests safe word systems are worthy for consideration beyond families – such as with fellow employees, close friends, caregivers and groups reliant upon virtual communication. Identity Management Day 2025 Identity Management Day 2025 ( https://www.idsalliance.org/event/identity-management-day-2025 ) will take place immediately after AI Fools Week on April 8. The awareness focus is a free, day-long online conference. The NCA and the Identity Defined Security Alliance play host to the event, which started in 2021. Of course, adhering to safe computing practices in this rapidly changing landscape is a 365-day per year battle (366 during leap years - LOL). Some might consider it impossible to avoid deepfakes for long because so much is beyond the individual’s control – especially in a GenAI world. But the silver lining is any improvement in protection is a positive and the event is geared toward promoting best practices. Higher Education Cybersecurity Digital Magazines Awareness days and weeks are nice and all, but this is also a daily effort where timely, helpful information made available within a few clicks is a vital asset. This is one way digital magazines can make a difference. Higher education might increasingly be operating ‘like a business’, but access to information from those who understand the unique higher education environment remains a plus. Fortunately, higher education cybersecurity professionals can find plenty of education-specific content without cost. It is true the mix of public sector, non-profit and for-profit websites are valuable. But targeted digital magazines also provide critical additional insight. Though not a comprehensive review, three sites appear to be among the leaders in this space. EdTech magazine’s cybersecurity site ( https://edtechmagazine.com/higher/security ), for example, published nine (9) new articles during a recent three-month period, featuring diverse topics like identity and access management (IAM), student BYOD security challenges, AI, and the age-old technical debt implications for security and privacy. Each article places the material into a higher education-centric context. One specific nice feature is the site’s article filtering, which allows readers to deep dive into 14 sub-topics in an instant. Campus Technology magazine has been a friend to the higher education IT community for some 35 years (known as Syllabus from 1988-2004 before adopting its current name). Cybersecurity has been part of its content for multiple decades and its website touts a cybersecurity portal ( https://campustechnology.com/Portals/Cybersecurity.aspx ) full of articles, podcasts, webcasts and whitepapers. The site included 10 articles in a recent 90-day timeframe and these included information about subjects ranging from AI, Educause HECVAT’s release, Jamf’s purchase of Identity Automation, etc. Education Technology Insights ( https://www.educationtechnologyinsights.com ) offers content spanning the education sector, with a focus on “…bringing forth a complete picture of how teachers are using different classroom technologies…”. Although there does not appear to be a cybersecurity-specific part on the site, there is plenty of content found via a general search. There are loads of higher education-focused sites that offer cybersecurity content, but most do not have it as a specific focus area. Inside Higher Ed, University Business, and GovTech are just a few. Of course, there are also many cybersecurity digital magazines that cut across all industries and certain content has implications for the education sector. Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Let’s talk about something that most Chief Information Security Officers (CISOs) hesitate to discuss, BURNOUT . Cybersecurity is a high-stakes, high-pressure field. The constant barrage of threats, the responsibility of protecting an organization’s digital infrastructure, and the expectation of being on-call 24/7 can take a toll. Burnout among CISOs and security professionals is real, prevalent, and dangerous , not just for individuals but for organizations as well. Burnout can manifest in various ways: self-medicating with alcohol or drugs, struggling with depression, losing the ability to make decisions, or feeling so overwhelmed that you shut down. The risk is even higher during crises, such as a major ransomware attack, where long hours and intense pressure become the norm. The good news? Burnout is preventable. Recognizing the signs early and taking proactive steps can make all the difference. Understanding Burnout in Cybersecurity Burnout doesn’t happen overnight; it’s a gradual process. Security professionals often start by feeling stressed and overworked, but over time, that stress turns into chronic exhaustion, cynicism, and decreased effectiveness . The key warning signs include: Constant fatigue despite adequate rest Loss of motivation or feeling disconnected from work Irritability or mood swings with colleagues or family Difficulty concentrating or making decisions Physical symptoms like headaches, insomnia, or muscle tension A sense of helplessness or feeling like you’re failing If these symptoms sound familiar, it’s time to take action. Strategies to Prevent and Combat Burnout 1. Take Strategic Breaks Security incidents demand immediate attention, but working under constant stress isn’t sustainable. Taking short breaks throughout the day can help lower stress levels. I personally step away from screens for at least 10 minutes every two hours to give my mind (and eyes) a reset. 