When Equifax is getting hacked, how can districts keep data secure?
On Board Online • October 23, 2017
By Jeffrey S. Handelman
Deputy Director of Administration
Is your district's student data secure? Are you sure? In a world where technology is changing quickly, there is not enough money or time in any district to remove all possibility of a data breach, attendees at a workshop on Data Privacy and Security Service learned. When even a company as large and seemingly impregnable as Equifax is vulnerable to hackers, school districts need to do all they can to minimize risks.
That means having the personnel and policies in place to ensure that personally identifiable data on students, teachers and principals is kept secure and private.
Workshop presenters Valerie D'Aguanno, from the Nassau RIC, and Joseph Fitzgerald, from the Lower Hudson RIC, stressed three questions that superintendents ought be able to answer:
One problem is that districts have many product databases they don't control, but are responsible for. It is common for teachers to find free educational software and unknowingly put the district at risk of violating state or federal data security laws.
In 2015, there were 3,500 K-12 software programs, a number that is growing at 14 percent a year. It is the fastest growing segment of the software industry. Tracking individual students' progress is an almost universal feature.
Laws such as state Education Law sections 2-c and 2-d, the federal Family Educational Rights and Privacy Act (FERPA) and the federal Children's Online Privacy Protection Act (COPPA) are laws meant to protect personally-identifiable data. But districts don't control third- party vendors, or subcontractors of those vendors. And if districts had a complete catalog of all forms of data kept about students in every app or software package, monitoring all the safeguards would be an overwhelming task.
Under section 2-d of the Education Law, districts must develop a Parents' Bill of Rights for Data Privacy and Security. What can districts promise parents when so much data is free, wearable and shareable, and no one knows what form the next killer app will take?
The state comptroller's office has put together a security assessment that is available at www.osc.state.ny . The report, "Protecting Sensitive Data and Other Local Government Assets: A Non-technical Cybersecurity Guide for Local Leaders," includes the following suggestions:
Another report on the comptroller's website, "Local Government Management Guide Information Technology Governance" also contains relevant information for districts.
D'Aguanno and Fitzgerald emphasized two points as the workshop concluded. The first is that one person in the district must be responsible for data security, and the second is the importance for districts to do a risk assessment of their data and software systems.
The comptroller's report contains specific recommendations for conducting a cybersecurity audit as well as a variety of solutions. Districts have many resources at their disposal. For additional assistance with this topic, contact one of the state's 12 Regional Information Centers.
Editor's Note: On Oct. 16, the State Education Department announced that it is creating a Student Data Privacy Council that is expected to develop guidelines to minimize the collection of personally identifiable information by apps and other classroom technology with cloud storage.