Written by Julie Libby, Class of 2022
Introduction
Privacy regulations have been strengthening worldwide in recent years, but regulations continue to fall short regarding children’s data in K-12 education, specifically in the United States. Under current federal law, children’s privacy receives only face-level protections by not requiring protective measures to defend the mass collection of this class of vulnerable and valuable data. Future student privacy regulations are possible by creating a reliable structure to minimize threats experienced by students nationwide through evaluating leading federal and state laws, perceived inadequacies in recommended minimums, and developing trends at the state level. In the end, Congress bears the responsibility to enact mandatory minimum protections that effectively assume that even if a breach occurs, it was not due to the lack of sufficient protection.
Currently Enacted Federal Protections
The U.S. Department of Education regulates the most known student privacy law, the Federal Educational Rights and Privacy Act (FERPA) enacted in 1974.[1] The law prohibits the “disclosure of personally identifiable data in student records to third parties without parental consent.”[2] Unsurprisingly, over the years, many loopholes and exceptions arise, allowing disclosure where the information is relayed for audit purposes or “studies,” all without parental knowledge or consent.[3] Under this regulation, schools are required to maintain a “reasonable method” of protecting their students’ data.[4] FERPA provides guidelines, but no minimum requirements are explicitly set pursuant to the law.[5] Schools are motivated to adopt certain “reasonable” practices since any breach that exposes students’ personally identifiable data–where they have not instilled these guidelines–would violate the law.[6] Through the Privacy Technical Assistance Center (PTAC),[7] schools have access to resources such as a Data Security Checklist or Data Security and Management Training: Best Practices Guidance.[8] These resources, like the Data Security Checklist, provide vital information for maintaining children’s privacy by instilling a “comprehensive security program.”[9] The Checklist includes parameters like personnel security, physical security, network mapping, layered defense, firewalls, Intrusion Detection/Prevention Systems (IDPS), incident handling, and audits.[10] These guidelines provide necessary protections that are waived down to a “should be considered” standard instead of mandatory.[11]
While FERPA provides regulations for the school’s actions, the Children’s Online Privacy Protection Act (COPPA) looks to third-party involvement within the schools. The enactment of COPPA in 1998 aimed to give parents the ability to consent to whether websites or other online forums were able to collect information from their children under the age of thirteen.[12] The information these sites collect extends to the “children’s name, email, phone number or other persistent unique identifiers, and information about parents, friends and other persons.”[13] Additionally, COPPA, which the Federal Trade Commission regulates, allows schools to consent on behalf of parents when it is for the benefit and use of the school, not for commercial purposes.[14] Of course, entities like the Parent Coalition for Student Privacy emphasize the unlikelihood that schools are continually reviewing these sites’ privacy policies with due diligence.[15]
These laws are merely “face-level” due to each law’s perceived protections enshrouded with exceptions or loopholes, which act mainly for a school’s benefit. While these laws create protections for the active use or dissemination of the child’s data, data security for these mass collections remains minimal for enacting “reasonable” protection efforts. Across the United States, school systems consistently fail, as evidenced by the number of breaches, to ensure their students’ data is adequately protected by neglecting to apply reasonable protections as provided. These continued failures are part of why children’s data is under continuous threat in present-day school systems.
Continuous Threats to K-12 Data Under Present Regulation
Cyber-attacks have been a growing threat to K-12 schools in recent years, even more so since the start of the Coronavirus pandemic in March 2020.[16] Cyber-attacks targeting K-12 schools have increased by fivefold since 2016.[17] In 2020, a record number of disclosed data incidents—408 in total— occurred, with the number of projected cyber-attacks for 2021 expected to exceed that amount.[18] Hackers actively target K-12 schools[19] due to their minimal data security precautions and the often overlooked and unrealized value of children’s information.[20] Children’s data is valuable since it is less likely that parents or even children themselves can notice the data’s use before it is too late.[21] These intrusions are numerous but vital to reflect the dangers of this lapse of law.