2. Find an Outlet Beyond Work Engaging in activities that provide mental relief is essential. For me, that includes reading (both work-related and for pleasure), swimming, shooting, gaming, talking with friends, riding my trike, or going to the movies. Whatever it is for you, sports, music, art, hiking, find something that allows your brain to reset. 3. Use Your Vacation Time (and Actually Unplug!) Many of us accumulate vacation days but hesitate to use them, fearing work will pile up. Use your time off. Fully unplugging, even for a few days, can reset your perspective and prevent burnout from spiraling. 4. Set Realistic Expectations CISOs often feel like they must handle everything themselves. This mindset is a fast track to burnout. Know your limits and delegate where possible. If you have a team, trust them. Security is a team effort, and you don’t have to be a hero every day. 5. Prioritize Physical Health Regular exercise is one of the best tools against stress. Studies show that physical activity boosts serotonin and helps improve cognitive function. Even a short walk or stretching routine can have a profound impact on your mental state. 6. Create a Routine to Reduce Decision Fatigue CISOs make critical decisions every day. Over time, constant decision-making wears down mental resources. Structuring parts of your day, whether it’s a morning routine, meal planning, or even wearing the same style of clothing, can free up brainpower for more important decisions. Top executives, from Steve Jobs to U.S. presidents, rely on routines to reduce decision fatigue. 7. Get Enough Sleep (And Learn to Recognize Fatigue) It sounds simple, but lack of sleep is one of the biggest contributors to burnout. Fatigue affects judgment, reaction time, and emotional resilience. If you’re waking up exhausted, it’s time to reassess your sleep habits. Short naps can also provide quick recovery when needed. 8. Talk About It—Don’t Struggle Alone Burnout thrives in isolation. CISOs are often expected to be strong, resilient, and unshakable, but everyone needs support. Find someone you trust, a friend, colleague, mentor, or therapist—and talk about what you're experiencing. Sometimes, just saying things out loud can bring clarity and solutions. Final Thoughts Burnout isn’t a sign of weakness; it’s a signal that something needs to change. Recognizing the warning signs and taking proactive steps can prevent long-term damage to both your well-being and your career. If you’re feeling overwhelmed, step back, reset, and reach out. You’re not alone, and help is available. Cybersecurity is a tough job, but it shouldn’t come at the cost of your health and happiness.

A little cottage industry seemingly arises at the conclusion of each decade, joyously pointing out those long-since forgotten, failed techy items from the past 10 years that were supposed to impact the world but were miserable failures instead. While we are only at the midpoint of the 2020s, it is safe to say AI will not be the next Google Glass, 3D television or the loads of other mainstays on the 2010s lists of IT infamy. Higher education quickly realized both the potential AI positives and negatives as it applied to the teaching, learning and academic research space (think plagiarism on one hand matched against the prospect of personalized learning on the other). Underscoring this fact is the groundbreaking recent announcement that the California State University System intends to become the nation’s “first and largest AI-empowered university system” ( https://www.calstate.edu/csu-system/news/Pages/CSU-AI-Powered-Initiative.aspx ). However, AI adoption for administrative tasks – providing desperately-needed help as struggling institutions look to lower costs, attract/retain more students, and obtain external support via fundraising, grants, etc. – has been a little more deliberate. But this is changing fast, as it seems every higher education information system vendor is now flexing its AI muscles – or at least the sales and marketing teams are doing so. Phrases like ‘Throw your CRMs into the trash bin because mine innovates using AI’ or ‘I’ll see your legacy registration system and raise you a machine language course schedule wizard’ are lurking in that sea of PR if you read between the lines hard enough. The fear of missing the AI train must be balanced because higher education cybersecurity and data privacy risks because AI requires data and that’s where things get complicated. Higher education is always among the most vulnerable industries because its data is so valuable to cyber attackers, and it is considered an easy target. No industry has the combination of user churn, number of inexperienced and casual users, the plethora of personal devices, and an overriding culture of openness. Couple it with IT budgets and staffing often facing unprecedented challenges and it is a mix that attracts bad actors from across the globe. The increasing AI usage will likely bring even more frequent, more sophisticated attacks. Adding to the complexity is the presence of shadow systems housing sensitive or confidential data lurking in higher education for some 40 years. Among the relevant examples are a power user downloading student fiscal data onto a personal hard drive, a researcher locally storing sensitive data, and an office which has deployed an information system for which the IT department does not even know exists. Consider the dark possibilities if a user innocently exposes such data to a GenAI model.  