When COVID-19 emerged, school districts turned to technology to keep the doors of education open, giving students tablets, mobile apps, network access, and more. When they returned to in-person learning, they retained the benefits of their investment in technology-enabled learning.
But there’s another thing they held on to: higher cybersecurity risk. Every student’s device, connection, and log-on expands their cyberattack surface. Cybercriminals now have many potential avenues to access sensitive student data – including date of birth, Social Security number, medical and disability information, academic records, discipline history, and family financial status – stored in a school’s IT system.
For example, one in 43 children were affected by a data breach between July 2021 and July 2022, and one in 80 were the target of identity theft. Likewise, 29 percent of K-12 schools say they were victims of a cyber incident during the 2021-2022 school year. It’s no wonder cybersecurity is the No. 1 pain point for school systems.
Furthermore, the most at-risk students often live in districts with the least resources to safeguard their data. As a result, students in cities and counties with lower tax bases and greater potential for outcome disparities are less likely to have their privacy protected and more likely to have their personal identifiable information (PII) exposed.
Fortunately, there are actions your district can take to protect student data and close the equity gap in student data protection:
1. Assess Your Data Repositories
Start by understanding what information you have on file, where it’s stored, and how it’s shared. Student data is likely spread across your district, from the registrar’s office to the nurse’s office to teachers’ email inboxes. It might be housed on computer servers, laptops, and removable USB drives. It’s probably sent outside the district to parents, government organizations, and other parties.
A formal inventory of student data will give you the insights to establish policies for managing that data, implement appropriate protection practices, maintain regulatory compliance, and make sure safeguards follow the data wherever it goes.
2. Understand Privacy Regulations
Numerous laws set requirements for the protection of student data. Districts should understand their provisions and take the necessary steps to comply.
At the federal level, the Family Educational Rights and Privacy Act (FERPA) requires that schools protect the privacy of student education records. The Children’s Internet Protection Act (CIPA) requires that schools receiving discounts on Internet access through the FCC’s E-Rate Program protect against unauthorized disclosure of student data. The Protection of Pupil Rights Amendment (PPRA) restricts the disclosure of student personally identifiable information (PII) for marketing purposes by schools receiving funding from the Department of Education.
Dozens of states have also passed student privacy laws. For example, New York’s State Education Law Section 2-D requires schools to use cybersecurity best practices, such as data encryption, to protect student privacy. In Texas, Senate Bill 820 requires districts to designate a security coordinator and report any breach of student PII.
3. Think Beyond Traditional Network Security
Traditional cybersecurity practices place firewalls around the network perimeter. But in an era of cloud-based applications and virtual learning, the perimeter has atomized. Schools must now protect students’ PII at the data level, everywhere it’s stored and shared. That calls for encryption, which permits data to be read only by an authorized entity that holds a key to decipher it.
One challenge is that most encryption methods aren’t universal, so what works for one file format, like raw data, doesn’t work for another, like email. The solution is an open standard, called the Trusted Data Format (TDF), that uses a single approach to encrypt many data types. TDF was developed at the National Security Agency (NSA) and is used by many federal agencies and other organizations.
4. Choose Easy-to-Adopt, Affordable Technology
Cybersecurity protections should improve district operations, not hamper them. Selecting easy-to-use solutions will ensure that students, teachers, administrators, and parents can all benefit from cyber safeguards.
This ease of use is essential for collaborating with parents and the school district, as is the case for Individualized Education Plans (IEPs) that need to be shared with parents and guardians: They need to easily access the child’s information, but they also need to be confident that this highly sensitive and personal data is secure every step of the way.
An effective solution built on TDF will dovetail smoothly with the devices and software people already use. For instance, it should seamlessly apply encryption to files and emails in Google Workspace and Microsoft 365. A seamless adoption process allows stakeholders to store and share information quickly and securely, without being tempted to go around security measures.
Better yet, such an approach needn’t price out cash-strapped school systems. Using the Newfield Central School District as an example, they implemented a cost-effective encryption solution that protects student data both at rest and in transit. As a result, the District ensures comprehensive security and privacy for its students – and closes the equity gap in student data protection.
5. Advocate for Cybersecurity Funding
Districts have opportunities to advocate for federal and state funding for cybersecurity. The State and Local Cybersecurity Grant Program, for example, is distributing $1 billion to qualifying states over the next four years. States must disburse 80 percent of the allocations to local agencies, including school districts. Schools can use the funds to invest in cyber protections such as data encryption. District leaders should contact their state’s CIO to learn how they can benefit.
Cybercriminals will continue their exploits, and students will continue to be targets. But by investing in effective cybersecurity technologies and strategies, school districts can make tangible progress in safeguarding student information and closing the equity gap in student data protection.
The author, Mike Morper is SVP of Product at Virtru, a global data encryption and digital privacy provider.
