Expert Viewpoint: Data Privacy Week

Student Data Security and Privacy Must Be Taken More Seriously

• By Charlie Sander
• 01/24/22

School districts continue to see value in using Google Workspace, Microsoft 365, video conferencing platforms, and other cloud apps even as remote learning restrictions have eased. However, as the use of these online solutions has increased, so have the student data privacy concerns.

It’s no secret that school districts have been a popular target of cyberattacks. These cybersecurity incidents pose a threat to the privacy of the data stored by districts as more cyber criminals extract it for malicious use. Couple this with more activity by students and staff in the cloud, and you can see why data privacy in schools is threatened.

Data security and privacy are inseparable. With today kicking off Data Privacy Week, it’s a good time to take a step back and look at the efforts being made to ensure the privacy of our student’s data is being protected.

Government Efforts to Improve Data Privacy in Schools

Federal data security and privacy laws like FERPA, COPPA, CIPA, and others have provided a layer of protection. However, many agree that these regulations are outdated and do not offer enough to protect student data privacy and security in schools.

Given the increasing frequency of cybersecurity incidents in school districts, states are not waiting for Congress and are introducing their own laws to protect student data and privacy. According to Data Quality Campaign, 43 bills were signed into law in 22 states in 2020—with more being introduced.

Here is a short list of states and regulations I believe are leading the way:

• Illinois’ Student Online Personal Protection Act: Effective July 1, 2021, school districts are now required by the Student Online Personal Protection Act to provide additional guarantees that student data is protected when collected by educational technology companies, and is used for beneficial purposes only.
• Texas’ Senate Bill 820: Passed into law in 2019, SB 820 requires school districts to develop and maintain a cybersecurity framework that will:
  • Secure the district against cyberattacks and/or incidents
  • Establish a framework that meets the standards set by the Department of Information Resources
  • Establish a risk assessment and mitigation plan
  • Assign a Cybersecurity Coordinator to serve as the liaison between the school district and the DIR
  • Report any cyberattack or incident as soon as possible to the DIR
• New York’s State Education Law 2-d: Introduced in January 2020, the regulations guide schools and their third-party vendors to strengthen data privacy and security. Education Law 2-d outlines the minimum requirement necessary to ensure the confidentiality, integrity, and availability of State Education Department Information Technology assets and data.
• California’s Student Online Personal Information Protection Act: Since taking effect in January 2016, the Student Online Personal Information Protection Act prohibits operators from sharing student data and using it for targeted advertising on students for a non-educational purpose. It also requires operators to delete a student’s information at the request of the school or district.

Federal Approach to Protecting Student Data?

Momentum is beginning to pick up at the federal level, most recently with the K-12 Cybersecurity Act being signed into law in October 2021. This law requires the Cybersecurity and Infrastructure Agency to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools.

The study must evaluate the challenges schools face in securing information systems they own, lease, or rely on. It will also evaluate the challenges in securing sensitive student and employee records. Upon completion of the study, CISA will develop an online training toolkit designed for school officials and make the study’s findings, the cybersecurity guidelines, and the toolkit available on the Department of Homeland Security website.

It is important to note that the use of CISA’s recommendations is voluntary by school districts, which raises the question: Are district administrators taking data security in their school district’s seriously?

The State of Data Privacy and Security in Schools

If the proper cybersecurity measures are not put in place by school districts, then the information of students stored is vulnerable to a breach. The bills and laws are being brought forth by state and federal government, but is it leading to action by district administrators?

According to a report from ManagedMethods and EdWeek Research Center, this may not be the case. Of the hundreds of district administrators surveyed, 77% said they were not very concerned with data breaches or leaks. In regards to complying with government regulations, 79% reported not being very concerned and 43% said they either do not monitor for potential regulatory violations or do not know if they do.

The pandemic sparked a massive change in the way education is delivered. For district administrators, it has created a new and everchanging challenge to ensure learning environments are secure and student privacy is protected. The survey by EdWeek Research Center suggests administrators may be under-informed about what steps must be taken to protect what is created, shared, and stored in the cloud.

There is no data privacy without data security. Federal and state governments are becoming more involved in creating guidelines for privacy policies and cybersecurity practices. It’s time for district administrators to get more serious and take action to protect the privacy of our students.