This all means answers to traditional questions like ‘Where is the data actually stored and what security measures exist for that data both at rest and in transit?’ and ‘How robust are the tools restricting data access?’ deserve more scrutiny than ever. Perhaps more importantly, the question of ‘Does my executive who listened to AI hype at a conference last week and is now eager to buy an AI-infused product fully grasp the potential risk?’ At one time, it may have taken a concerning cybersecurity audit finding to catch the attention of the institution’s board or cabinet. But these can no longer those times and executive recognition of AI risk up front is critical. Executive leadership should prioritize the creation of practical, common-sense policies governing AI usage. Tactical and operational leadership needs empowered to keep those policies up to date and to make key decisions on tools and techniques to help keep data safe. They can then build appropriate procedures, guidelines, standards, FAQs, and best practices so users can effectively work in an emerging AI world. Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

The highly anticipated Version 4 of The Higher Education Community Vendor Assessment Toolkit TM (HECVAT) has arrived, which is big news for the higher ed. IT community and the software vendors who serve the industry. For HECVAT veterans, the inclusion of AI-related questions for vendors probably serves as HECVAT 4’s major highlight. The critical area of data privacy also receives a more in-depth treatment. It also includes a streamlined process for vendors attempting to complete the assessment, which should hopefully lead to even more assessed products. According to The Research & Education Networks Information Sharing & Analysis Center (REN-ISAC), vendors offering nearly 200 products have completed a HECVAT assessment. REN-ISAC tracks the current list ( https://www.ren-isac.net/hecvat/cbi.html ) as reported by vendors. Educause has a dedicated Version 4 webpage ( https://er.educause.edu/articles/2025/2/hecvat-4-better-than-ever ) for those with HECVAT experience, bringing together relevant HECVAT 4 enhancements and other details. Much thanks go to the 21 individuals who served as HECVAT 4 volunteers and the nine-person HECVAT Advisory Committee. These folks join dozens of others who have pitched in over the years. For newcomers, HECVAT is a no-cost questionnaire for vendors intended to assess cybersecurity, risk mitigation and privacy practices applicable to a product. Created in 2016 and governed by a mix of higher education IT experts along with industry heavyweights like Educause, REN-ISAC, and Internet2, HECVAT is fortunately driven by the higher education community itself. Compliance to items driven by an external force - such as federal or state law - may not meet the industry’s evolving needs in a complete and/or timely manner. The HECVAT questionnaire for vendors is very extensive. Depending on certain factors, vendors can be asked to supply some 350 general facts or answers to questions in offering institutions a complete assessment. Like the HECVAT itself, the questionnaire is higher education-centered, which is a big plus. Questionnaire components include: Organization Details Documentation of cybersecurity-related items, how the vendor assesses third parties it uses, change management, and policies, processes, procedures. Product Authentication, authorization, account management, and data. Infrastructure Application and service security, datacenter, firewalls, ID, PIS and networking, incident handling, and vulnerability management. IT Accessibility Various elements of accessibility Case-Specific Consulting services, HIPAA and PCI compliance, and on-premises data AI General information, policy, security, machine learning, and LLM from an AI perspective Privacy General information, company details, documentation, third parties, chance management, sensitive data, policies and procedures, international-specific items, data, and AI from a privacy perspective HECVAT also provides institutions with an impressive customizable mechanism to evaluate the vendor assessment based on institution-specific requirements and priorities. Educause supplies a brief video demonstration for institutions ( https://www.youtube.com/watch?v=yC3_cK0e1bg ) and more complete tips and best practices for written format ( https://www.educause.edu/higher-education-community-vendor-assessment-toolkit/how-to-use-the-higher-education-community-vendor-assessment-toolkit ). Institutions can use these results to determine if the product is viable – or even preferable – based on how the product complies with the institution’s expectations or requirements. The questionnaire’s goal is to provide institutions with a deep perspective on a software product’s status in the critical areas of cybersecurity and privacy. It also holds the potential to look at competing products in these areas with an apples-to-apples to view. More than 180 higher education entities have publicly reported their use of HECVAT. Since some of these entities are consortiums or State Systems and some likely have not reported usage publicly, the number of actual institutions using HECVAT is larger. The HECVAT 4 expansion into AI, privacy, etc. should bring even more participation. The go-to resource for ‘all things HECVAT’ is part of the Educause website ( https://www.educause.edu/higher-education-community-vendor-assessment-toolkit ). The FAQ sections for institutions and corporations are most helpful for both the novice and the experienced individual. Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Higher education institutions performing research and other partnerships with Federal Government agencies are relied upon for insights and advancements but also for their ability to secure sensitive data associated with this work. For over a decade the Federal Government has relied upon contractual agreements and self-assessments to confirm that strict cybersecurity controls were in place. However, such self-assessments have proven inadequate and have resulted in weak security controls, sensitive information leakage, and even lawsuits charging false claims against universities for failure to implement contractual obligations. Enter the Cybersecurity Maturity Model Certification (CMMC) —a framework designed to ensure robust cybersecurity practices and independent review of their implementation across the supply chain. For higher education institutions, understanding and implementing CMMC is not just a matter of compliance but a necessity for long-term success. The Importance of CMMC Higher education institutions often serve as hubs for federally funded research and development. These projects frequently involve sensitive information that must be safeguarded from malicious actors. Understanding CMMC and its implications on higher education is crucial for several reasons: Critical Deadline: December 16, 2024 On this date, the final rule for CMMC went into effect, making compliance mandatory for any organization handling controlled unclassified information (CUI) or pursuing Department of Defense (DoD) contracts. For higher education institutions, this deadline solidifies the importance of aligning with CMMC to maintain eligibility for government research grants and contracts. Protecting Federal Research and Contracts : Many universities conduct research funded by the DoD. CMMC compliance ensures they remain eligible for these critical projects. Building Trust with Stakeholders : Compliance with CMMC demonstrates a commitment to safeguarding data, fostering trust with government agencies, private sector partners, and the broader academic community. Reducing Cyber Risks : Universities are prime targets for ransomware, intellectual property theft, and espionage. CMMC provides a structured approach to mitigate these risks. Why It Is Important The higher education sector is no stranger to cyberattacks. From ransomware to phishing schemes, the threats are constant and evolving. For institutions managing sensitive government contracts, the stakes are even higher. Non-compliance with CMMC after December 16, 2024 can result in: Loss of Funding : Failure to meet CMMC standards could lead to the loss of lucrative research contracts and grants. Reputation Damage : A cybersecurity breach can erode trust and damage an institution’s reputation, affecting enrollment and partnerships. Increased Liability : Universities that fail to secure sensitive data may face legal and financial repercussions. What Higher Education Institutions Can Do So, how can your institution prepare for CMMC compliance? Here’s a roadmap to get started: Train Your Workforce - Ensure that your organization fully understands how to recognize areas that need to be secured, the CMMC requirements, and how to get started. Complete a CMMC Readiness Assessment - Work with a CMMC expert to identify your sensitive data (FCI and CUI), inventory assets, create network and data flow diagrams, and limit assessment scope through architecture. Complete a CMMC Self-Assessment - Assess each of the control requirements against your implementation. Determine remediation measures. Implement Missing Critical Controls Access Management : Ensure that only authorized personnel can access sensitive systems. Multi-Factor Authentication (MFA) : Add an extra layer of security to user accounts. Data Encryption : Protect data at rest and in transit with encryption protocols. CMMC - specific Documentation : policies (e.g., access control, awareness and training), Plans (e.g., System Security Plans, Incident Response Plan, Contingency Plan), and other documents (e.g,., list of authorized users, facility diagram, risk mitigation procedures).  Engage the appropriate Professional (e.g., for Level 2 a Certified Third-Party Assessment Organization (C3PAO) to perform a CMMC certification assessment. Conclusion The December 16, 2024, CMMC deadline underscores the urgency of preparing now. Compliance is more than a regulatory requirement—it’s a commitment to safeguarding the future of higher education. By taking proactive steps to secure systems and data, universities can protect their research, reputation, and partnerships. Don’t wait for a cyber incident to take action. Start your CMMC journey today and ensure your institution is prepared for the challenges ahead.