In San Antonio, Texas, Judson Independent School District confirmed they spent $547,000 of taxpayer funds in June 2021 on one incident to ensure teachers’ and students’ sensitive and identifiable information remained unpublished to the public.[22] The incident involved a ransomware[23] attack that inhibited the District’s use of their technology and accessed their data. Director of the University of Texas at San Antonio’s Center for Infrastructure Assurance and Security, Gregory White, opined, “the fact that [the hackers] were successful . . . just encourages them to do it again.”[24] Even though this incident did not result in the public exposure of the ransomed data, the Broward School District in Fort Lauderdale, Florida, had 25,971 accounting files, which contained confidential and identifiable data, published as the result of a hack.[25] The school district refused to pay the $40 million, ultimately reduced to $10 million, ransom demanded by the hackers in March 2021.[26] A school representative offered the hackers a $500,000 buyout instead, but the hackers refused this offer.[27] Multiple jurisdictions[28] have felt the effects of these intrusions, but privacy professionals must question whether lawmakers are doing enough to curtail this increasing intrusion.
Independent State Action
Since there is no federal standard, a disparity exists between states that have passed parameters to protect children’s data and those that have not.[29] This disparity results in a lack of equivalent protections between children’s privacy rights from one state to another.[30] Recently, in 2020, there has been a significant shift where twenty-two states enacted regulations concerning student data and privacy.[31] Although a much needed and noteworthy movement, states still suffer from the same flaws noted within the federal regime by implicating a vague standard of “reasonable” safeguards. For example, Maine recently enacted the Student Information Privacy Act (SIPA) to regulate website operators geared to K-12 schools and collectors of students’ personal information.[32] In instilling their own protections, Maine has also required that “operator[s] shall implement and maintain reasonable security procedures and practices” to prevent unauthorized access.[33] Unfortunately, the lack of proscribed requirements leaves minimum protections wanting compared to other states leading in this area.
In contrast, Texas and New York have also recently implemented their own specified security parameters regarding K-12 school districts. First, Texas requires school districts to “designate a security coordinator, adopt a cybersecurity policy, and report any breach of student personally identifiable data to [the] Texas Education Agency.”[34] Cybersecurity policies must be consistent with the Texas Cybersecurity Framework (TCF).[35] The TCF aligns with the National Institute of Standards and Technology’s (NIST) framework and lists five “functional areas” for review: identify, protect, detect, respond, and recover.[36] Using this framework, school districts can identify potential risks or lacking provisions on a zero to five scale.[37] Texas also requires the cybersecurity coordinator to undergo annual training but, unfortunately, does not require a strict baseline for when school district employees receive such training.[38]
Likewise, New York’s Educational Law Section 2-d, also referred to as “EdLaw 2-d” provides third-party contractors and educational institutions with guidance on protecting students’ data and privacy.[39] Like Texas, the provisions of “EdLaw 2-d” require school districts to appoint a Data Protection Officer, develop policies, and adopt the NIST cybersecurity framework.[40] In addition, New York requires the publishing of a “Parent’s Bill of Rights,” which provides that every contractor who obtains children’s personally identifiable information (PII) receives “security training [by] educational agency employees” and requires contractors to present a ‘Data Security and Privacy Plan’ on how they will protect allotted PII for each agreement.[41] The minimum protections included within Texas’ and New York’s law provide a great example of minimum regulatory requirements that Congress can refer to.
Inadequacy of Federal Reform
Congress attempted to respond to the gaps within the federal law by passing the K-12 Cybersecurity Act enacted in late 2021.[42] The law attempts to address serious necessary protections but may not satisfy what the educational system needs.[43] The law requires the Director of the Cybersecurity and Infrastructure Security Agency (CISA) “to study the cybersecurity risks facing [K-12] schools and develop recommendations that include cybersecurity guidelines” to deal with the present threats.[44] However, from the perceived text of the law, schools are not required to adopt those guidelines, making their implementation voluntary.[45] Even with slight progress in this federal legislation, any serious protections have failed to become a fundamental part of these children’s educational institutions by making these guidelines voluntary. Therefore, this regulation, in effect, is no more efficient than the guidelines previously reflected in FERPA.
