When a phishing email put the private data of a Provo, Utah, school district at risk back in 2014, officials were taken off guard. The district responded by meeting with each of its employees face to face, then offered a year of credit monitoring, changed its protocols for handling sensitive information and retrained employees so they could better identify potentially malicious scams.
“It was a kind of learn-as-we-went-along kind of thing,” Caleb Price, the spokesman for the 13,000-student district, told Education Week.
Today, however, school districts are increasingly likely to have a response plan in place when data breaches occur.
1970s Federal Law Protects Data
The Family Educational Rights and Privacy Act of 1974 (FERPA) set the stage for protecting schools’ data. This federal law protects the privacy of educational records and applies to any school that receives U.S. Department of Education funds.
“FERPA gives parents certain rights with respect to their children’s education records,” the Department of Education explains. “These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.”
Separately, 48 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have individual security breach notification laws (Alabama and South Dakota are the holdouts). The laws, which are generally aimed at both the private and public sectors, share many similarities from state to state, though ZDNet estimated that “North Dakota’s policy is probably the most lax, while Virginia’s law is considered among the toughest, which isn’t really surprising given that the state is a hub for federal contracting and consulting.”
Safeguards against security breaches can be particularly challenging for schools, Chris Paschke, the director of data privacy and security for the 86,500-student Jeffco public schools in Golden, Colo., told Education Week: Technology constantly changes, and in the classroom setting there is a need to balance security against educational freedom and creativity. Solutions include log management and insurance.
“What’s unique to our industry is balancing that need for teachers to be able to explore and be innovative and creative with technology, versus keeping kids and their data and all of our district members’ data safe,” Paschke said.
Security Plan Basics: Protect Security, Communicate the Plan, and Be Ready to Respond
In addition to laws, organizations like the Consortium for School Networking (CoSN) have stepped in to offer frequently updated protocol suggestions and guides. CoSN’s Smart Education Networks by Design (SEND) program publishes reports and white papers for schools to use as a reference to build or renovate their data security programs. The organization’s Education Network Security plan suggests that education technology leaders:
- Develop policies and procedures for maintaining network security
- Craft an effective communication and professional development strategy to clue teachers, staff, volunteers, students and parents into the importance of good security
- Initiate a prevention plan customized to the particular school or district
- Create an incident response and mitigation plan to handle what happens when a breach does occur
“Network security threats are real and looming,” SEND’s executive summary states. “Experts predict that these types of incidents are on the rise and will only become more frequent, rendering every school district vulnerable to attack. For this reason, every school district should have a network security strategy in place to address the inevitable.”
The U.S. Department of Education has its own data breach response checklist, a 14-page synopsis that covers what to do before and during a breach.
“Attacks against computer systems are often targeted at PII (personally identifiable information), and being able to detect, respond to, and recover from these incidents as quickly as possible can limit the amount of damage that such attacks can do,” the checklist states. “Having a robust data breach response plan, documented in writing, as part of an overarching incident response program provides an organization the tools and structure necessary to efficiently assess, manage, and mitigate a breach, while maintaining compliance with the privacy laws.”