These days the common advice regarding preparing for a cyber security incident is not if but when.
With almost all data stored digitally and online - combined with a growing number of malicious threat actors - most organisations are one mistakenly-replied-to phishing email or a brute force password compromise away from having all of their stored data exposed.
When a cyber incident occurs, all companies or organisations are required by law to notify individuals whose private information (Personal Identifiable Information or PII) has been exposed by the incident. Educational institutions that fall victim to cyber incidents have the usual privacy considerations that any company or organisation has, such as HR records containing employees SSNs or direct deposit information. But because of both specific privacy regulations pertaining to schools and the nature of schools’ operations, they have special considerations and concerns regarding data privacy.
Consideration 1: Education records
The U.S. Congress passed the Family Educational Rights and Privacy Act (FERPA) in 1974 to regulate how schools and other educational institutions keep, share and disclose students’ education records. The law only applies to schools that receive federal funding; however, there are very few schools that do not receive some type of federal monies, which includes the National School Lunch Program.
FERPA protects disclosure of not just typical education records such as grades, disciplinary records, health records, transcripts and the like, but also protects “directory information” which includes a student’s address or other contact information, records of participation in school activities and even simply a student’s name because it discloses that an individual attended a school at some point.
FERPA was enacted fifty years ago, at a time when cyber incidents or even digital information was inconceivable. Thus, the law and its regulations as written are not clear on whether or which types of information protected by FERPA require individuals to be notified in the event of a cyber incident. A school’s privacy counsel will advise on what qualifies as notifiable educational information, but it should be a grave consideration that a school, by its very purpose, creates privacy concerns.
Schools can proactively protect educational records from a cyber incident by (1) anonymizing educational records where possible; (2) not sending education records over unsecured email; and (3) creating and storing education records in a secure database.
- Anonymizing records
Personal Identifiable Information usually requires a personal information data point as well as some type of identifier linking the individual to that record. An individual’s grade point average is not PII if the individual is not named or identified. The most common identifier is an individual’s name, but dates of birth or social security numbers can also identify an individual. When possible, education records should be anonymized by only associating the data with a student ID number or other identifying number that is not an SSN, state ID number or other government-issued ID number (which is also PII).
Anonymization can be a pain for educators who assign grades because they are familiar with the students and most likely need to associate an individual’s name in order to gauge their performance; however, any administrators between the educator and the person or program that creates or stores the grade reports do not need the students’ names. Before sending education records, the name (or SSN, DOB, etc.) should be replaced by the student ID number to protect the protected educational information.
- Unsecured email
Email accounts are far more commonly and easily compromised than data servers or other internal data storage systems. Not only should any education records be anonymized before sending them over email, but email should be avoided entirely for sending any protected educational information. Rather, the information should be created on a secure internal database and transferred or stored on a secure internal server.
- Secure database
Education records should be created, maintained and stored in a secure database. Having a secure database gives another layer of security to prevent cyber incidents and it has the additional benefits of keeping the records organized for compliance with FERPA and other record-keeping regulations. It also makes it easier to maintain and locate the records. In our experiences of reviewing school documents for PII, most schools have such a record-keeping database, but before the data goes into it the data is often created and saved locally in an Excel document and emailed, or written out, scanned and emailed. The best practice is to remove any intermediate documents and have the data both created and stored on the database. Data should be created, sent or saved from or in any other location.
Consideration 2: Health information
Most healthcare providers have to comply with another federal law, HIPAA (Health Insurance Portability and Accountability Act). However, even though schools do provide some sort of healthcare such as care for in-school injuries and illnesses, assistance and supervision with student medications, and counseling, a HIPAA exception for schools and educational institutions states FERPA health privacy applies to schools and they are not required to comply with the more stringent and specific HIPAA health privacy regulations.
Still, most student health information qualifies as protected FERPA data, and schools are also required to keep precise records of student-related health information. For instance, any student injury—such as during gym class or recess—is documented and maintained by the school. Depending on how a school keeps these records, student injuries or other health incidents can be found in many email records. From our experience reviewing PII for schools, we have found many incidents of injury reports or other student medical situations being reported over email or on a handwritten form that is then scanned and emailed or stored locally.
Similar to education records, schools can better protect protected health information by anonymizing the data on the injury or medical forms by only entering the student ID number and by never emailing these records. Any student health record (including allergy and vaccine records) should be created and stored on a secure database or server and never emailed.
Consideration 3: Minor information
Protecting the privacy of children is of special concern. The federal government enacted COPPA (Children’s Online Privacy Protection Act) in 1998 and many states have created elevated levels of protection and notification if the affected individual is a minor. For instance, an adult individual’s date of birth is only considered PII in two states, but for an individual under age eighteen the date of birth is considered PII in more states. For K-12 schools, almost all students are under eighteen. Schools should work with their privacy counsel to ensure compliance with any special data protection regulations for minors as well as anonymize their data, avoid transferring any private information over email and only create and store records in a secure database.
Beyond that, however, schools should also avoid receiving or creating information that is not necessary for the school to operate or for record-keeping compliance. Educators and administrators should avoid recording or making copies of a student’s PII such as social security numbers, passport numbers, dates of birth, health insurance information, payment or financial information unless absolutely necessary. Furthermore, if it is deemed necessary, it should be stored in limited spaces and on the secure database.
Execution
From the perspective of a team that spends all its time reviewing affected companies and organisations’ records for PII, it is easy for us to Monday morning quarterback and tell people what they should have done. We do recognize creating and following through with these policies is a lot more difficult in practice than in theory.
School faculty and staff are educated and skilled in a wide variety of areas, but not all of them are skilled or even familiar with digital software beyond Microsoft Word. In our reviews we commonly find class grade report tables filled out by hand, and I believe that is both understandable and acceptable. However, to both prevent exposed privacy and to comply with privacy regulations, all school faculty and staff should be trained on the reasons and rules of privacy laws and regulations as they relate to schools. They should be trained in how to create and store information on a secure database, and why that is important. If they have difficulty using the database, the school should either find a more user-friendly database or have a school administrator assist with creating the records on the database or transcribing the handwritten records into the database—whatever works as long as no one scans and saves the data locally and never ever emails it!
