Three Tips for Securing K-12 Student Data

As school districts adjust to new and emerging technologies in K-12 eduction while cyber crimes continue to surge, student data privacy is top of mind for local and national officials. Here, we highlight three suggestions from leading experts on how local districts can help secure student data.

Cybersecurity is a top priority for all aspects of the public sector, including public education systems. The need to secure tech platforms and systems with access to sensitive student data has heightened amid the simultaneous increase in cyber attacks, including ransomware, against local school districts and the shift to virtual and hybrid learning.

The Federal Trade Commission (FTC) has taken a strong interest in the topic and has offered several pieces of advice to help local districts secure their systems. In May, the FTC published a policy statement indicating its intention to protect student data privacy in public schools, with an emphasis on cybersecurity. That statement noted:

The Federal Trade Commission (“Commission”) is committed to ensuring that education technology (“ed tech”) tools and their attendant benefits do not become an excuse to ignore critical privacy protections for children. When Congress enacted the Children’s Online Privacy Protection Act1 (“COPPA”), it empowered the Commission with tools beyond administering compliance with notice and consent regimes. The Commission’s COPPA authority demands enforcement of meaningful substantive limitations on operators’ ability to collect, use, and retain children’s data, and requirements to keep that data secure. The Commission intends to fully enforce these requirements—including in school and learning settings where parents may feel they lack alternatives.

The FTC continued its policy statement under the evolving backdrop of the COVID-19 pandemic and the switch to hybrid and virtual schooling:

Concerns about data collection are particularly acute in the school context, where children and parents often have to engage with ed tech tools in order to participate in a variety of school-related activities. School-issued personal computing devices and online learning services have provided substantial benefits to students, particularly as the COVID-19 pandemic closed schools and forced families to switch from in-person to remote learning for their children. At the same time, parents may have reasonable questions and concerns about the personal information that ed tech providers collect and how they use and potentially share that information with third parties, including for marketing purposes. And parent groups, among others, have expressed concern that children are a captive audience in the school setting and should not be targeted with advertising as they pursue their educations.7 School-issued devices and applications also enter families’ homes, potentially allowing for even more private information to be collected and shared. Commission staff has provided extensive guidance8 on COPPA’s application to ed tech providers to address these concerns.

Tips for local school districts

In light of the new emphasis on K-12 cybersecurity, K-12 Drive, an online platform on public education policy and news spoke to an expert on how local school districts can immediately work to secure systems and data.

Here’s what Doug Casey, executive director of the Connecticut Commission for Educational Technology, suggests local school districts do:

1. Take inventory of the ed tech you’re using:

As more districts sign contracts with more ed tech companies, Casey said it’s helpful for districts to do an inventory of all the applications and technology tools being used, and then consider consolidating them.

2.  Know your state and federal laws:

… as districts review contracts, it’s helpful to have a checklist aligning with state and federal laws on children’s data privacy protections. If doable, there should be a district leader who is very knowledgeable about state and federal laws, particularly COPPA and FERPA, Casey said.

3. Read a company’s terms of us:

… districts should try to look within their staff for anyone in addition to a district technology leader who can thoroughly examine a company’s data privacy policy, Casey said. This could potentially lead to partnerships among technology, academic and curriculum teams to share this responsibility, he said.

Casey added it’s key for district leaders to ask questions and push back on ed tech providers when striking up a contract. He said districts should be skeptical of companies willing to offer services to schools for free.

During the 2022 legislative session, the General Assembly passed a sweeping suite of policy reforms to guide Maryland’s privacy and cybersecurity policies, including those of local school districts. MACo worked with legislative leaders to ensure local governments were well-situated to access state aid and resources to implement the standards and goals set by the suite of bills.

Stay tuned to Conduit Street for more on cybersecurity in education and other topics relevant to local government.

Read the full K-12 report on keeping student data privacy secure.

Access the FTC’s policy statement on student data privacy.