FBI Highlights Security Risks for Student Data: What Parents, Schools, and Policymakers Need to Know

The Federal Bureau of Investigation (FBI) released a Public Service Announcement (PSA) today that encourages public awareness of cyber threat concerns related to K-12 students. The Future of Privacy Forum (FPF) applauds the FBI’s attention to student privacy and wholeheartedly agrees that parents, schools, and policymakers should be aware of student privacy and security issues that affect the safety of children’s information. However, the PSA does not address a crucial challenge: as we wrote last fall, “while other industries are investing in greater IT security to protect against cyber threats, many schools are facing budget constraints that result in declining resources for IT security programs.”

Schools across the country lack funding to provide and maintain adequate security.  Sophisticated corporations employ Chief Information Security Officers and routinely bifurcate responsibility for cybersecurity and IT support, allowing security professional to mitigate threats and IT staff to troubleshoot users’ everyday tech support needs.  Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate – combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013. Now that the FBI has focused  attention on these concerns, policymakers must step up and fund impactful security programs.

The PSA recommends that stakeholders get “involved with organizations that can provide support and resources for navigating the integration of technology and cybersecurity into schools.” Fortunately, there is a wealth of publicly available resources to help concerned members of the public, parents, schools, policymakers, and other stakeholders.

The good news is that there is a wealth of publicly available resources to help concerned members of the public, parents, schools, policymakers, and more.

Most student data disclosures are caused by human error, like clicking a false attachment in an email or using a weak password. These errors often happen at the local level; however, few districts have the funding or resources to train staff to protect student data.

More and more, there are resources popping up to help: FPF’s student data privacy website, FERPA|Sherpa, links to more than 450 resources, including models from districts, training materials, and information on student privacy from experts at the Department of Education’s Privacy Technical Assistance Center (PTAC), CoSN, the Council of School Attorneys (COSA), the Student Data Privacy Consortium (SDPC), and the Software and Information Industry Association (SIIA).

Guides such as FPF’s seven security questions to ask are a good place to start when evaluating the security of ed tech products. Parents can also check out FPF’s recent guide for questions parents should ask schools about how they protect student data. We also created guides with ConnectSafely and the National PTA on student data privacy issues for parents and educators.

States, districts, and companies are stepping up to protect student data.

Very few states, Utah being the notable exception, have funded student privacy work. However, many states and districts throughout the country have stepped up, becoming student privacy superheroes and doing an exceptional job working with limited resources to protect student privacy.

Utah’s State Board of Education has, in addition to other initiatives, provides training to local leaders and teachers about what they can do to protect their students’ information. Funding training is invaluable because it directly addresses the most common cause of data breaches – human error.

Raytown Quality Schools in Missouri, one of the first districts in the nation to earn the Consortium for School Networking’s Trusted Learning Environment Seal, has made student data privacy and data governance a priority, which includes working collaboratively with other state and district leaders and considering data privacy in every aspect of its decision making. Howard County Public Schools in Maryland maintains one of the most thorough student data policies in the nation and is a great example of a district taking proactive steps to address student data privacy concerns in its ed tech contracting.

In an effort to both protect student privacy and ease the burden of complying with state student privacy laws, the Student Data Privacy Consortium, founded by districts and now in seventeen states, has had hundreds of companies sign model contracts such as the California Student Data Privacy Agreement.

Ed tech companies are also stepping up; there are almost 350 companies as signatories to the Student Privacy Pledge, a FTC-enforceable code of conduct for ed tech vendors, and there are numerous examples of companies building privacy into their business model. For example, Clever has implemented an annual audit of their privacy policy to ensure compliance with all new developments in state and federal privacy law. LearnPlatform has partnered with states like Connecticut and Utah to ensure that parents, teachers, administrators, and students know which products and tools fully comply with state and federal student privacy laws. CatchOn allows districts to monitor their networks to see traffic from apps and websites that are being used on every district-owned device, so districts can make educated decisions about which apps to use or forbid – all without ever seeing any student data.

More needs to be done – and everyone can help.  

More needs to be done in order to fully protect student data. Basic training in security is a great first step – there are steps recommended by the Department of Homeland Security and resources available from the FTC. Districts can use some of the resources described above to mitigate accidental data sharing and build up good cyber hygiene. Policymakers can authorize funding for security and training programs or incentivise districts and companies to do the same. Parents can help protect their kids by speaking to them about being safe online, asking questions about the privacy and security protections in their child’s school, and getting involved with their district and state representatives to work for more effective security in schools.

Cyber attacks directed at student data justifiably cause a lot of concern, but parents, educators, ed tech companies, policymakers, and administrators are already coming together to find solutions that keep students’ data safe. With enough resources, training, and support, schools can have the tools they need to safely use cutting edge technology to do what they do best – teach students.

Image: “Security in the dictionary” by Blue Coat Photos  is licensed under CC BY-SA 2.0.