Proposed Reform
No educational system is perfect, but the United States can enact viable protections for children’s, i.e., their students’, personal data. To institute real reform, Congress must require schools to apply prescribed minimum protections ensured by previous legislation, like FERPA. Congress and educational institutions, alike, must understand the seriousness of the issues at hand and apply these parameters to provide vulnerable student data with adequate safeguards. Any proposed regulation should extend beyond the accepted notion of “reasonable” because, as any legal professional will ask: what is reasonable? The implementation of prescribed minimums are necessary for three reasons: (1) it prevents K-12 systems from circumventing adequate protection under the guise that their policies are “reasonable”; (2) it reduces the disparity between student protections in different states; and (3) it directly addresses the threats K-12 institutions face from hackers.
States like Texas and New York have demonstrated the ability to propose minimum requirements to ensure student data protection, and Congress should follow their lead. The implementation of protections by Congress does not require technologically detailed guidelines but rather a non-static privacy program. This program would need to require the addition of a privacy officer who would oversee the program and develop a district policy.[46] The policy would need to address, at minimum, training, access management, monitoring, audits, penetration testing, encryption, and reporting requirements.[47] These requirements nationwide should minimize any disparity students feel in states where there are no data protection regulations or states that rely on a “reasonable” standard. Congress should dismiss any belief that “reasonable” measures are needed based on the constant evolution of technology or the desirability for districts to have flexibility in this area. Desired flexibility in this area does not omit the need for minimum parameters, and Congress can promote flexibility by adjusting the level of protection required depending on a specific entity’s size or collection level. The implementation of these types of minimums are necessary for Congress to establish, only then will a child’s virtual identity finally retain viable protection from K-12 school systems.
Conclusion
Students in K-12 institutions continuously face the threat of their data becoming compromised, and the federal government should address this threat by mandating the presently optional guidelines. Students should not be left vulnerable based on the school’s individual decision not to protect their information adequately. Instead, Congress should ensure student data protection by requiring minimum protections required for each applicable educational entity and enforceable by the federal government.
**I would like to acknowledge and give my warmest thanks to Professor Scott Bloomberg for his guidance and advice on this work.
[1] Federal Laws Enabling Parents to Protect Their Children’s Privacy: FERPA, PPRA and COPPA, Parent Coalition for Student Privacy, https://studentprivacymatters.org/ferpa_ppra_coppa/.
[2] Id.
[3] Id.
[4] Katie Fritchen, Are Data Loss Prevention Regulations Part of FERPA?, Security Boulevard (Jan. 7, 2021), https://securityboulevard.com/2021/01/are-data-loss-prevention-regulations-part-of-ferpa/.
[5] Id.
[6] Id.
[7] The PTAC is a subsidiary of the U.S. Department of Education’s Student Privacy Policy Office that works as a resource for “education stakeholders” in regard to their “data privacy, confidentiality, and security practices.” About Us, U.S. Department of Education, https://studentprivacy.ed.gov/about-us.
[8] Data Security: K-12 and Higher Education, U.S. Department of Education, https://studentprivacy.ed.gov/Security.
[9] Data Security Checklist, Privacy Technical Assistance Center (revised Jul. 2015), https://studentprivacy.ed.gov/sites/default/files/resource_document/file/Data%20Security%20Checklist_0.pdf.
[10] Id.
[11] Id.
[12] Parent Coalition for Student Privacy supra, note 1.
[13] Id.
[14] Id.
[15] Id.
[16] The shift from in-school to virtual learning only worsened privacy conditions since many schools resorted to using un-vetted technology to ease the transition. Joseph Duball, Shift to Online Learning Ignites Student Privacy Concerns, International Association of Privacy Professionals (Apr. 28, 2020), https://iapp.org/news/a/shift-to-online-learning-ignites-student-privacy-concerns/.
