The True Cost of a K12 Data Breach

#Data
Erin Werra, Edtech Thought Leader

Unpopular opinion: We should tell families what to expect if their child’s data is stolen.

We prepare children in schools for life-changing disasters every single day. Getting your personal information stolen is one of them, even if it doesn’t get adrenaline pumping quite as much.

How do districts handle the threat of fire, weather, and other in-school disasters? They practice, and often manage to do so without being too scary (miraculous!). With the stakes in mind, consider the value of practicing for a data breach, plus balancing what to reveal in reassurance and what to keep mysterious to protect your network.

 

Two Sides of the FERPA coin

First and foremost, share the protections every student enjoys from the Family Educational Rights and Privacy Act.

While families may think of this act in terms of their right to see student records, it’s crucial to emphasize that FERPA protects students inside school servers as well. This is because FERPA mandates student records are only accessible to educators with a vested interest in student records—that is, educators directly responsible for teaching that student.

This type of mandate is made possible in part through permission-based roles in student information system (SIS) software. This extra layer of protection is called into active duty if bad actors do manage to access systems—depending on the credentials stolen, criminals may only be able to see certain students’ information.

Edtech vendors must also be sensitive to privacy laws and rights, and their preparedness trickles down to every single user. When your edtech partners are equally (or more!) vigilant about cybersecurity, student data is safer.

What to share: Information about what FERPA does and doesn’t protect in classrooms, assurances that edtech vendors have been vetted and are trustworthy.
What not to share: Details about the inner workings of your SIS.

 

K12 cyberattacks target children

There are no two ways around it: when cybercriminals steal children’s personal identifying information (PII), those children are victims of an online crime. Talk about an upsetting new revelation for families, grown-ups, and students themselves.

Anticipating this emotional upheaval is unpleasant and instructive. Consider the timeline after a data breach. Educators, administrators, vendors, legal consultants, and other teams might sit with the reality for days before sharing information publicly, ripping the proverbial Band-Aid off the wound again. District teams may face the brunt of the anger families want to direct toward perpetrators of a crime against their child(ren).

Emotions run high because all people in school districts care what happens to children. It’s worth practicing and pondering how you’d respond in theory, queasy as it may be.

What to share: Realities of cybercrime trends in K12, reassurance, resources.
What not to share: In the vitriol, tempting as it might be.

 

Ripple effects for life

Despite assurances bad actors will totally delete all that valuable private data, there’s no guarantee. In fact, it’s frankly a bit naive to trust a cybercriminal.

Students whose data is lost to a stranger face lifelong consequences. These may include but are not limited to:
  • Financial loss
  • Reputational damage
  • Continuing threats to students

Identity monitoring benefits offered by organizations expire eventually, and it’s unlikely any organization will offer lifelong protection.

What to share: Resources from reputable financial and legal sources if available.
What not to share: Details about past attacks, legal advice, anything outside the scope of your district’s response plan.

 

Get serious about security

With the high stakes in mind, districts can offer a glimpse into their security plans (but only a brief overview—cybercriminals play the long game and will use intelligence any way they can). Some ideas to implement and explain:
  • MFA: Multifactor authentication protects school data by prompting folks for an additional, often temporary, credential. It can thwart attacks that use a stolen password and tip off IT squads to respond quickly. Learn more about MFA and edtech.
  • Task-based limits: If credentials are stolen, role-based limits to what users can see, download, or otherwise access can help curb systemic consequences. Learn more about task-based security in edtech.
  • Recovery plan: Before disaster strikes, plan your response. Learn how the data recovery timeline works.
  • Security squad: When it’s quote-unquote “everyone’s job,” it’s no one’s job. Place cybersecurity ownership with a dedicated team. Learn what cybersecurity teams may look like for K12 schools.
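
To make the role-based limits above (and the permission-based SIS roles described under FERPA) concrete, here is an added example that is not part of the original article and not any vendor's code. It computes which student records each credential can reach, so a district can see how far one stolen login would extend; the role names, roster, accounts, and function names are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample roster (hypothetical IDs, not from any real SIS).
ENROLLMENT = {
    "math-7a": {"s01", "s02", "s03"},
    "sci-7b": {"s03", "s04"},
    "ela-8a": {"s05", "s06"},
}
STUDENT_SCHOOL = {"s01": "north", "s02": "north", "s03": "north",
                  "s04": "north", "s05": "south", "s06": "south"}

@dataclass(frozen=True)
class Account:
    user: str
    role: str                           # hypothetical role names
    sections: frozenset = frozenset()   # sections a teacher is assigned to
    schools: frozenset = frozenset()    # buildings a counselor serves

def visible_students(acct):
    """Return the student IDs this account's role lets it open."""
    if acct.role == "teacher":
        return set().union(*(ENROLLMENT.get(s, set()) for s in acct.sections))
    if acct.role == "counselor":
        return {s for s, b in STUDENT_SCHOOL.items() if b in acct.schools}
    if acct.role == "district_admin":
        return set(STUDENT_SCHOOL)
    return set()                        # unknown role: deny by default

def can_view(acct, student_id):
    """Access check an application would run before showing a record."""
    return student_id in visible_students(acct)

def notification_scope(compromised):
    """Students whose records were reachable through the given accounts."""
    reach = set()
    for acct in compromised:
        reach |= visible_students(acct)
    return sorted(reach)

def exposure_report(accounts):
    """Map each user to the share of all records their credential reaches."""
    total = len(STUDENT_SCHOOL)
    return {a.user: len(visible_students(a)) / total for a in accounts}

TEACHER = Account("t.rivera", "teacher", sections=frozenset({"math-7a", "sci-7b"}))
COUNSELOR = Account("c.okafor", "counselor", schools=frozenset({"south"}))
ADMIN = Account("d.admin", "district_admin")

if __name__ == "__main__":
    for user, share in exposure_report([TEACHER, COUNSELOR, ADMIN]).items():
        print(f"{user}: {share:.0%} of student records reachable")
```

In this constructed roster the district admin credential reaches every record, which is why broad-scope accounts are the first candidates for MFA and the tightest monitoring.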

What to share: Tidbits of the proactive strategies you’re taking to protect children’s educational data.
What not to share: Detailed security strategy, names of your team members, MFA credentials with folks other than the individual user it’s meant for.

In K12, it’s not so much “if” as “when” we will experience a cyber-incident. Proactive preparation pays off.
 

Follow-up resource: Proactive vs. reactive costs

It requires investment to prepare, but how much more do organizations who wait for an attack end up shelling out? Find out now.




 