With cyber threats growing at an alarming rate, National Data Privacy Week (January 27–31, 2025) serves as a critical reminder: Take Control of Your Data. For many school leaders, cybersecurity can feel like an overwhelming challenge, filled with technical jargon and uncertainty. However, protecting your district from cyberattacks doesn’t have to be an insurmountable task. The Rising Threat to Schools An improved cybersecurity posture begins with recognizing that schools are increasingly targeted by cybercriminals due to the wealth of sensitive information they manage— student records, financial information, and staff credentials . The consequences of a cyberattack go far beyond operational disruption; they can impact student safety, community trust, and district finances. Here are some of the most common cyber threats facing school districts today: Ransomware – Hackers lock critical systems and demand payment for their release. Phishing Emails – Deceptive messages trick users into revealing sensitive information or downloading malicious files. Data Breaches – Unauthorized access to sensitive student and staff data, leading to privacy violations and financial losses. Because student and staff safety are paramount in school district operations, the consequences and repercussions of these attacks can be severe and long-lasting. This makes it essential for districts to prioritize cybersecurity. As a school district leader, you have the power to strengthen your district’s defenses. 5 Steps to Fortify Your District’s Cybersecurity 1. Conduct a Cybersecurity Audit Start by assessing your current systems to identify vulnerabilities. Understanding your district’s weaknesses is the first step toward building a stronger defense. 2. Develop a Cyber Incident Response Plan A cybersecurity strategy is just as crucial as a physical security plan. Outline clear protocols to detect, contain, and recover from cyber incidents. Conduct regular drills to ensure your team is prepared to act swiftly when a threat arises. 3. Provide Cybersecurity Training for Staff & Students Your best defense is awareness . Equip educators, students, and families with the knowledge to recognize phishing attempts, suspicious links, and unsafe online behavior. Cybersecurity is a shared responsibility. 4. Invest in Essential Security Tools Implementing firewalls, encryption, multi-factor authentication, and endpoint protection can significantly reduce the risk of cyber threats. Strong defenses begin with the right technology. 5. Seek Expert Support Partnering with cybersecurity professionals can provide the specialized guidance needed to protect your district. Consider working with trusted security advisors, local law enforcement, and government agencies , and evaluate whether cybersecurity insurance is a worthwhile investment. Take Action This Data Privacy Week National Data Privacy Week 2025 is the perfect opportunity to kickstart or enhance your district’s cybersecurity strategy. Whether it’s conducting an internal security review, hosting a cybersecurity awareness session, or drafting an incident response plan, every step forward matters. At TriVigil , we understand that taking control of cybersecurity can feel daunting, which is why we offer a Quick Start program—helping districts move from cyber insecure to cyber secure with practical, actionable solutions. Want to learn how to strengthen your district’s defenses? Let’s take the first step together. Scott Bailey provides contracted consultant services to TriVigil.

The body content of your post goes here. To edit this text, click on it and delete this default text and start typing your own or paste your own from a different source.

With National Data Privacy Week just days away (Jan. 27-31, 2025), this year’s theme of “You have the power to take charge of your data” does a terrific job of focusing attention where it is warranted. So, how exactly do we ‘take charge’? A great place to start is to use Jan. 27-31 as that time to educate yourself, clean up where your online private data lives, and develop a plan to regularly keep providers from unnecessary access. You are typically the customer of online tools (email accounts, online services, social media accounts, web browsers, mobile apps, online gaming, etc.), and it is time to wield that authority. Your private data is worth a fortune to some of these providers, but you do not need to be a computer whiz or a cybersecurity expert to reign in those who covet your data. Accepting and acting on that empowerment is the key concept. An early step is to review the proliferation of tools you have accumulated that you no longer need and get rid of them. This will narrow the risk immediately. A few of us (and we know who we are!) have been piling these up dating back more than 25 years. Anyone remember when the predecessor of AOL burst onto the scene in 1985 to provide Commodore 64 users the ability to connect online? That’s 40 years ago as of this writing if you are keeping track. It is long past time to sweep away those old tools and even newer ones that are neither enriching nor simplifying your life. Private data is often collected by these tools and is possibly shared even if not actively used. Our contacts, photos, and where we live could be among these items. Set the bar high and wipe out the rest. With the online trash moved to the dustbin of our histories, it is time to look at the big players in our lives. Deep dives into privacy settings for some 150 tools can be found at the terrific National Cybersecurity Alliance ‘Manage Your Privacy Settings’ site ( https://www.staysafeonline.org/articles/manage-your-privacy-settings ). The May 2024 edition splits privacy settings links across 17 categories for quick review - everything from mobile banking to dating sites. Reviewing the list is also a great way to jog your memory of that mobile app you signed up for 10 years ago but have long forgotten about. This is where the value judgment with your most important tools is critical. “How much convenience do I want vs. how much privacy do I require?” is the defining question, but it likely will not result in a common answer across all the tools we access. For example, not providing your zip code may mean you