Are your Google Workspace and Microsoft 365 cloud apps CIPA compliant?
You’re familiar with The Children’s Internet Protection Act (CIPA). But, like many IT leaders and managers, you may think of CIPA compliance in terms of blocking content from external sources, meaning other websites. Today, hybrid learning CIPA compliance has an expanded definition.
Now, you need to think about whether internal school cloud technology that includes email, file sharing, and chat apps are CIPA compliant as well.
CIPA Compliance and District Cloud Apps
School districts have been moving to the cloud for nearly a decade. But, the COVID-19 pandemic has motivated districts to go to part remote and part in-classroom teaching models, known as hybrid learning. As a result, the move to the cloud is accelerating as districts prepare for hybrid learning in the coming school year.
If you access E-Rate funding, hybrid learning CIPA compliance requires your district to adopt and implement policies addressing:
- Minors accessing inappropriate content on the internet
- Safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications
- Restricting minors’ access to materials that could be harmful to them
For school districts using cloud apps like those provided by Google Workspace and Microsoft 365, these requirements absolutely cover communications and access to content on these school-provided applications.
It’s a very real problem. There are many documented cases of students sharing improper content, images, and videos via school Google Drives, and other cloud-based communication platforms. Students also often use Google Docs as “chat rooms” because content filtering doesn’t stop them, and most school districts don’t have the ability to monitor for these unauthorized chat rooms.
Historically, putting an internet-filtering appliance on the network has been the answer from a technology standpoint. Today, administrators need to understand how students’ increasing use of school technology affects their CIPA compliance standing.
Students use the internet to access school technology such as Google Workspace and Microsoft 365, which makes their use of those apps and the content shared within them subject to CIPA requirements. Traditional, network-based web content filters are unable to monitor behavior such as text and image content sharing within cloud applications.
Browser-level tools are available to plug the internet access monitoring gaps in hybrid learning. IT admins can install a filter on individual devices, typically using a Chrome extension. But how effective browser-level tools are depends on if your district has implemented a 1:1 vs. BYOD program—and to what degree your district has a bit of both going on, officially or not. For districts using the BYOD model, admins can’t reasonably install browser-level tools on all of the devices accessing the district’s systems.
This is no time to let Google chat safety and security or Google chat CIPA compliance slip through the cracks. District IT teams should be prioritizing controlling their own applications for explicit content, cyberbullying, and discrimination monitoring in both text and image content.
Hybrid Learning CIPA Compliance and Data Security
District IT teams often overlook data security when evaluating CIPA compliance because student safety issues overshadow it. But, there are more CIPA requirements for schools accessing E-Rate funding to implement policies addressing:
- Unauthorized access, including hacking, and other unlawful activities by minors online
- Unauthorized disclosure, use, and dissemination of any minor’s personal information
Web content filters—whether those filters are hosted on-prem, via extension, or in the cloud—just don’t cover these two areas. They merely block students from accessing websites that contain specific types of information. And the K-12 cybersecurity problem is getting worse.
Microsoft’s Global Threat Activity Tracker found that the education sector experienced 60% of the 8 million total malware encounters over the last 30 days. Hackers are specifically targeting school districts because they know that districts are even more vulnerable than ever. Why? Schools are easy targets because they still rely on outdated network security protections, including firewalls, at a time when most of their users are off the network and in the cloud.
Hybrid learning models are only going to make this security issue more complicated. In many cases, students and teachers will be leaving and returning to the network over and over again in the coming school year. This means that hybrid learning CIPA compliance requires a zero-trust security posture by district IT teams.
This posture includes the ability to control 3rd party apps, a need that has alarmed many district IT teams in the wake of spring’s remote learning migration.
Hybrid learning security and CIPA compliance require that you protect data when it is stored, accessed, and shared in district cloud applications. How will your district comply?
Most districts will see school back in session in just over a month. Those districts that are using this time to fortify their cloud application security, and cyber safety monitoring policies and tools, will be in the best position to protect students from both cyber safety risks and data security threats.