Keep student information safe, secure when using school-issued technology

ORLANDO, Fla. — School system leaders are responsible for protecting the physical safety of students, but as information security breaches become more common in schools, those protections extend to students’ online personal information just as much, said Linnette Attai, founder of Playwell, LLC.

“We are responsible for their information,” she said. “We often talk about this as data privacy but think about it as privacy of the individual. It’s not their information, it’s them that we’re protecting.”

Serena E. Sacks, chief information officer for Fulton County (Ga.) School District, said threats can arise from just about anywhere these days, including among students.

During the session PII: What Schools Can Do to Protect Student Data Privacy at the 2018 National Future of Education Technology conference, Sacks shared some incidents that occurred in FCSD in the last four years.

In one case, a student hacked a school’s computer system and over the course of a year “downloaded teachers’ Social Security numbers and credit card numbers and changed grades.” In another instance, a student stole a vice principal’s online credentials and changed his teacher’s gradebook.

A more serious threat occurred last semester when a hacker siphoned funds from staff member accounts. The incident went unnoticed because the criminal disabled a capability in the system that would have alerted staffers to any direct deposit change and suspicious activity, she explained.

Getting started on data privacy, compliance

Sacks offered guidance to schools that are just getting started or wondering which areas to focus on to improve student data privacy and compliance programs:

• At minimum, require annual training for all district employees. Treat security awareness as essential training and require district employees to acknowledge a Responsible Use policy similar to one that must be signed by students and parents before receiving school-issued devices.

• Encourage staff not to rely strictly on technology to solve a human problem. She encourages teachers to monitor students’ computer use during class activities and tells administrators to set a good example, but also involve parents in monitoring their child’s online behavior.

• Always adhere to district policies and guidelines when using technology. All staff and students are restricted from installing VPN proxy software or browser extensions to bypass district firewall content filtering rules when using district-issued devices. “When the students are not on site, it’s as though they are,” she said. “Their traffic travels back through the district’s firewalls. We are doing everything possible to keep kids safe. If they’re going to abuse it there are going to be repercussions.”

• Require that school software installation requests be approved by a district Application Governance Committee. This group ensures the selected software vendor adheres to federal, state, and district privacy laws.

• Implement a Think Before You Click staff awareness campaign. “Technology can’t prevent everything; [safety] is behavioral,” she said. “We want to try to make that very clear.” Staff and students must be vigilant for phishing emails that request personal information and think carefully before clicking to ‘agree’ to an app’s privacy policy, she added.

• Invest in cloud security tools to validate and monitor unauthorized account activity. Cloud and external access to information anywhere, on any device, and at any time creates a security risk if access is not validated by using tools such as multi-factor authentication, she said. FCSD has “layers and layers of security” and works with security experts to “figure out what we need.”

• Require digital citizenship training for all schools issuing student devices. FCSD partnered with Common Sense Media and other experts to develop curricular materials and a Device and Responsible Use policy that says schools can take disciplinary action if students misuse devices and internet access.

• Use “next-generation” tools to detect malicious activity. A firewall solution allows policies to be written for “application and malware signatures, in addition to port-based policies” and a zero-day malware solution allows the LEA to “detect malicious activity on workstations based on predictable patterns, while not relying on virus signatures,” she said.

Emily Ann Brown covers education technology and STEM education issues for LRP Publications.

Copyright 2018© LRP Publications