PHOTO CREDIT: PEACH_ADOBE/STOCK.ADOBE.COM
You’ve seen the headlines. “Cyberattack keeps Iowa’s largest school district closed.” “Ransomware attacks against schools are on the rise. Are Forth Worth districts ready?” “Cyber attack leaves school board’s employee data compromised.” “San Benito school officials outline cyber attack.” “Ransomware attack forces Mass. school district to cancel classes.” In May, Facebook parent company Meta was fined $1.3 billion for violating European Union data privacy rules.
In response, your district has established a data governance framework, a data breach incident plan, and data privacy policies, in compliance with state law, and with advice from your school attorney and IT experts. You have cybersecurity insurance coverage.
Your staff is now trained on data security protocols, classroom app use requirements, and education records concerns. School staff employment records are secure in your district’s data platforms.
What now?
As Congress considers federal legislation to regulate online service providers whose platforms are used by youth, and the Department of Education considers updating its own regulations, school officials can refamiliarize themselves with the key components of best practices for data security and privacy. Below are key concepts to keep on your radar as we enter a new era of data regulation, including questions to ask as you review your policies.
Data security remains a concern. Data security describes the protections in place to prevent unauthorized access to or acquisition of personal student and staff information. Think of locking a file cabinet, and providing the key or combination only to people who need the records inside to do their jobs. Data security also includes using tools like encryption when transmitting personal data electronically, requiring school district employees to use passwords to access files containing personal data, and installing software that detects intruders in the computer network.
Data security threats abound, and the costs are real. Some common threats are malware, phishing, and vishing. Malware is software designed to overtake or disrupt a system. It can have various names—viruses, worms, trojan horses, ransomware, spyware, adware, and the like. Phishing is email activity that attempts to obtain a person’s username and password or sensitive data such as Social Security numbers, driver’s license, credit card security, or bank account information. Often criminals will use the username and password to log in to the person’s email to obtain personal information.
Vishing is the telephone version of “phishing.” The idea is to trick a person into providing sensitive information to steal the person’s identity or commit fraud. Sometimes the caller attempts to get the person to install malicious software. Ransomware remains a big threat, too. It continues its upward trend, with an almost 13% increase in 2020.
An industry report shows a 10% increase in the average total cost of a breach in 2020-21. It was the second consecutive year that the U.S. education sector had the highest occurrence rate of ransomware attacks.
Ask: Does our district’s data governance framework address:
- Access control?
- Intrusion detection?
- Loss prevention?
- Security risk assessment?
- Physical security?
- Disaster recovery and/or business continuity?
Data privacy remains a concern as digital tools expand. Data privacy refers to concerns about the collection and use of personal information of both students and staff. Schools collect student names, addresses, dates of birth, Social Security numbers, demographic, contact, academic, and other identifying information for inclusion in each student’s record. Schools also collect employees’ personal information, compiled into each employee’s personnel record. Schools monitor the use of such data carefully.
One way to protect data privacy, for example, would be to assess whether student names and email addresses are shared with a third-party vendor. Does that vendor then use that information to send marketing materials to the students? If so, limit or prohibit such sharing. Data privacy also can include close controls on how student records are shared with students, their parent or guardian, teachers and other school staff, and other third parties, consistent with the requirements of the Family Educational Rights and Privacy Act (FERPA) and state laws. And data privacy includes how school districts handle employee data, under applicable federal and state laws.
“For the second calendar year running, at least 75 percent of all data breach incidents affecting U.S. public K-12 school districts were the result of security incidents involving school district vendors and other partners … the most significant vector of data breaches impacting education settings— in terms of numbers of individuals affected—are education tech vendors and other trusted non-profit and government partners.” —The State of K-12 Cybersecurity: Year in Review - (2022 Annual Report)
Ask: Does our district’s data governance framework address:
- Governance
- Cross-border data transfers
- Notice and access to data subjects
- Consent management
- Privacy impact assessments
- Privacy by design
- Retention/destruction?
The legal landscape is a patchwork. At the federal level, we still have limited laws and regulations, most of which were written before the digital era. To date, there is no overarching federal data notification law.
