Daily news headlines chronicle the constant threat of data breaches targeting the nation’s K–12 schools. More than 670 schools have been targets of cyberattacks since 2016, according to the K–12 Cybersecurity Resource Center. One reason for the frequency of those attacks, data privacy pro Amelia Vance says, is they’re easy targets.
In response to schools’ data privacy woes, legislators in over 40 states have passed more than 120 student privacy laws since 2013. But, Vance says, “it’s all about the humans.”
“You can pass all the laws you want, but this is all about how you implement laws.”
Vance is the director of education privacy at the Future of Privacy Forum, a key resource for school officials on data privacy laws and best practices.
She talked with EdTech: Focus on K–12 Managing Editor Marquita Brown about data privacy in schools, what school IT directors and administrators need to know about it, and how some school districts are successfully responding to or preventing cyberthreats.
SUBSCRIBE: Become an insider and get access to exclusive whitepapers, videos and articles on the latest in education technology.
EDTECH: What is one key thing educators should know about data security and what they should do to protect student information?
VANCE: I can’t emphasize data minimization enough, and there are a few aspects to that. You don’t have security breaches of data you don’t have.
One key step you can take at the beginning of any data collection project is simply to ask, “Do I need to collect that?” With a lot of apps, you can just sign up with a name and an email. They don’t need to know your favorite color, or what your ZIP code is. It’s very important to keep that in mind as schools continue to look at cybersecurity.
Because data storage is cheap and you don’t run out of space the way you used to run out of space in the filing cabinet, people just haven’t gone through a spring cleaning process. Thinking about that and how you build that in can be really critical in making sure that that data is never breached.
EDTECH: How can smaller districts prevent attacks, especially if they lack a security staff?
VANCE: The main thing is focusing on human error. So many issues occur entirely because of human error — from including the wrong attachment to clicking on a phishing email — but it also means that people can target those they think have administrative access. The more that districts focus on human error, the more they can mitigate these things.
Any steps are good steps. If schools improve even a little bit, that can help protect them from some of the attacks that will occur. This is a mitigation game, not an elimination game.
Districts should also engage with local CoSN or ISTE chapters because there’s strength in numbers. Regional service agencies can also help districts. There is more federal grant funding available than there used to be, which districts can take advantage of.
EDTECH: What should administrators know about protecting data in a way that maintains FERPA compliance?
VANCE: This is not something that happens overnight. It’s less about the laws and more about crafting a fundamental respect for privacy and understanding at the administrative and teacher level about the things that happen if you don’t respect privacy and security.
I’ve been studying the issue of what training administrators and educators need on privacy. A lot of it goes back to creating a culture of privacy.
It’s not about saying you’re complying with this law. At its core, it’s about being respectful of the data of the children that you’re serving.
Good training identifies fair and transparent information practices and principles.
It’s about ensuring people only have access to data when they need it for their jobs, and it’s about making sure all of these things are actually happening day to day.
This is much less about training people on FERPA every year and more about embedding those principles of privacy in everyday school life.
EDTECH: What are tools or resources administrators can use to stay on top of the legislation and other regulations around student privacy?
VANCE: The Future of Privacy Forum is the only organization that posts a list online of all of the laws that have passed on student privacy since 2013.
There is a free service we offer anyone for whom privacy is a slice of their job if they’re at a district or state level: monthly webinars and working groups where people can log on and learn about an issue.
The Data Quality Campaign does a really nice annual summary of the laws that touch on data, including the those that touch on student privacy.