Student Data Security and Privacy Must Be Taken More Seriously

School districts continue to see value in using Google Workspace, Microsoft 365, video conferencing platforms, and other cloud apps even as remote learning restrictions have eased. However, as the use of these online solutions has increased, so have the student data privacy concerns.

Charlie Sander, CEO of ManagedMethods, works to shore up data security and privacy for K–12 students and schools.It’s no secret that school districts have been a popular target of cyberattacks. These cybersecurity incidents pose a threat to the privacy of the data stored by districts as more cyber criminals extract it for malicious use. Couple this with more activity by students and staff in the cloud, and you can see why data privacy in schools is threatened.

Data security and privacy are inseparable. With today kicking off Data Privacy Week, it’s a good time to take a step back and look at the efforts being made to ensure the privacy of our student’s data is being protected.

Government Efforts to Improve Data Privacy in Schools

Federal data security and privacy laws like FERPA, COPPA, CIPA, and others have provided a layer of protection. However, many agree that these regulations are outdated and do not offer enough to protect student data privacy and security in schools.

Given the increasing frequency of cybersecurity incidents in school districts, states are not waiting for Congress and are introducing their own laws to protect student data and privacy. According to Data Quality Campaign, 43 bills were signed into law in 22 states in 2020—with more being introduced.

Here is a short list of states and regulations I believe are leading the way:

  • Illinois’ Student Online Personal Protection Act: Effective July 1, 2021, school districts are now required by the Student Online Personal Protection Act to provide additional guarantees that student data is protected when collected by educational technology companies, and is used for beneficial purposes only.
  • Texas’ Senate Bill 820: Passed into law in 2019, SB 820 requires school districts to develop and maintain a cybersecurity framework that will:
    • Secure the district against cyberattacks and/or incidents
    • Establish a framework that meets the standards set by the Department of Information Resources
    • Establish a risk assessment and mitigation plan
    • Assign a Cybersecurity Coordinator to serve as the liaison between the school district and the DIR
    • Report any cyberattack or incident as soon as possible to the DIR
  • New York’s State Education Law 2-d: Introduced in January 2020, the regulations guide schools and their third-party vendors to strengthen data privacy and security. Education Law 2-d outlines the minimum requirement necessary to ensure the confidentiality, integrity, and availability of State Education Department Information Technology assets and data.
  • California’s Student Online Personal Information Protection Act: Since taking effect in January 2016, the Student Online Personal Information Protection Act prohibits operators from sharing student data and using it for targeted advertising on students for a non-educational purpose. It also requires operators to delete a student’s information at the request of the school or district.

Federal Approach to Protecting Student Data?

Momentum is beginning to pick up at the federal level, most recently with the K-12 Cybersecurity Act being signed into law in October 2021. This law requires the Cybersecurity and Infrastructure Agency to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools.

The study must evaluate the challenges schools face in securing information systems they own, lease, or rely on. It will also evaluate the challenges in securing sensitive student and employee records. Upon completion of the study, CISA will develop an online training toolkit designed for school officials and make the study’s findings, the cybersecurity guidelines, and the toolkit available on the Department of Homeland Security website.

It is important to note that the use of CISA’s recommendations is voluntary by school districts, which raises the question: Are district administrators taking data security in their school district’s seriously?

The State of Data Privacy and Security in Schools

If the proper cybersecurity measures are not put in place by school districts, then the information of students stored is vulnerable to a breach. The bills and laws are being brought forth by state and federal government, but is it leading to action by district administrators?

According to a report from ManagedMethods and EdWeek Research Center, this may not be the case. Of the hundreds of district administrators surveyed, 77% said they were not very concerned with data breaches or leaks. In regards to complying with government regulations, 79% reported not being very concerned and 43% said they either do not monitor for potential regulatory violations or do not know if they do.

The pandemic sparked a massive change in the way education is delivered. For district administrators, it has created a new and everchanging challenge to ensure learning environments are secure and student privacy is protected. The survey by EdWeek Research Center suggests administrators may be under-informed about what steps must be taken to protect what is created, shared, and stored in the cloud.

There is no data privacy without data security. Federal and state governments are becoming more involved in creating guidelines for privacy policies and cybersecurity practices. It’s time for district administrators to get more serious and take action to protect the privacy of our students.

Featured

  • Businessman using laptop analyzing data and growth graph chart

    Report: AI Budgets in Education Show No Sign of Decline

    The vast majority of education organizations (98%) expect their AI infrastructure budgets to either increase or hold steady over the next year, according to a report from cloud storage provider Wasabi.

  • Wi-Fi icon on dark blue circuit background

    FCC to Conduct 'Top-to-Bottom' Review of E-Rate Program

    The FCC is laying the groundwork for a comprehensive review of its E-Rate program, the federal initiative that provides K–12 schools and public libraries with discounts on internet, WiFi, and telecommunications services to ensure equitable digital access.

  • interconnected nodes with currency symbols

    Report: Half of Gen AI Projects Could Exceed Budget by 2028

    Organizations may be underestimating the cost of generative AI as they move from experimentation to production, according to Gartner's "10 Best Practices for Optimizing Generative and Agentic AI Costs" report.

  • abstract data flow

    Google Announces New Gemini Enterprise Agent Platform

    Google Cloud has introduced a new platform for building and managing enterprise AI agents, as the company seeks to turn its Gemini models and Vertex AI tooling into a broader system for automating business workflows.