K-12 Data Protection: 10 Practical Tips from School IT Leaders

In the aftermath of a staggering 1,619 cyberattacks targeting schools between 2016 and 2022, a sobering revelation emerged: 80% of School IT professionals faced a ransomware attack just last year. This not only jeopardizes the learning experience but strains districts financially. With the digital landscape in education expanding rapidly, the call to shield our students' and faculty's data has never been louder.

In light of recent events, Brett McCrae sat down with Sunshine Miller, Director of Technology and Professional Development at Newfield Central School District (New York), Matthew Faul, Application Development Manager at Oakland County (Michigan), and Troy Lunt, IT Director at Iron County School District (Utah) to learn how School IT professionals can better safeguard their student, faculty, and staff data.

Here are 10 key learnings from their conversation about safeguarding student data in K-12 environments:

1. Stay Ahead of App Updates: It’s important to stay ahead of software updates. In the coming weeks, Google is enhancing app access controls to better protect student data privacy. Users designated as under 18 won't be able to access third-party apps that haven't been reviewed by admins in Google Workspace for Education on October 23, 2023. Admins are required to vet and establish privacy contracts for continued app use by the deadline.
   
   
2. Advance a Culture of Data Privacy: Human error is often the weakest link in the privacy chain. Privacy awareness and protection must be weaved into the fabric of organizational cultures. Safeguarding student data is a communal effort made easier when staff at every level understand its importance and have clear roles in its effort. The right to privacy is a human right, but data leaking can easily occur without protection. Data privacy laws are created to keep data safe. “They are not nefarious, but are tools and resources to help safeguard and manage data,” as Sunshine Miller states. These rules are meant to protect us and keep us safe, not confine us. Increasing awareness and advancing culture prevents incidents like the accidental publication of confidential student information online and the clicking on links in phishing attacks.
   
   
3. Keep Up with Legislative News: Make sure you understand what's coming in terms of legislation, at both the federal and state level. FERPA (Family Educational Rights and Privacy Act) **governs the laws and regulations of educational privacy on a federal level. Although federal requirements can be hefty, state regulations are often more nuanced and arduous. Once you become familiar with all the regulations that you are required to follow, developing a clear strategy becomes easier.
   
   
4. Stay Ahead of Audits by Conducting Your Own: Use internal audits to stay ahead of regulatory government audits. Conduct internal audits to prepare for government audits and ensure a secure environment. Conducting internal audits will also prepare you for app updates and minimize disruption to software use. Tracking is key for both state governance as well as incident management and reporting, which are crucial to insurance carriers.“Recently, insurance carriers have been requesting more details around incidents, like how they are documented, their severity, the number of stakeholders affected, what did remediation look like, and the outcome in general,” says Matthew Fall. They use audits to keep up with the demands of insurance carriers too.
   
   
5. Beware of Free Apps:  Free apps can be appealing to use as a resource in the classroom. However, there is often a secret price to pay –your data. As Sunshine Miller states, “If you're not paying for the product, you are the product.” Free apps often have links to a network of sites that all collect data on users. One free site can lead to a mass of sites collecting student data and loss of control. Preventative measures are key because regaining control after loss is often more arduous than maintaining control before loss.
   
   
6. BYOD (Bring Your Own Device): If you plan to follow a BYOD scheme, security measures must still be prioritized. Data becomes at risk once a device is connected to a public or an organizational network. “Connection comes with a price, and that’s your privacy,” as Sunshine Miller puts it.
   
   
7. Tap into Grants: Troy Lunt says that E-Rate is a great way to build networks, firewalls, and purchase security products. They return a percentage of the money that you spend. Your rate of return is based on your free and reduced free lunch rate. Sunshine Miller says that “without funding, you’re going to have to roll up your sleeves.” When she started working in the Newfield Central School District, the poorest district in the county, it was like the 1950s.
   
   There was no internet or infrastructure, but hardwork and 1.5 million in grants have yielded her district the success they enjoy today. She and her team were able to secure 350 hotspots, amongst other feats. She counts the ECF Grant as life saving, and says that E-rate was a lot more difficult to get. Some grants are easy to write, others require specialized grant writers, so having a team of grant writers is also crucial.
   
   
8. Build a Community with Privacy Peers: Rely on your peers. The truth is a lot of the grant money doesn't trickle down. A lot of it goes to schools who have money to hire grant writers. Schools without capacity get left behind. We all must come together to support each other and determine the best strategy to get ahead.
   
   
9. Expect the Unexpected: You can never plan enough. You can never plan for the unexpected. It’s important to complete your due diligence plus more. Always fix lingering issues and take preventive measures. When Troy Lunt and his colleagues returned from summer vacation during the second week of August, they thought everything was great! Unfortunately, the year became everything but that.
   
   In Troy’s words, “Everything that could possibly go wrong probably did. It was one of those things where we had to learn to expect the unexpected.“ Matthew Fall’s team experienced a similar situation during the same enrollment period. A monsoonal rain flooded Southern Utah. Iron County and surrounding districts experienced severe outages. “The outage was completely out of our control,” says Matthew Fall. Both had to adapt to changing circumstances.
   
   
10. Partner with Vendors: Leveraging the expertise of security vendors can significantly bolster your defense against cyber threats. These specialized providers offer a layered security approach, drawing on a depth of knowledge and tools often beyond the scope of individual school systems. 

Safeguarding student data is of the utmost importance because data leakage cannot be retracted. “Once it's out there, it's out there.” Although sometimes viewed as diametrically opposed, Data privacy and technology usage are married to each other. The safe use of technology requires encryption and security. That is why at Virtru we bridge the gap between ease of use and encryption, allowing you full range in your tech stacks and workflows. Feel free to book a demo with a member of our team.

And remember, ‘Technology is great, but it must be used for good to protect our kids, faculty, staff, and ourselves,” Sunshine Miller. This post is a recap from our webinar, “Back To School Preparing For A Year For Safeguarding Student Data,” you can watch the full video here.