Student Data Security and Privacy Must Be Taken More Seriously

  • By Charlie Sander
  • 01/24/22

School districts continue to see value in using Google Workspace, Microsoft 365, video conferencing platforms, and other cloud apps even as remote learning restrictions have eased. However, as the use of these online solutions has increased, so have the student data privacy concerns.

Charlie Sander, CEO of ManagedMethods, works to shore up data security and privacy for K–12 students and schools.It’s no secret that school districts have been a popular target of cyberattacks. These cybersecurity incidents pose a threat to the privacy of the data stored by districts as more cyber criminals extract it for malicious use. Couple this with more activity by students and staff in the cloud, and you can see why data privacy in schools is threatened.

Data security and privacy are inseparable. With today kicking off Data Privacy Week, it’s a good time to take a step back and look at the efforts being made to ensure the privacy of our student’s data is being protected.

Government Efforts to Improve Data Privacy in Schools

Federal data security and privacy laws like FERPA, COPPA, CIPA, and others have provided a layer of protection. However, many agree that these regulations are outdated and do not offer enough to protect student data privacy and security in schools.

Given the increasing frequency of cybersecurity incidents in school districts, states are not waiting for Congress and are introducing their own laws to protect student data and privacy. According to Data Quality Campaign, 43 bills were signed into law in 22 states in 2020—with more being introduced.

Here is a short list of states and regulations I believe are leading the way:

  • Illinois’ Student Online Personal Protection Act: Effective July 1, 2021, school districts are now required by the Student Online Personal Protection Act to provide additional guarantees that student data is protected when collected by educational technology companies, and is used for beneficial purposes only.
  • Texas’ Senate Bill 820: Passed into law in 2019, SB 820 requires school districts to develop and maintain a cybersecurity framework that will:
    • Secure the district against cyberattacks and/or incidents
    • Establish a framework that meets the standards set by the Department of Information Resources
    • Establish a risk assessment and mitigation plan
    • Assign a Cybersecurity Coordinator to serve as the liaison between the school district and the DIR
    • Report any cyberattack or incident as soon as possible to the DIR
  • New York’s State Education Law 2-d: Introduced in January 2020, the regulations guide schools and their third-party vendors to strengthen data privacy and security. Education Law 2-d outlines the minimum requirement necessary to ensure the confidentiality, integrity, and availability of State Education Department Information Technology assets and data.
  • California’s Student Online Personal Information Protection Act: Since taking effect in January 2016, the Student Online Personal Information Protection Act prohibits operators from sharing student data and using it for targeted advertising on students for a non-educational purpose. It also requires operators to delete a student’s information at the request of the school or district.

Federal Approach to Protecting Student Data?

Momentum is beginning to pick up at the federal level, most recently with the K-12 Cybersecurity Act being signed into law in October 2021. This law requires the Cybersecurity and Infrastructure Agency to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools.

The study must evaluate the challenges schools face in securing information systems they own, lease, or rely on. It will also evaluate the challenges in securing sensitive student and employee records. Upon completion of the study, CISA will develop an online training toolkit designed for school officials and make the study’s findings, the cybersecurity guidelines, and the toolkit available on the Department of Homeland Security website.

It is important to note that the use of CISA’s recommendations is voluntary by school districts, which raises the question: Are district administrators taking data security in their school district’s seriously?

The State of Data Privacy and Security in Schools

If the proper cybersecurity measures are not put in place by school districts, then the information of students stored is vulnerable to a breach. The bills and laws are being brought forth by state and federal government, but is it leading to action by district administrators?

According to a report from ManagedMethods and EdWeek Research Center, this may not be the case. Of the hundreds of district administrators surveyed, 77% said they were not very concerned with data breaches or leaks. In regards to complying with government regulations, 79% reported not being very concerned and 43% said they either do not monitor for potential regulatory violations or do not know if they do.

The pandemic sparked a massive change in the way education is delivered. For district administrators, it has created a new and everchanging challenge to ensure learning environments are secure and student privacy is protected. The survey by EdWeek Research Center suggests administrators may be under-informed about what steps must be taken to protect what is created, shared, and stored in the cloud.

There is no data privacy without data security. Federal and state governments are becoming more involved in creating guidelines for privacy policies and cybersecurity practices. It’s time for district administrators to get more serious and take action to protect the privacy of our students.

Featured

  • Abstract AI circuit board pattern

    Nonprofit LawZero to Work Toward Safer, Truthful AI

    Turing Award-winning AI researcher Yoshua Bengio has launched LawZero, a nonprofit aimed at developing AI systems that prioritize safety and truthfulness over autonomy.

  • abstract pattern of cybersecurity, ai and cloud imagery

    Report Identifies Malicious Use of AI in Cloud-Based Cyber Threats

    A recent report from OpenAI identifies the misuse of artificial intelligence in cybercrime, social engineering, and influence operations, particularly those targeting or operating through cloud infrastructure. In "Disrupting Malicious Uses of AI: June 2025," the company outlines how threat actors are weaponizing large language models for malicious ends — and how OpenAI is pushing back.

  • tutor and student working together at a laptop

    You've Paid for Tutoring. Here's How to Make Sure It Works.

    As districts and states nationwide invest in tutoring, it remains one of the best tools in our educational toolkit, yielding positive impacts on student learning at scale. But to maximize return on investment, both financially and academically, we must focus on improving implementation.

  • red brick school building with a large yellow "AI" sign above its main entrance

    New National Academy for AI Instruction to Provide Free AI Training for Educators

    In an effort to "transform how artificial intelligence is taught and integrated into classrooms across the United States," the American Federation of Teachers (AFT), in partnership with Microsoft, OpenAI, Anthropic, and the United Federation of Teachers, is launching the National Academy for AI Instruction, a $23 million initiative that will provide access to free AI training and curriculum for all AFT members, beginning with K-12 educators.