Seeking Counsel: Data Threats

Protect your student and employee data from cyberattacks

Séamus Boyce

Daily, your school employees deal with data from administrators, teachers, students, and staff, much of it sensitive and private: Social Security numbers, medical information, employee and student records, banking information, electronic prescriptions, and more.

Unfortunately, with the increase in electronic data comes the rising threat of cyberattacks and hacks. In recent years, powerful and well-defended institutions like J.P. Morgan, eBay, Anthem, and Dow Jones have all had electronic data stolen. Educational institutions have not been immune either. Not surprisingly, these security breaches have sparked substantial litigation.

For example, in Boucher v. School Board, a school had to go to federal court to uphold the decision to expel a student for teaching peers how to hack into the school’s mainframe and access the most sensitive files.

In another instance, M.T. v. Central York School District, a student helped a peer decrypt protected school files to make fake identification cards. The school promptly expelled the student, but the expulsion was overturned by a court because the court determined that the school acted arbitrarily by failing to articulate any such specific cyber-policy or response in its school policies.

In the face of these and other data security threats, both internal and external, what should school districts and their data holders do when they face similar situations? In this article, we will look at what protections already exist for school and student data, how school districts might choose to address their own potential data weaknesses, and how school leaders might respond when a similar threat or breach occurs.


Presently, there are some protections relating to school data at the federal level. For example, the Family Educational Rights and Privacy Act (FERPA) prohibits the disclosure of personally identifiable information contained in students’ educational records without parental consent.

Under FERPA, identifiable information includes things like names, addresses, student ID numbers, and “other information that, alone or in combination, is linked or linkable to a specific student” that would allow someone in the school community “to identify the student with reasonable certainty.” FERPA stipulates a school’s obligations after breaches and sometimes requires disclosure of breaches to specific parties.

Another protection is known as the Computer Fraud and Abuse Act. This is the primary federal law prohibiting unauthorized access to computers. It specifically applies to “protected computers” and lists seven categories of prohibited acts.

Other protections exist, as well. The Protection of Pupil Rights Amendment calls for schools to consult with parents on the collection/disclosure of student data for the purpose of marketing/selling the information. An exception is when the data is disclosed for the exclusive purpose of providing students and/or institutions with educational products, services, and evaluations.

The Children’s Online Privacy Protection Act (COPPA) is a set of regulations under the Federal Trade Commission meant to give parents control of what data is collected from their children. COPPA does this by mandating specific requirements for operators of commercial websites for children under the age of 13. The Identity Theft and Assumption Deterrence Act of 1998 forbids “aggravated identity theft” and, just like the Identity Theft Enhancement Act of 2004, increases criminal penalties for violators.

The Fair Credit Reporting Act has prompted the creation of regulations that require the proper disposal of consumer information and address how to identify red flags indicating risk. Additionally, the Truth in Lending Act and the Electronic Fund Transfer Act both limit liability related to unauthorized use of electronic funds. The Electronic Communications Privacy Act authorizes civil and criminal actions relating to unauthorized access to electronic communications. Finally, the Federal Privacy Act governs the disclosure of Social Security numbers; schools can be liable for mishandling student Social Security numbers.


Many of the above-mentioned statutes can be vague about where ultimate liability should lie. Many data hacks do not occur directly on mainframes but stem from hacks at electronic storage vendors. As such, contracts with outside vendors are pivotal in protecting schools from unnecessary exposure to liability.

Effective provisions for any contract include: (1) expressly prohibiting redisclosure of student data, (2) restricting the use of student data to the purposes for which it is provided, (3) stating that the data remains the property of the school and must be returned and copies destroyed when the agreement ends, (4) requiring that the school be notified of any data breach or loss, (5) requesting indemnification for any litigation as a result of a data breach, and (6) requiring commercially reasonable security measures when handling school/student data.


Outside of having an appropriate contract with data services or insurance providers, there are several other things that you should consider to prepare for a cybersecurity threat. For instance, it is wise to have a plan for steps to take if a hack occurs. Contacting parents, securing services to mend the breach, and practicing the implementation of related procedures can all save much-needed time following a hack.

Moreover, the U.S. Department of Education, via its Privacy Technical Assistance Center, has issued a training exercise specifically simulating a school breach, which could be a valuable resource for districts to test their own processes. The exercise can be found at

Increasing employee awareness is another important step school leaders can take. Ensuring that employees, both teachers and administrators, understand basic data security can significantly reduce a potential threat. Common issues to discuss with employees include proper password maintenance, identifying suspect internet use, and the process for efficiently reporting potential breaches.

It is also important for administrators to brainstorm processes regarding any breaches from staff or students, in order to both discourage such attempts and to legitimize future school actions in line with these processes.

Furthermore, firewalls and anti-virus software can be powerful sentries and can catch more subtle intrusions. Lastly, schools should consider their insurance coverage and whether or not it covers the school for a catastrophic breach. Insurance carriers may not include data breaches under general liability coverage, so schools may need to purchase an additional policy rider.


How should your district respond if you have been hacked or breached? The first priority should be to stop any ongoing breach and to secure all systems. Next, all systems suspected of being affected should be investigated and law enforcement should be contacted if criminal involvement is suspected.

It is important to check with legal counsel to determine whether or not the school has any federal, state, or local obligations to report the incident. You also should inform your insurance carrier and file a claim, if appropriate.

Furthermore, if the breach represents an ongoing threat to an individual’s security, you may consider offering credit monitoring and identity theft protection to mitigate any outstanding risk. Once the situation has cooled, you should debrief on the incident. You can and should develop new processes or modify existing ones in order to better prepare for or avoid such incidents in the future.

While schools cannot always completely protect themselves from cyber-threats, they can take effective steps to be prepared and have in place processes to handle any situation which arises.

Séamus Boyce is a partner with Church Church Hittle + Antrim. Indiana University McKinney School of Law student Tyler Jones contributed to this article.
