On September 13, the Federal Bureau of Investigation (FBI) issued a public service alert to raise awareness of cybersecurity concerns for K–12 students. While education technologies have helped to foster community involvement and improve the educational environment, security risks lurk beneath the surface. Large amounts of student data are collected and stored online, and this data is at risk of compromise or exploitation if it is not stored securely enough to keep hackers out.
Education technologies include software programs and online apps used in classrooms, mobile apps to enhance the learning experience, administrative platforms that assist educators and administrators with class and school management, and others. At-risk data collected by ed-tech can include students’ personally identifiable information, behavioral and disciplinary information, academic records, biometric data, geolocation, and more. The FBI warned that malicious use of this data can lead to social engineering – using deception to manipulate people into disclosing confidential or personal information – identity theft, bullying, tracking, and other means of targeting children.
School Security Hacks in 2017
The FBI’s alert included reports of two serious security breaches in 2017. In the first, multiple school districts’ servers across the country were hacked, giving the hackers access to student contact information, education plans, medical records, and counselor reports. This information was then used to contact, extort, and threaten students with physical violence and release of their information. Parents received text messages, and students’ private information was publicized and posted on social media, giving child predators access to new targets.
Additionally, two large ed-tech companies were breached in 2017, resulting in public access to the data of millions of students. One of the companies had stored its data on public-facing servers, and breached data from the other company was posted for sale on the dark web.
FBI Recommendations
The FBI recommends that parents be aware of student privacy requirements, discuss ed-tech with their local school districts, conduct research for support and additional resources, research security breaches to stay informed of vulnerabilities, consider monitoring credit for identity theft, and conduct regular internet searches on their children.
Issues for Schools
The bottom line is that additional security costs additional money. Schools that face budget decisions and scarce resources for internet security may prioritize value-added expenditures over those with no visible benefit, such as cybersecurity.
School District Legal Requirements
School districts should know and consider legal requirements when adopting ed-tech resources and weighing the importance of cybersecurity.
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) as well as state law (R.C. § 3319.321) and board policy place stringent restrictions on how “student records” must be maintained and protected. Board records retention schedules require districts to maintain certain types of records for years, if not permanently. Staff should be trained to understand what constitutes an education record as well as the state and federal laws and board policy that limit release and maintenance of student records.
The Children’s Online Privacy Protection Act (15 U.S.C. § 6501–6506; 16 CFR Part 312) imposes requirements on operators of websites, internet services, and apps directed to children under age 13 and on operators that have actual knowledge that they are collecting personal information online from a child under age 13. The purpose is to give parents control over their children’s information that is collected online by seeking parental consent. Schools that contract with third-party websites or apps solely for the benefit of students can consent to data collection and the use or disclosure of students’ personal information by acting as an agent on the parents’ behalf. Such consent is restricted to educational purposes only. Additionally, at the school’s request, the operator must provide a description of the types of personal information collected, the opportunity to review the child’s personal information and/or have the information deleted, and the opportunity to prevent further use or online collection of a student’s personal information.
Tasked with enforcing COPPA, the Federal Trade Commission recommends that schools or districts – not teachers – decide whether a provider’s information practices are appropriate. Districts should have a centralized process to assess these practices. The FTC cautions that schools should know how student information is collected, used, and disclosed. Districts should also ensure that these operators appropriately protect the security, confidentiality, and integrity of student information and should understand the operator’s data retention and deletion policies.
The Protection of Pupil Rights Amendment (20 U.S.C. § 1232h; 34 CFR Part 98) requires that districts adopt policies and provide direct notification to parents at least annually regarding the specific or approximate dates of activities involving the collection, disclosure, or use of students’ personal information for the purpose of marketing or selling that information (or otherwise providing the information to others for that purpose), as well as the parents’ right to opt out of these measures.