The San Diego Unified School District in December 2018 announced on Twitter that an “unauthorized user gained access to a district database.” Someone had been stealing sensitive district data since January of that year.
The breach was massive, involving more than 500,000 records. It included student and staff personal data, such as addresses and telephone numbers; social security numbers; emergency contact information; student schedules; disciplinary information; student and employee health information; employee benefit information; payroll information; and much more. The incident made national news. The district was required by law to send out a data breach notice to those who were potentially affected.
Incidents like this can wreak havoc on a school system and can have a devastating impact on the public’s trust. Parents, students, employees, and even school visitors necessarily put their faith and trust in public schools to protect the increasingly vast amounts of personal data that are collected.
The types of data that are collected can be very valuable to cybercriminals. Board members, school administrators, parents, and employees need to be aware of cybersecurity risks and concerned about the security of public school networks and electronic information. Yet research shows that most schools seem unprepared to protect this information.
The San Diego Unified example is only one of many recent breaches and attacks. In 2018, there was an unprecedented number of cyberattacks against schools. This led the FBI to issue a public service warning in September 2018 with a headline of “Education Technologies: Data Collection and Unsecured Systems Could Pose Risks to Students.” A series of strikingly similar phishing scams fooled public school HR officials over a two-year period at Rockdale Independent School District, Texas; Scottsboro Public Schools, Alabama; School District of Manatee County, Florida; and Glastonbury Public Schools, Connecticut; among others.
In each of those cases, an HR employee complied with an email that appeared to be from the school’s superintendent asking for copies of all employee W-2s. The cybercriminals then used the information to file false tax returns and obtain fraudulent direct-deposit refunds. The scam was so widespread, and so heavily focused on schools and other public institutions, that the U.S. Department of Education issued a specific warning to schools about the attacks.
Other phishing scams targeted school employees, including ones where employees are tricked into entering usernames and passwords. Despite the warnings and the patterned nature of the attacks, they continued to be successful in schools across the country.
The similar nature of these types of attacks, as well as their repeated success over several years, tells us something important: Schools are not taking the necessary steps to raise awareness about and prevent cyberattacks. These types of attacks are largely preventable if schools take certain actions. Those actions include staying abreast of current trends; taking precautions to fortify school networks against hacking and malware attacks; and putting into place mechanisms to quickly recognize, contain, and address breaches.
Schools also should provide meaningful student and staff training on recognizing, preventing, and reporting phishing attacks that prey upon everyday users. While no institution can guarantee that proper training will eliminate all risk, such training can dramatically reduce the risk of breach by heightening awareness and ensuring that students and staff are on guard against future threats.
Ransomware is another issue that poses an increasing threat to public schools. As with the phishing incidents, the U.S. Education Department issued a warning to schools about ransomware attacks in 2017. Ransomware schemes were once carried out only by sophisticated hackers. Over the past few years, however, entrepreneurial cybercriminals have begun offering ransomware-as-a-service, essentially leasing out malware and thereby extending the ability to use it to those with little to no technical skill.
With more criminals able to carry out ransomware attacks, the number of attacks has increased. There also have been incidents of ransom demands in schools, such as in the Columbia Falls School District in Montana. There, the monetary demand was accompanied by threats of violence against the students if the demands were not met. Many of these threats were made directly to parents, whose email contact information the hackers had obtained in the breach.
The use of threats of bodily injury heightens the already significant stakes. Schools considering nonpayment need to assess not only their ability to restore the data on their own, but also the physical threats being made. In Columbia Falls, the district ultimately concluded that the threats were not credible, and it did not pay the ransom. Many schools, however, may not be willing to take that risk. Even if the threats are not credible, those types of situations can cause long-term unease in a school community. Regardless of what decision a school makes, it is imperative that schools work with law enforcement in such cases.
Vulnerable, Unprepared Schools
In recent years, public schools have increased spending on new technology initiatives, thanks in part to increased federal and state technology subsidies under the ESSA and a variety of state-level initiatives. By contrast, spending on cybersecurity does not appear to be increasing at the same rate. Research suggests that this spending gap may stem from a failure of schools to recognize the potential problems.