Many of these laws regulate the companies that hold and use data through applications they market to schools. The most well-known law regulating these companies is the Children’s Online Privacy Protection Act (COPPA), which describes what steps online service providers must take to protect the data their applications collect from children under 13. COPPA generally requires that these companies provide notice of their data collection practices and obtain verifiable parental consent. Schools can consent on behalf of parents if the collected information is used for an educational purpose only, not for a commercial purpose.
Schools are regulated at the federal level by FERPA and the Protection of Pupil Rights Amendment (PPRA). FERPA prohibits school districts from disclosing, except in limited instances, personally identifiable information (PII) contained in students’ education records without the consent of the parent or eligible student. Educational records may include a range of written and electronic files. Generally, anything is considered PII in an education record, including emails and other communications or documents created by students, teachers, and administrators, and is governed by FERPA.
Trends in data security and privacy to keep
on your radar:
- Department of Education and state regulator incident notification
- Data subject rights and access requests
- Employee and third-party data collection
- Cyberwarfare
- Artificial intelligence and machine learning
There is a “school official” exception, which allows a district to disclose FERPA-protected records without consent to a contractor, like an online service provider, to whom the school has outsourced an institutional service or function. The designated “school official” must perform a function that the school or district would otherwise have used its own employees to perform. The school district must set up reasonable methods to ensure that the service provider/school official accesses only student records in which it has a legitimate educational interest. The service provider must be under the direct control of the district regarding the use and maintenance of the records. The provider must use FERPA-protected information “only for the purposes for which the disclosure was made,” and refrain from disclosure to other parties without authorization.
The PPRA requires schools and contractors to make certain instructional materials available for inspection by parents and to obtain written parental consent before requiring minor students to participate in some surveys, analyses, or evaluations that reveal information concerning certain subjects. The law also requires school districts to develop policies in consultation with parents on the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information. School districts must give parents at least an annual notice of PPRA policies, an opportunity to opt out of instructional activities related to these subjects, and notice of specific events surrounding these subjects.
These federal laws provide a floor of protection and basic requirements regarding data protection, but most of the detailed regulation affecting data security and privacy thus far has occurred at the state level. All 50 states have data breach laws, and now states are adding to their data security law requirements. Most states also have data privacy laws that touch schools in some way. States like California have broad-reaching statutes that affect online service providers and schools. School district leaders should be in contact with their school attorney and IT professionals to ensure compliance with state law.
In spring 2023, senators from both sides of the aisle introduced two bills that could, if passed, expand protections for youth data online. The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) bill would prohibit internet companies from collecting personal information from users who are 13 to 16 years old without their consent; ban targeted advertising to children and teens; and revise COPPA’s “actual knowledge” standard, among other requirements. The Kids Online Safety Act bill would require social media platforms to limit minors’ exposure to addictive algorithms and to give parents new controls.
Now is a good time for schools to review data policies. The federal bills currently in play address online service providers, which may require review a of your district’s current contracts with such providers. Legislative and regulatory changes affecting schools may not be far behind. As we head into an unprecedented era of online data threats and potential new regulation, schools can take the opportunity to make sure their current policies comply with current law while keeping in mind changes that may be needed in the future.
Below is a checklist that can help you start conversations with your school attorney, IT professionals, leadership, and community on this topic.
- Develop and implement a data breach incident response plan and training for key leaders.
- Assess administrative, technical, and physical controls on data.
- Evaluate infrastructure in place to work with third-party vendors, including online service providers.
- Regularly audit and test security measures.
- Regularly review the incident response plan.
- Train, train, train. The skills to prevent data breaches are perishable and require refreshers. As new threats arise as technology shifts, the need to stay up to date is imperative.
Sonja H. Trainor (strainor@nsba.org) is NSBA’s managing director of legal advocacy. This article was adapted from materials prepared for the COSA School Law Seminar April 2023 by Ilya Smith (ismith@clarkhill.com), senior counsel, Clark Hill, Chicago, Illinois.
Share this content