Why student data privacy hacks can have long-term effects on students and their families
Every school district is required to comply with student data privacy and online safety regulations from the Federal government and the state where the district is located. However, even if there were no regulations governing student data privacy, you would still need to protect your students’ data because you are responsible for protecting your students’ health and wellbeing. Poor cybersecurity infrastructure that leads to data breaches make it impossible for you to meet that responsibility.
In general, the term student data focuses on Personally Identifiable Information (PII), which in the K-12 environment, is more than just a name and address. To be clear, your responsibility to protect student data privacy includes:
- How you collect, use, and manage students’ PII
- How you govern the use of students’ PII
- Protecting all information that could be used to identify, find, or connect with a student, including name, address, student ID, demographics, birth date, and login credentials
- Protecting academic, health, and disciplinary records
- Protecting information that could be merged to identify a specific student
Compliance is One Reason Why Student Data Privacy is Important
Regulatory compliance is critical. Not only for your students, but also for your district. If you don’t comply, your school district will face penalties that can have a long-term negative effect. The Federal government and the states are very concerned about student data privacy, as evidenced by the list of regulations that you must address.
Federal Government Regulations
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Children’s Online Privacy Protection Act (COPPA)
States differ in their approaches, but they’re all looking at the issue of student data privacy and trying to achieve some common goals. They want to:
- put additional safeguards in place governing how schools manage PII
- identify and control the activities that online service providers may perform
- ensure that service providers and school districts can’t sell or profit from PII
- expand the regulatory definitions of PII
Between 2013 and 2016, 49 states introduced 400 bills on the topic. For example, the state of Texas enacted Senate Bill 820 in 2019. Among other things, that bill requires that each school superintendent appoint a cybersecurity coordinator who must report to a state agency concerning a successful or attempted cyberattack.
The state of New York mandates the naming of a Chief Privacy Officer. Nevada has legislation prohibiting school service providers from displaying targeted advertising. The compliance landscape is getting more complex all the time.
Student Data Privacy and Child Health and Wellbeing
It’s critical to keep in mind that protecting a student’s data also has a lot to do with protecting their health and wellbeing. Children are among the most vulnerable to a hacker’s schemes.
Student Data Privacy and Child Safety
Part of keeping children safe is making sure that threats don’t come from their participation on the internet at school. Bad things can happen when hackers obtain private student data. In 2017, a group known as Dark Overlord took credit for releasing student information from a school district in Iowa. Parents and children also received threats to harm students.
The FBI has a section called Crimes Against Children/Online Predators that addresses cyberbullying and activity on social networking sites. What would be more tempting to a child than hearing from someone who seemed to know all about them?
Student Data Privacy and Financial Security
Undoubtedly, access to student data is one of the reasons why school districts are so attractive to hackers. With the right information, a hacker can take advantage of students’ untarnished credit reports to start a booming identity theft operation. Cybercriminals who are active on the black market often pay up to $350 for a student record.
Students need to be aware of the problem and learn how to protect their data. But, when cybercriminals go after their data through their school, it becomes the school district’s responsibility to block that avenue of attack.
Student Data Privacy and Ethics
Is it ethical for anyone to collect a student’s PII in the K-12 environment? Certainly, school districts need some PII information to administer their schools. However, companies who specialize in data collection can now begin to build profiles on children at a young age.
Just imagine how long it would take to get the records corrected when a cybercriminal steals a child’s identity. And, in fact, that type of correction isn’t always successful. The demolished credit history will follow that child into adulthood.
The issue of protecting a student’s data privacy is so much more important than just allowing a school district to comply with regulations. Poor data security can have a huge impact on each student’s life.
Parents can only do so much to help their children. If someone steals their child’s information from the school, the parent is helpless. It’s the responsibility of each school district to prevent the unauthorized distribution of student PII. Sadly, schools aren’t doing a good job of meeting that responsibility.