The event's host, ManagedMethod’s Chief Revenue Officer David Waugh, offered an unequivocal reason for the webinar: The education community has a data security problem.
"It’s no secret to anyone that’s out there that works in education, or even if you’re just a casual follower of the media, you’ve seen that we’ve had an enormous amount of headlines involving our community in the cybersecurity world,” Waugh said. “In fact, the education community has moved into the top five most-targeted industries, alongside financial services, health-care retail and more. It’s no longer isolated to the business community.”
Over the course of the COVID-19 pandemic, ransomware attacks like those that shut down classes last year in New York's Buffalo schools, or caused a major data breach in Florida’s Broward County schools last year, have created headaches for IT personnel tasked with protecting student data.
Gaddis and Garrett said school districts adopting new educational apps and programs must do the work of properly vetting them, to learn whether they have protocols in place to secure student data or any other privacy safeguards to avoid creating new vectors for cyber attacks.
Gaddis noted that just because an app is free for teachers doesn’t mean it’s safe to use.
“With the pandemic, what happened was that everything had to be digital. ... All of a sudden, everything was open free to our teachers,” she said. “The problem is when you have free [tools], you’re talking about manually uploading student information, (with) no privacy or security checks on the backside because you don’t know which teachers are using what resources.”
While some states like California and North Carolina have consumer data protection laws and guidelines for what kinds of data ed-tech apps can collect, as well as what they can do with it, Garrett and Gaddis said federal regulations to protect student data privacy leave much to be desired.
“States have really picked up and rolled with their own laws,” Garrett said. “All of that shift has come about to prepare and give more guidance to both vendors in the arena, as well as school districts.”
Gaddis added that “there’s no teeth” to existing federal regulations for safeguarding student data on third-party educational apps, while some states have little to no additional regulations, leaving much of the task of securing student data up to IT staff in local school districts.
“It’s really about accountability,” she said. “I actually think there’s more work to be done with adding additional state laws around this, at least in several states, and I’ll include North Carolina in that.”
Citing advisories from the FBI and CISA designating K-12 schools as top targets for cyber criminals during COVID-19, Garrett noted that student data is particularly valuable to cyber criminals, which Gaddis said could lead to student data being sold on the dark web.
“You won’t know their credit is affected for 18 years,” she said. “When you do your annual credit checks, you now need to check your kids'.”
As school districts, states and policymakers at all levels grapple with the need to protect student data and vet ed-tech tools for privacy safeguards, parents and other K-12 stakeholders will play a key role in discussions of how to approach student privacy.
Gaddis noted that parents are asking more questions than before about what types of privacy protections schools and ed-tech vendors have amid the on-and-off shifts to remote learning during COVID-19, which has coincided with the adoption of new educational apps.
“Understanding what third-party apps and where our data goes and lives is going to become a literacy we’ve never had before, and that’s something we have to help our communities with as district leaders and state leaders,” she said, noting the need for tech vendors to be as transparent as possible about their terms of use and privacy protocols. “You've got to have the right partners in place, and you have to have honest conversations.”
Garrett said school districts must work to create a culture of cyber hygiene — teaching parents, students and staff how to protect themselves and be aware of the dangers that come with a plethora of new digital learning tools.
“It’s now a conversation where we have to teach the students, parents and staff how to keep themselves safe in this high-tech world,” she said.