[17] Nic Querolo & Shruti Singh, Schools Brace for More Cyberattacks After Record in 2020, Bloomberg Citylab (Aug. 9, 2021), https://www.bloomberg.com/news/features/2021-08-09/schools-brace-for-more-cyberattacks-after- record-2020.
[18] Id.
[19] It is important to note that schools not only contain data relating to children but also data relating to their parents, teachers, vendors, etc., containing an absurd amount of minimally protected and ignored information.
[20] Joseph Marks, The Cybersecurity 202: Schools are Another Prime Ransomware Target, The Washington Post (Jul. 12, 2021), https://www.washingtonpost.com/politics/2021/07/12/cybersecurity-202-schools-are-another-prime- ransomware-target/.
[21] Id.
[22] Jessie Degollado, Judson ISD Confirms $547,000 Ransomware Payment in Taxpayer Funds, KSAT (Aug. 4, 2021), https://www.ksat.com/news/local/2021/08/05/judson-isd-confirms-547000-ransomware-payment-in-taxpayer- funds/.
[23] “Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker.” What is Ransomware? proofpoint, https://www.proofpoint.com/us/threat-reference/ransomware.
[24] Degollado, supra note 22.
[25] Scott Travis, Hackers Post 26,000 Broward School Files Online After District Doesn’t Pay Ransom, EducationWeek (Apr. 20, 2021), https://www.edweek.org/technology/hackers-post-26-000-broward-school-
files-online-after-district-doesnt-pay-ransom/2021/04.
[26] Id.
[27] Id.
[28] As of January 21, 2022, there have been 1180 disclosed reports of cyber incidents since 2016. The K-12 Cyber Incident Map, The K-12 Cybersecurity Resource Center, https://k12cybersecure.com/map/.
[29] Charlie Sander, Student Data Security and Privacy Must Be Taken More Seriously, The Journal (Jan. 24, 2022), https://thejournal.com/ articles/2022/01/24/student-data-security-and-privacy-must-be-taken-more-seriously.aspx.
[30] Id.
[31] Id.
[32] Scott Bloomberg, The Development and the Future of Privacy Law in Maine, 73 Me. L. Rev. 215, 237 (2021).
[33] M.R.S.A. tit. 20-A, § 953(2)(A).
[34]CoSN High Level Summary of New Texas Cybersecurity Laws Adopted in 2021, Texas Education Technology Leaders, https://www.tetl.org/cpages/cybersecurity.
[35] Lucas Anderson, 4 Cybersecurity Regulations You Need to Know About, InsideRM (Oct. 25, 2021), https://www.
tasbrmf.org/learning-news/insiderm/home/coverage/privacy-information-security/4-cybersecurity-regulations-you-need-to-know-about
[36] Texas Cybersecurity Framework, Texas Department of Information Resources, https://dir.texas.gov/information- security/security-policy-and-planning/texas-cybersecurity-framework.
[37] Id.
[38] Anderson, supra note 34.
[39] Editorial Team, Strengthening Student Data Privacy with New York EdLaw 2-d, Virtu (Sept. 18, 2020), https://www.virtru.com /blog/new-york-state-educational-law-edlaw-2-d/.
[40] Id.
[41] Id.
[42] K-12 Cybersecurity Act of 2021, Pub. L. No.: 117-47.
[43] Id.
[44] Id.
[45] David Nagel, K-12 Cybersecurity Act Signed into Law, The Journal (Oct. 8, 2021), https://thejournal.com/articles/ 2021/10/08/k12-cybersecurity-act-signed-into-law.aspx.
[46] See NY EDUC § 2-d.
[47] Id. See also 23 CRR-NY 500.0-500.23 (A New York code that provides “cybersecurity requirements for financial services companies.” Provides an example of broad yet proscribed requirements Congress may refer to.)