Securing student data is a challenge that requires sufficient funding

For families across America, autumn means a return to school. New classrooms, new schoolbooks, and increasingly, new digital services that use student data to improve educational outcomes. 

This fall, schools around the country received a nasty back-to-school present: data breaches wrapped in disturbing threats. In September, the Columbia Falls (Montana) school district shut down for three days in response to a ransom letter. Penned by cybercriminals, the letter claimed that student data had been breached, made chilling references to the 2012 shooting at Sandy Hook Elementary School, and threatened to release sensitive student information.

A few weeks later, Johnston Community School District (Iowa) received a ransom note from the same group. Parents and students received text messages threatening to harm them. The district closed several schools. Then the digital intruders published a list of student data, stating that the information could be used by “any child predator [to] easily acquire new targets and even plan based on grade level.”

{mosads}The hacking group has now hit at least four districts — including Splendora Independent School District in Texas and Crenshaw County Schools in Alabama — and their Twitter feed alludes to two universities in New York and California that may have also been victimized. Schools appear to be the group’s newest target, following attacks and health care facilities and media companies.

At a recent meeting of state educational agency IT leaders, a U.S. Department of Education official explained why schools are increasingly at risk: while other industries are investing in greater IT security to protect against cyber threats, many schools are facing budget constraints that result in declining resources for IT security programs. Schools are becoming the one of the easiest targets for hackers.

Ransomware in schools is nothing new: K-12 education is one of the most targeted sectors for cyberattacks. However, “traditional” ransomware usually involved hackers locking up data held by a school, and charging a fee to recover the data. These new attacks are a different breed: the attackers demand a ransom, and pair the demand with threats against members of a school community, including threats to release sensitive data if schools don’t pay up.

Traditional ransomware attacks often work because they lock down administrative data that is necessary for schools to function; these newer attempts exploit information about students — including learning plans, health information, and internal school communications.

This is a burgeoning crisis. Children’s information should never be used to extort money, and no child should have to fear that sensitive data about them — whether special education, disciplinary, or their grades — could be publicized. Too many districts do not have the funding to support adequate technical safeguards, staffing levels, or comprehensive privacy and security training to safeguard student data.

When we are talking about “information” in this context, we are discussing the lives and learning of schoolchildren. We don’t know how to quantify the potential harm to a child’s education and wellbeing when their school experience is infused with the fear of having private information publicly revealed. The risks to individual children are difficult to precisely describe, but nonetheless crucial to prevent.

State and federal legislators are considering legislation that could reduce the threats from these hacks. However, this is not a problem that can be legislated into submission. Since 2013, more than 120 new student privacy laws have passed in 40 states, and many of those laws require security controls for districts or their contractors. However, legislating requirements for schools without budgeting additional funding to support these requirements is ineffective. Very few laws passed since 2013 fund additional security resources for schools.

Of course, state policymakers are funding many education priorities: improving college and career readiness, supporting personalized learning, creating better school climates, and ensuring equity, among others. Spending money on security or training isn’t always top of mind, and elected official can struggle to articulate how improving privacy safeguards is an issue that they can “run on.” However, educational priorities that reply on digital tools will fail if parents do not trust schools to protect kids’ data.

Parents and other stakeholders who are concerned about these attacks should encourage their state and federal representatives to fund better cybersecurity in schools. Student data should never be the easy target for criminals who would terrorize children for a quick payday. 

Jules Polonetsky is CEO of the Future of Privacy Forum, Amelia Vance is a policy counsel at the Future of Privacy Forum and leads the Student Data Privacy Project, and Bill Fitzgerald is the director of Privacy Review Programs at Common Sense Media.