Apr 28 2022

Understanding FERPA, CIPA and Other K–12 Student Data Privacy Laws

How does the Family Educational Rights and Privacy Act affect cloud data, and when can IT leaders be held liable? Here’s what districts should know about these laws in today’s education landscape.

To effectively address student data privacy, K–12 IT leaders need to understand the legal requirements. As districts shift operations to the cloud — and with bad actors increasingly targeting schools — IT teams need to ensure they are meeting both the letter and the spirit of the law.

The main federal statute guiding student data privacy is FERPA, which stands for the Family Educational Rights and Privacy Act. “It requires that schools protect the privacy of education records and give parents access to them,” says LeRoy Rooker, senior fellow at the American Association of Collegiate Registrars and Admissions Officers.

FERPA protects student privacy by “defining what information schools can collect, maintain, and disclose with and without a student’s or their parents’ or guardians’ consent,” says Charlie Sander, CEO of ManagedMethods, a cloud security and safety platform built specifically for K–12 district technology teams.

The Children’s Internet Protection Act also plays a role here. “CIPA is perhaps the most overlooked regulation” when it comes to student data privacy and security, Sander says. “Content filters are used as the measure for CIPA compliance, but as more student information is moved online in cloud storage, content filters cannot protect student data from ‘unauthorized disclosure, use, and dissemination of personal information regarding minors.’”

Other relevant laws include the Protection of Pupil Rights Amendment, which outlines restrictions pertaining to student privacy in federally funded surveys or evaluations. In addition, schools funded under the Individuals with Disabilities Education Act must ensure the confidentiality of personally identifiable information.

In addition to federal laws, 42 states and the District of Columbia have passed more than 128 student privacy laws, says Jim Siegl, a senior technologist with the Youth & Education Privacy team at the Future of Privacy Forum.

What Happens if a School Breaches FERPA?

To meet the demands of FERPA, a school must “take reasonable precautions to ensure that someone who doesn’t have a legitimate educational interest in accessing the records can’t get access to those records,” Rooker says. “If you’re doing emails outside, encryption is a reasonable precaution. If you’re storing sensitive information, make sure you have your firewalls in place.”

Under FERPA, a violation occurs when protected student records are disclosed to someone without a legitimate educational interest, or when a district simply fails to take reasonable precautions to protect them; an actual exposure of data is not required. Violations can result in an investigation by the U.S. Department of Education, whose Student Privacy Policy Office administers FERPA.

93%: The share of parents of K–12 students who say it is important for schools to engage with them about the use of student data; only 44 percent say they have actually been asked for their input. (Source: Center for Democracy and Technology, “Sharing Student Data Across Public Sectors,” December 2021)

An investigation usually is the result of a parental complaint, but that’s not always the case. “The Department of Education also has the authority to initiate its own investigation if, for example, something egregious has happened where the school district was obviously not making a reasonable effort to protect their records,” Rooker says.

Experts agree that IT leaders generally cannot be held personally liable for a FERPA violation. The district as an institution, however, is the party accountable to the Department of Education, and there can be consequences.

FERPA does not have a private right of action (meaning individuals cannot sue). Rather, because FERPA is a funding law, “the ultimate penalty is that funding could be withdrawn,” Siegl says. While this is a possibility, it is not the first step the agency will take. In fact, Siegl says, he’s never seen it.

“To date, this has never happened,” he explains. “In general, the Department of Education attempts to have the institution correct the action.”

But there are also potential consequences beyond what the law imposes.

“We’ve seen students gain access to their peers’ information and use that to bully them,” Sander says. “We’ve seen criminals use parents’ information to try to extort ransom payments from the district. And we’ve seen them sell student information to identity thieves on the dark web. These incidents have real consequences to the long-term health and well-being of our students.”

Reduce the Risk of Security Breaches in K–12 Districts

Student data typically resides in a mix of on-premises systems and cloud services. “Even before the pandemic, the trend was moving toward cloud storage. COVID-19 sped things up,” Sander says. The shift to the cloud brings its own risk: records that once sat behind the district network perimeter are now reachable from anywhere on the internet, so account security and service configuration, rather than the network boundary, become the primary safeguards.

To mitigate that risk, Sander advocates for a multilayered approach. “There really is no one-size-fits-all tool,” he says. “Schools need firewalls, content filters, network segmentation, endpoint protection, cloud security, processes, training and more.”

Often understaffed and underfunded, school IT teams may struggle to get there. “They’re being pulled in a million different directions, usually with a primary focus on classroom technology,” Sander says. As a result, a lack of effective controls leaves student data vulnerable to exposure and abuse.

To begin, he suggests a methodical approach. “Assess your risk, prioritize your list and then go after it one bite at a time,” he explains. “Decide the one to three things, depending on your resources and talent, that are most pressing for your student privacy risks and start working to mitigate them.”

Siegl says basic steps include inventorying your data, updating and patching systems, enforcing multifactor authentication, requiring password managers, and implementing intrusion detection systems and endpoint protection.

The U.S. Department of Education “provides a variety of resources to help schools and districts manage privacy and security risks to student information,” a department spokesperson says. School leaders can find best practice resources on the agency’s website.
