The shift may be due to a desire to avoid negative attention, says Karen Sorady, vice president for member engagement at the Multi-State Information Sharing and Analysis Center. “There’s fear because people don’t want to be exposed for having fallen victim to something they shouldn’t have.”
Districts may neglect to disclose incidents to avoid ire from parents and the community, as well as the infamy that comes with media attention. While the legal reporting requirements for educational institutions are weak, there are many benefits to reporting cyberthreats and attacks when they occur.
Do Schools Need to Report Cyberattacks?
In March 2021, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law, requiring “owners and operators of critical infrastructure” to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency within 72 and 24 hours, respectively.
Education, however, is not considered “critical infrastructure” as defined by CISA. The agency’s requirements apply only to:
- Chemicals
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense industrial bases
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems
The new legislation does align with a larger trend that Sorady sees in underreporting. “It’s not limited to schools,” she says. “In general, there’s underreporting of cyber incidents across the board, in government and in the private sector as well.”