have to entire it manually upon every visit to that site. How important is the time and hassle of typing in your zip code each time? It all depends on the value added. When in doubt, there is typically no harm in locking down your privacy settings to the strictest level possible. If the provider’s options are either too limited or the tool becomes lousy when you tighten the settings, replacing it with a competitor offering more privacy options should be on the table. A provider failing to protect your private data by now may never improve until a new law forces their hand. Fortunately, elected leaders are increasingly forcing those who possess our data to ensure privacy of that data is respected. Besides the traditional federal level laws executed via HIPAA, GLBA, and FERPA, various states have taken it further by authoring their own data privacy laws. According to the International Associate of Privacy Professionals ( https://iapp.org ), similar laws had been signed in 19 states by early 2025 and several others were in the law-making process. The most well-known and first of these is the California Privacy Rights Act (CRPA) ( https://oag.ca.gov/privacy/ccpa ). Taking control of your private data will likely be time consuming, it may degrade the value of some tools, and it might even result in changing providers – such as switching web browsers or email clients. However, making data privacy a regular part a safe computing commitment is time well spent! Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

When it comes to all things cybersecurity, one is wise to always be thinking ahead. So – in a sense – 2025 should probably be well underway in the minds of the higher education Cybersecurity Family, including for ‘cousins’ like the data privacy clan. Along these lines, one great New Year’s resolution is to kick off 2025 by embracing the 4th Annual Data Privacy Week, taking place January 27-31. Although a recent idea, the event’s roots date back more than 40 years. According to the Federal Privacy Council (FPC), established by presidential executive order in 2016, Data Privacy Week honors the January 28, 1981 signing of the first legally binding international treaty addressing the protection of data in an increasingly digital world. That January 28 date was designated National Privacy Day in the U.S. beginning in 2009 via congressional resolution. Privacy Day was expanded into a full work week in 2022. Granted, the concept of data privacy extends well beyond a classic data breach. Cybersecurity and data privacy, therefore, certainly do not share a definition. But with so much privacy compromised by countless cyberattacks, it is easy to see why the public may equate them. At a high level when it comes to data, cybersecurity is focused on protecting private data and data privacy is more about individuals taking control of their own data. Perhaps the European Union’s General Data Protection Regulation (GDPR), which sent shock waves through the U.S. higher education world when it was passed in 2016 and in effect in 2018, might remain the ultimate example of that difference. GDPR and its ‘right to be forgotten’ clause added an entirely new burden for colleges and universities trying to figure out how to delete data about a person, often in a surgical manner. Even figuring out what data elements the individual is allowed to have erased based on their relationship with the institution can be a time-consuming task. The institution must also contend with data retention requirements before acting. Data on individuals who never became part of the institution community - such as a recruit from 15 years ago who never enrolled but filed a financial aid return or perhaps a prospective donor who filled out a survey during homecoming but then never responded to further outreach – was everywhere in the pre-GDPR days. Data for student recruits on a search tape who never even applied could be stored in student information systems, ancillary systems (CRMs, etc.), data warehouses, little shadow Access databases living on some power user’s hard drive and in office staff spreadsheets. The potential damage caused by breaches and lack of user knowledge has simply exploded from there. A complicating factor for the institution is personal and institutional private data about an individual are ever-more deeply intertwined. In a social media and mobile device-centric world with AI entering seemingly every realm at lightning speed, both the individual and the institution benefit from added data privacy. As we know in the education sector, a critical first step is learning an discovering a solution before it is too late. Fortunately, some institutions have taken the lead in adopting Data Privacy Week with information tailored to a higher education community. These are terrific examples of an institution benefitting its community, which in turn benefits the institution. Yale University is among these leaders in spreading the work in a manner tailored to a campus community where there are many layers and differences among users. Yale’s Data Privacy Week webpage ( https://cybersecurity.yale.edu/data-privacy-week ) provides an extended video from experts, links to foundational resources from entities like the Federal Trade Commission and the National Cybersecurity Alliance, and a link to the National Privacy Test from NordVPN ( https://nationalprivacytest.org/ ). Other content is also included. Speaking of the National Cybersecurity Alliance (NCA), a key part of its site provides direct links to the privacy setting webpages at some 150 of the most popular apps, platforms and corporations ( https://www.staysafeonline.org/articles/manage-your-privacy-settings ). NCA provides a toolkit to support action steps for those who ‘Become a Champion’. Details can be found at its National Data Privacy Week webpage ( https://www.staysafeonline.org/data- privacy-week ). While our users will soon focus on improving themselves using those new year’s resolutions, resolving to enable them in taking control of their own data is a marvelous way to kick off 2025 and National Data Privacy Week is just the ticket. Bill Balint is the owner of Haven Hill Services LLC, contracted as the Advisory CIO for Education at TriVigil.