Despite the vast amounts of data that schools maintain on their servers, according to a 2018 study conducted by the Consortium of School Networking and EdWeek.org, an alarmingly small percentage of technology administrators had concerns about such significant data breach issues as malware and viruses (27 percent), identity theft (17 percent), unauthorized disclosure of student data (19 percent), and unauthorized disclosure of teacher data (15 percent).
In addition, despite the steady increase in attacks that prompted the FBI, IRS, and U.S. Department of Education warnings to schools, only 55 percent of school technology administrators recognized phishing as a significant issue. Only 23 percent recognized ransomware as significant. These numbers reveal that schools still have a long way to go with regard to cybersecurity, and the journey needs to begin with awareness at the top levels of administration.
Most schools rely upon vendors for crucial technology, including student and employee data management systems, cloud-based storage, networking, electronic communication systems, and grade reporting systems. These vendors take on responsibilities that may subject schools to significant legal liability. It is important for schools to remember that these vendors are providing services on behalf of the schools. In many instances, schools can be held legally responsible for actions, inactions, and/or problems caused by these vendors.
It is imperative that schools thoroughly vet technology vendors, closely examining their histories and past issues. Vendor contracts should be reviewed by legal counsel. School attorneys can ensure that the contracts are consistent with applicable state and federal laws and that appropriate indemnification provisions are in place if a vendor’s product, procedures, actions, or inactions cause legal liability for the school.
Cybersecurity incidents can have many legal implications, and a school’s actions both before and in response to a cybersecurity incident can affect the legal liability involved. Many legal scholars have predicted a dramatic increase in cybersecurity negligence actions, including lawsuits brought by individuals whose personal data has been compromised because of subpar data security measures.
This type of legal action is particularly likely to affect schools in states that afford public schools little or no tort claims immunity. In such claims, courts will be required to determine what constitutes a reasonable standard of care with regard to electronic data security, and they will measure a specific school’s practices against that standard. This type of analysis may not bode well for public schools, considering the lack of emphasis on network security in so many schools and the fact that most public schools do not have clearly delineated, legally defensible policies, procedures, or practices in place regarding cybersecurity.
The federal warnings regarding cybersecurity, phishing, and ransomware, such as those issued by the FBI, IRS, and Department of Education, also can be problematic for schools, since they can be used in standard-of-care analyses to establish that the risks posed by these types of attacks were known and publicized. To protect themselves, schools should be able to show the specific actions they have taken in response to such warnings, such as staff training, implementation of heightened data security controls, and the development of policies and procedures.
Legal compliance with statutory and regulatory requirements regarding student and employee data privacy always should be a primary concern. Schools need to work closely with their legal counsel to ensure that their digital security measures are in line with federal and state laws and nonregulatory guidance with regard to student and employee data privacy obligations.
While the federal student data privacy law, the Family Educational Rights and Privacy Act (FERPA), does not require public schools to adopt specific security controls, it does require the use of “reasonable methods” to safeguard student records. There is currently no definitive standard under FERPA regarding what that means in the context of safeguarding digital data.
However, the Department of Education’s Office of the Chief Privacy Officer, which is tasked with enforcing FERPA, has focused much of its recent guidance on electronic data security. Federal nonregulatory guidance, while not law, is important because it may be considered in determining what “reasonable” means regarding safeguarding digital data.
In addition, increasing numbers of states have laws or proposed legislation regulating the protection of digital data. There also are several federal and state laws that address privacy requirements for employee records. Since many employee records are maintained digitally, schools need to establish policies and practices that appropriately safeguard employee records consistent with the law.
Since cyberattacks almost always involve a data breach that would likely trigger state data breach laws, schools must ensure that they have appropriate data breach procedures in place. Schools need to have training, policies, and procedures that will ensure that they are able to quickly recognize what constitutes or may constitute a data breach and take the necessary steps to comply with applicable data breach laws.
There are many things that schools can do to ensure that their cybersecurity practices are legally defensible. School attorneys should be involved in all steps of the process, from the development of proactive procedures to the vetting of vendors and reviewing of vendor contracts, to advising responsive measures in the wake of a cybersecurity incident. These measures will help ensure legally defensible practices and will go a long way in minimizing or eliminating legal liability with regard to cybersecurity issues.
Erin D. Gilsbach is a school law attorney at Steckel & Stopp in Slatington, Pennsylvania, and the executive director of EdLaw Interactive, which provides school law training to educators and school leaders.