A recent data breach at a large Texas school system exposed personally identifiable information (PII) of potentially hundreds of thousands of students dating back to 2010, reports the nonprofit Identity Theft Resource Center.
It’s just one example of a growing trend in which hackers steal, and then post or sell, student data. This crime affected potentially thousands of K-12 schools in 2021 and is expected to skyrocket by as much as 86% in the current academic year.
Student data can include name, date of birth, Social Security number, family financial status, and medical conditions. Criminals can use the information to open a bank or credit card account, apply for loans, rent a place to live, apply for government benefits, and more. This identity theft can haunt students for years, disrupting their ability to obtain credit, college financial aid or other government assistance.
Yet many school systems are unaware of student identity theft – or even the breadth of student data in their datastores. This lack of awareness exposes them to cybercrime, lawsuits, and financial loss, and it impedes their ability to protect the data – along with students past and present.
Student identity theft also presents a potential equity gap. School systems with adequate budgets often have the resources to ensure cyber protections. Those in areas with a lower tax base – where students might experience outcome disparities based on demographic traits and intersectionalities – are more likely to remain unprotected.
The solution? School administrators and IT decision-makers need to understand relevant regulations, assess their data, and think beyond existing network safeguards – leveraging cost-effective encryption technology to protect the data itself.
Understanding relevant regulations
Multiple laws at the federal and state levels allow students and their families to access and modify their own PII as well as consent to how it’s disclosed. One example is the Protection of Pupil Rights Amendment (PPRA), which requires schools to allow parents to review instructional materials and surveys that could reveal certain types of PII. Another is the Family Educational Rights and Privacy Act (FERPA), which allows parents and students over age 18 to control access to their PII in school records. Some states also have their own compliance requirements, such as New York and its Education Law 2-D, which focuses on maintaining the privacy and security of student and staff PII.
Complying with these regulations requires schools to understand the types of PII they maintain and protect that data wherever it’s stored and shared. Failure to comply can result in a loss of funding.
For example, Consolidated High School District 230, in Illinois, implemented a cost-effective data security solution to help it comply with FERPA, the Illinois School Student Records Act, and other regulations. The solution safeguards the creation, storage, and sharing of student data through the use of encryption – crucial at a time when students have been attending classes virtually.
Assessing data stores and protections
Many schools believe they have a clear picture of their student data. But they might be surprised to discover that sensitive data is often shared with parents, state and local government organizations, and other entities outside the school system. This data can also be stored and shared across the district, from the nurse’s office to the registrar to individual teachers’ email inboxes. Without an end-to-end view of what data is ending up where, schools can’t ensure regulatory compliance. Just as important, they can’t be certain essential data safeguards are applied wherever that data is stored and as it’s transferred from one location to another.
Iron County Schools, in Utah, has put in place a system to assess the types of student information it maintains, which data can be shared publicly, and which requires parental consent before it’s shared. For data that’s designated for public use, parents can opt their child out of participation.
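The kind of inventory described in this section can start as a simple scan that records which categories of student PII turn up in which parts of the district. The sketch below is an added illustration, not a tool used by any district named in this article; the sample documents, locations, and medical keyword list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample content, keyed by where it sits in the district (all values fake).
SAMPLE_STORE = {
    "nurse_office/visit_log.txt": "Jane Roe, DOB 03/14/2009, asthma inhaler, SSN 512-44-9087",
    "registrar/enrollment.txt": "Student 1001 John Doe SSN 123-45-6789 date of birth: 2008-11-02",
    "teacher_inbox/msg_0042.eml": "Fwd to parent: Jane's SSN is 512-44-9087 for the aid form",
    "cafeteria/menu.txt": "Pizza on 10/05/2022; supplier order 666-12-3456",
}

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
DOB_RE = re.compile(
    r"\b(?:dob|date of birth)\b[:\s]*(\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})", re.I)
MEDICAL_RE = re.compile(r"\b(asthma|allergy|diabetes|medication)\b", re.I)  # assumed keywords


def plausible_ssn(area, group, serial):
    """Drop number shapes the SSA never issues, which cuts false positives."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def classify(text):
    """Return the set of PII categories found in one document."""
    found = set()
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if DOB_RE.search(text):
        found.add("dob")
    if MEDICAL_RE.search(text):
        found.add("medical")
    return found


def inventory(store):
    """Map each PII category to the sorted top-level locations holding it."""
    by_category = defaultdict(set)
    for path, text in store.items():
        for category in classify(text):
            by_category[category].add(path.split("/", 1)[0])
    return {cat: sorted(locs) for cat, locs in by_category.items()}


if __name__ == "__main__":
    for category, locations in sorted(inventory(SAMPLE_STORE).items()):
        print(f"{category}: {', '.join(locations)}")
```

In the sample, the same Social Security number appears in both the nurse's log and a teacher's inbox, which is the kind of spread an end-to-end view is meant to surface.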
Augmenting network security with data encryption
To safeguard data, schools traditionally have focused on antivirus, firewalls, intrusion protection and other network protections. These measures are necessary, but they’re no longer sufficient, especially in a virtual schooling environment. If cyber attackers can get through these defenses – and there’s a significant risk they eventually will – they have an opportunity to steal student data.
The solution is to achieve security at a more fundamental level, by securing the data itself. Encryption is one way to do this: it applies computer algorithms to scramble data so that it can be read only by an authorized user who holds the digital key to decrypt it. Even if cybercriminals steal the data, they can’t read it, which means they can’t sell it. The data – and the student – remain protected.
The good news is that effective encryption needn’t be priced beyond the budget of cash-strapped school systems. Newfield Central School District in New York, for example, implemented an end-to-end data protection platform that encrypts student data both at rest and in transit. The district can now ensure comprehensive security and privacy for its students – and close the equity gap in student data protection.
Cybercriminals aren’t about to stop targeting students for identity theft. And their methods, from phishing to ransomware, will grow ever more nefarious. But by better understanding the issues at stake and by making necessary, cost-effective investments in data encryption, schools can go a long way in protecting student data – and the students they serve.
Sam Windfield is a Sales Director at Virtru, where he works closely with schools, school districts, and universities to safeguard the sensitive data they’re entrusted with protecting.