Data loss prevention regulations are ubiquitous for all K-12 school districts. While all districts have to comply with federal-level laws, such as FERPA and COPPA, many have additional state data security and privacy laws to consider.
January is data privacy month, culminating in Data Privacy Day on January 28, 2021. In support of data privacy, we want to look at what data privacy means for K-12 school districts and the variety of stakeholders they serve. This is particularly important due to the amount of data that districts collect and generate, and the data loss prevention regulations that govern K-12 schools.
Many district leaders think about data privacy in terms of how vendors and other third parties use student data, and that’s an important topic. However, it is a narrow view of what data privacy in K-12 schools entails. A more accurate definition of privacy includes a district’s responsibility for preventing data loss. A data loss incident in a school district would result in a widespread violation of their community’s right to data privacy.
Let’s start by answering the question, what is data loss prevention? It’s a strategy for ensuring that sensitive and protected information doesn’t leave your district’s network. Sensitive information includes anything that resides on your system that relates to financial data or information that shouldn’t be distributed to the public. Protected information includes things like personally identifiable information (PII) about students, employees, and a child’s parent or guardian.
A breach of your systems that affects sensitive data can make it more difficult for you to safeguard PII. For example, if a hacker gained access to a list of passwords, they could easily access personally identifiable information.
PII includes things such as social security numbers, student identification numbers, student records that can include data about a student’s health, grades, disciplinary actions, and more. The number of cybersecurity incidents in K-12 districts is increasing at an alarming rate, meaning that data loss prevention is a critical issue for protecting data privacy.
If your data systems experience a data breach, the data privacy of your stakeholders is compromised. This is the core reason why data loss prevention is so important for districts. It should always be a part of your cybersecurity framework, especially in light of the data loss prevention regulations that affect school districts.
We were recently asked if data loss prevention regulations are part of COPPA, FERPA, or CIPA, which are the three student data privacy laws that govern how schools handle data. The laws relate to data stored from students, employees, and guardians or parents of the children in the district. They also apply to managing financial data. Let’s take a look at these three regulations and what they mean in terms of data loss prevention for K-12 schools.
The Children’s Online Privacy Protection Act (COPPA) is focused on regulating online services, commercial websites, and mobile applications that collect data from children under 13 years of age. The Children’s Internet Protection Act (CIPA) was enacted by Congress to limit a child’s access to obscene or harmful content on the internet.
FERPA, the Family Educational Rights and Privacy Act, protects the privacy of student education records. While data loss prevention regulations are included in all three laws in some form, complying with FERPA is most closely related to the issue of data loss prevention.
As you probably know, FERPA was enacted in 1974 to protect student data privacy and it governs access to students’ PII. FERPA doesn’t specify the exact controls or technologies that districts must use. However, it does require you to use “reasonable methods” to protect student data from both accidental and malicious data breaches and/or loss.
Despite this requirement, hundreds of data incidents are reported by school districts each year. In 2019 alone, 60% of the incidents related to unauthorized disclosure of data due to a security breach. Not only are these incidents in violation of FERPA, but they also expose students to the problems of identity theft, fraud, extortion, and cyberbullying.
While data loss prevention isn’t specifically cited or required by FERPA, it is a strategy for ensuring that student data protected under FERPA is not exposed in a way that violates the law. If your district experiences a data incident that exposes student PII—and you haven’t put reasonable practices into place to prevent it such as a data loss prevention strategy—you will be in violation of FERPA.
As mentioned, FERPA doesn’t require districts to use data loss prevention tools, which leaves the decisions up to the school district as to how they will prevent the unauthorized exposure of sensitive or protected data.
That being said, data security solutions designed to help K-12 districts meet their unique FERPA and COPPA regulations are beneficial in a number of ways:
If your district doesn’t have data loss prevention software in place, it’s time to start thinking about how to secure student data wherever it is created, stored, accessed, and shared—and to take action. You’ll be helping protect your students’ data privacy and complying with the laws that govern data privacy in K-12 schools.