The State of K-12 Cyber Safety & Security: Student Data Privacy in Remote Learning

Katie Fritchen is the Senior Marketing Director for ManagedMethods, where this post originally appeared.

Districts are struggling to address the unique challenges presented by student data privacy in today’s remote learning environments. A white paper by McGraw-Hill Education defines student data privacy as, “…the use, collection, handling and governance of students’ personally identifiable information (PII).” The white paper identifies specific types of information including:

• Name and address
• Student ID
• Login information
• Academic, health, and disciplinary records
• Demographics and birthdate

This type of information is interesting to a variety of users, some criminal, and others (unfortunately) not so much. The issue of why student data privacy is important can generally be boiled down to two reasons. First, so children don’t become victims of identity theft, sextortion, and other types of cybercrime. Hackers can use PII singly or in combination to identify, find, and contact students.

The second reason is so that companies can’t use the information to build profiles on children throughout their lives, impacting their ability to go to college, get a good job, get good credit, etc. There’s also concern that companies will use student data to influence their purchasing decisions, among other things.

School district leaders are understandably concerned about protecting student data to keep their students safe from a variety of dangers. Two dangers stand out among the rest.

The (practically) overnight migration to K-12 remote learning and working due to COVID-19 made cloud security and student data privacy issues more apparent. But the truth is that the problems were already there, lurking behind a false sense of security provided by firewalls and content filters.

That is why we’re taking this look at the state of K-12 cyber safety and security through a remote learning lens, and hosting a panel discussion with Doug Levin at The K-12 Cybersecurity Resource Center and two K-12 IT professionals who are working through these—and many other challenges—that tech pros are facing today.

Why Student Data Privacy Matters

Cyber safety and student data privacy is not just a school issue. It affects parents, students, and society. School districts see two critical reasons to protect student data. All school districts must comply with student data privacy regulations, and they must also protect students’ health and wellbeing.

Student Data Privacy Compliance

Student data privacy laws are in place to try to protect our children, but a confusing jumble of regulations is often the result. The Federal government and individual states have passed regulations governing the collection, storage, and use of student data. For example, schools need to comply with the following Federal regulations:

• Family Educational Rights and Privacy Act (FERPA)
• Protection of Pupil Rights Amendment (PPRA)
• Children’s Online Privacy Protection Act (COPPA)

Additionally, 49 states have passed 400 pieces of legislation to address state-specific issues between 2013 and 2016. The combination of Federal and state regulations often launches district IT teams into a challenging juggling act. Now there’s the issue of student data privacy in remote learning that is making the compliance landscape even more complex.

Protecting Students’ Health and Wellbeing

Children are among the most vulnerable to internet scams. Since school districts store an extensive amount of student data, they are a prime target for cybercriminals according to 2019 cyber safety and security research.

When hackers steal student data, it can result in harm to students from threats to their safety, student identity theft, and a variety of other scams that threaten our children’s health and wellbeing.

What Makes Student Data Privacy in Remote Learning Different?

The rush to offer remote learning as the COVID-19 pandemic closed schools resulted in a remarkable edtech migration. School districts across the country did an amazing job of going from classroom to remote teaching approaches. However, that transition created a number of issues when it comes to data security and student data privacy. Because district staff had to, understandably, focus on remote learning enablement, accessibility, and support, few were able to stop and think through how to secure student data in this environment.

Unvetted EdTech Threats

One of the most critical threats is that almost overnight teachers, students, and staff began using a wide variety of remote learning resources, sometimes including risky EdTech. Unfortunately, in most cases, district IT teams didn’t have the chance to vet those resources for security and student data privacy compliance properly.

As a result, remote learning security risks are finding their way into district G Suite and Microsoft 365 environments. These risks increase your district’s vulnerability to ransomware, account takeovers, and data security issues. And, once that happens, threats to students’ health and wellbeing increases along with the likelihood that your district isn’t complying with privacy legislation.

Lack of Visibility and Control Over Cloud Applications

Most district IT teams work to protect the district’s network by focusing on firewalls and content filters. But, they don’t have visibility and control over applications that operate outside the district’s network. That raises another critical problem now that remote learning has increased the number of students, teachers, and staff using cloud-based systems such as G Suite and Microsoft 365.

You can’t protect those cloud-based systems using traditional network security tools—particularly in remote learning situations when they’re being accessed from outside of the school network. District IT leaders and admins are working to address the unique data security and student data privacy challenges that remote learning on a large scale has presented.

Join us for a free webinar to participate in a panel discussion with two respected K-12 District IT leaders and the founder of The K-12 Cybersecurity Resource Center discuss the lessons that they’ve learned in making the transition to remote learning and how they’re planning for different contingencies in the 2020/21 school year.