With Data Privacy Week nearing its end, hopefully school data privacy risks are high on your radar right now. Many districts think about data privacy in terms of student data privacy. But that doesn’t paint the full picture. Schools collect and store a ton of sensitive data. You’re also probably sharing a lot of that data with 3rd parties, whether it be for required reporting, research, education, or operational purposes.
Let’s take a look at the different types of data privacy risks your school is likely facing. I’ll also try to provide some tips and/or resources to help you prevent (or at least mitigate) them.
It should come as no surprise to you that your district collects and stores A LOT of data. Employee data, financial data, performance data, parent/guardian data and, of course, student data.
The types of student data that are stored in a typical school district include:
One of the main concerns among parents/guardians, students, policymakers, and administrators is how vendors are using data they gain access to when the school becomes a customer.
The type and sensitivity of the data collected varies wildly depending on the vendor and the services they provide. Today, in many cases, vendors come in the form of cloud-based SaaS applications that connect directly into your information systems.
Many states are passing student data privacy laws that limit what these EdTech apps can collect, how the data can be used, and how long the data can be retained. In many cases, state student data privacy laws are requiring that data can only be used for educational purposes.
Misuse can include purposes such as the vendor using the data for advertising purposes, whether it’s to advertise to students or their parents or even school staff. Data can also be packaged and sold or rented to other parties. This used to be a popular way for some companies to access new revenue streams, though it has largely fallen out of popularity today.
Preventing Vendor Misuse Data Privacy Risks
The main way you can prevent your data from being misused by vendors is to make sure you carefully read their terms of service and privacy policy. Some states, such as Illinois and North Carolina, require that all vendors accessing their data systems sign an agreement specific to their regulations. If you’re working with a vendor that is particularly resistant to doing this, it may be a red flag that they don’t have great data governance policies.
Free Resources:
Recently, there has been quite a bit of concern from parents/guardians and students regarding the pervasive use of student surveillance technology. While the majority of parents, teachers, and even students believe the benefits outweigh the risks, their concerns are not entirely unwarranted.
Recent research by the Center for Democracy & Technology found that low-income and minority students were more likely to be subjected to surveillance technology than their peers. Pairing that with other reports that minority students are more often subjected to harsher punishments that lead to lower learning outcomes, you can start to see why there are concerns. Further, there have been some reports of LGBTQ+ students being outed to parents without their knowledge because of these systems.
Preventing Vendor Misuse Data Privacy Risks
ManagedMethods does provide student cyber safety monitoring as part of our cloud safety & security platform. We’ve seen first-hand that school resources are often unprepared for what to do with the information provided when a risk is flagged.
Most experts agree that, in order to strike the right balance, schools need to create policies and processes around the use of student cyber safety incident reporting and be better about communicating its use with students and parents/guardians.
As the cliché goes, you’re only as secure as your weakest link. As you’re adding dozens of different technologies into your various data systems, you start to lose sight of where your weak links are. You have to put a lot of trust into your vendors that they are developing and maintaining a secure infrastructure.
This is because hackers can use legitimate SaaS applications to access your system. OAuth risks are a common example of how this can work. Using OAuth can create EdTech security risks once an app is granted access permissions, such as writing and sending emails, viewing contacts, and admin permissions. If a SaaS application is granted these types of permissions and then is compromised, it can be used to send phishing emails, install malware, exfiltrate sensitive data, and more.
Preventing EdTech App Security Data Privacy Risks
As mentioned earlier in this post, several state student data privacy laws are aiming to regulate how school technology can use student data. Though most of these laws focus on protecting student data from vendor misuse, they often have the unintended effect of also helping with EdTech data security. This is because they’re forcing schools to be more intentional about the apps that are allowed to connect with their data systems.
Whether you’re legally required to or not, a fantastic prevention method for EdTech school data privacy risks is to enact policies around what apps can and can’t be use, how new apps and/or vendors are vetted, and the process that teachers, staff, and students need to follow to request reviews of new technology.
Free Resources:
There are differences between a data leak v data loss. Most often, though not always, a data leak is the result of an accident by a student or staff member who has authorized access to that information.
Data leaks are probably the biggest concern of all the school data privacy risks simply because they’re so prevalent. In fact, the U.S. Government Accountability Office (GAO) recently analyzed K-12 cyber incident data reported by the K-12 Cybersecurity Resource Center. It found that:
Also sometimes referred to as “insider DLP risk”, preventing data leaks and loss is critically important to mitigating your schools’ data privacy risks. Doing so can be relatively simple, at least in comparison with some of the other school data privacy risks we’re discussing here.
Preventing Insider Data Leak Risks
Most insider data leaks can often be remediated automatically using policies set up in your security system. Your Google Workspace and/or Microsoft 365 admin tools allow you some pretty great controls natively. Often, it’s proper configuration that’s half the battle. The other half, of course, is educating your users on the importance of data privacy and security and why they need to protect it.
Free Resources:
Yes, cybersecurity and data privacy are inextricably linked. Data breaches and student data privacy problems persist in K-12 schools because your cybersecurity is largely understaffed and underfunded. Frankly, it’s been a problem for years, but the rash of school ransomware attacks in 2021 finally caught the attention of broader society.
Data breaches, phishing campaigns, ransomware attacks, and account takeovers can all put school data privacy at risk. If criminals have access to your data, they will use it in any way they can to turn a profit. In recent cases, that has meant ransom payments, selling personally identifiable information on the dark web, tax return fraud, diverting district wire payments from vendors, and more.
Preventing School Cybercrime Data Privacy Risks
If someone out there has the short answer to preventing cybercrime, they sure aren’t sharing it. Experts agree that zero trust cybersecurity and defense-in-depth are the baseline to any cybersecurity strategy. Layer that with on-going cybersecurity training for staff and faculty. Most schools are also incorporating cybersecurity and safety training into their curriculum for students. This has the double benefit of helping to protect schools and students, but also laying the groundwork for the next generations of cybersecurity professionals.
Free Resources:
Cybersafety and student data privacy are critical to every district’s mission to provide a safe learning environment where students can thrive. You can be your district’s data privacy hero by addressing these school data privacy risks and creating an online learning and working space that is protected from both intentional and accidental data exposure.