The decision by a California judge to appoint a cybersecurity expert to maintain tight control over data on special needs students, which is required for a lawsuit, highlights the vulnerability of private student data being retained on school networks.
The lawsuit is being brought against the California Department of Education by the families of special needs students, who feel the students aren’t getting enough services in California public schools. And though the specific legal issues in this case only affect California, the handling of these students’ data highlights problems with protecting sensitive data that affect schools nationwide.
The challenges of protecting student data combine to form a sort of trifecta of circumstances facing schools. First, student data has become a high-value target for criminal hackers, because the unblemished records of minor students make them ideal targets for identity theft. Second, schools are retaining more student data on their networks than ever before, and it isn’t always clear exactly where that data is being stored – it could involve multiple servers and applications depending on the school. The third factor is that schools and school networks are considered soft targets. There are a number of reasons for this perception, including the influx of mobile devices, which opens new threat vectors and makes mobile data security more complex. More likely, it’s because many schools are using legacy security solutions with limited capabilities and they don’t have the deep pockets of large corporations, which can spend as much as they choose to on cybersecurity.
Unfortunately, the loss of private student data being held by schools, which is what concerns the California judge, can follow minor students well into adulthood. Stories of high school seniors who apply for college loans only to discover their identity has been stolen and their credit rating ruined are not hard to find. It can take years to mitigate this sort of damage.
Regulations are in place and the problem isn’t that schools aren’t complying with CIPA or the new FCC rules that append it. Neither is there any issue with them complying with HIPAA rules that govern healthcare information. The problem is that these regulations are very vague when it comes to the type of technology schools must purchase. They can’t be forced to deploy technology that is powerful enough to provide the advanced threat detection and mobile data security required to defend against today’s complex and sophisticated threats.
In the ’90s, when CIPA became law, it only required that schools have technology in place to ensure that inappropriate Web content was blocked from student access. This meant that simple URL filters were deployed on school networks – they weren’t even called secure Web gateways in those days. Today, many schools are sticking with their legacy filters because they know how to use them, the filters fulfill basic CIPA requirements and, having no extras, they keep costs fairly low. However, the type of cybersecurity solutions that may once have been considered “nice to haves” for schools, like solutions that provide advanced threat detection, are fast becoming “must haves.”