THE Journal Spotlight

IT Experts Call For Transparency and Accountability

The nation’s public K–12 schools need help to address widespread cybersecurity vulnerabilities and a crippling shortage of resources for those needs, and state and federal legislators have begun to propose ways to meet those needs.

But there’s another element to K–12 cybersecurity that, so far, education leaders and lawmakers have been hesitant to bring into the spotlight: The potential dangers to staff and students when a cyber incident occurs and data is stolen or potentially stolen.


In several recent reports from national cybersecurity nonprofits and the private sector, IT professionals are calling for greater transparency and accountability from school districts in their cybersecurity efforts — including mandated public disclosure when student or staff data has been breached.

Transparency is Currently the Exception

In its annual State of K–12 Cybersecurity Year in Review report released in March, the K–12 Security Information Exchange (K12SIX), a national nonprofit dedicated to public schools’ cybersecurity, said that ransomware — where a school’s student and/or staff data is stolen and a ransom is demanded — has become the most common type of publicly disclosed cyber incident at U.S. schools, but that many districts hit by cyber incidents share little or no information with the community stakeholders affected by them.

K–12 schools are not required to publicly disclose cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, the report said. Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, K12SIX’s report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.

Public K–12 schools, however, are not overseen by any regulations requiring disclosure of cyber incidents or data breaches. Higher education institutions are required to report data breaches of any size, under a 2018 U.S. Department of Education rule affecting any college or university that accepts federal student aid funds.

The report illustrates the lack of transparency that’s become increasingly common in the public education system, particularly when it comes to cyberattacks and exposure of student data. Last year alone, dozens of school districts declined to inform parents of cyber incidents and, in some cases, took “extraordinary measures” to conceal the reach and impact of data breaches and other incidents, the report noted.

“There’s no question schools should be disclosing these incidents to their communities,” K12SIX National Director Doug Levin said. “Maybe they think they can avoid backlash from the community if they don’t disclose a cyber incident. But these schools are spending the community’s tax dollars. School board members and those with oversight of the school budget need all the information to do their jobs appropriately, and the community needs to know whether the district’s resources are being spent on the right things.”

Every public school impacted by a cyber incident should be disclosing basic information such as the fact an incident occurred; who was affected in a potential data breach; the amount of money recovery will cost the district; and recommended steps those affected should take to protect themselves, he said.

Levin, as national director at K12SIX, is tasked with tracking all publicly disclosed cyberattacks at K–12 schools in the United States. He helps school district IT leaders across the country to improve their protections, and he advocates for more resources and stronger security standards alongside cybersecurity officials at the state and national level as well as with tech companies whose IT and security products are used in public school districts. “Cyber incidents at K–12 schools are being kept secret all the time,” Levin said, including incidents where student and staff data has been compromised.

“In our State of K–12 Cybersecurity report, we featured some investigative journalism where cyber attacks were not disclosed until the journalists began looking into them or published documentation of them; they wouldn’t disclose it at all unless they were called on it,” he said. “Then there’s another set of schools that didn’t even know they had a cyber incident or data breach: There are plenty of examples of security researchers finding student data on the dark web and when they reached out to the district, the district apparently had no idea that it had happened.”

K–12 Data Breaches Are Already Impacting Millions

The theft of student and staff data from schools — information such as birthdate, Social Security number, and home address — is a widespread problem that has been growing for years.

In fact, through last September, more than 3.8 million records have been reported stolen from U.S. K–12 schools since consumer tech advocacy website Comparitech.com began tracking the public disclosure of data breaches in 2005. According to Comparitech, primary, secondary and post-secondary schools in the U.S. have disclosed 1,851 data breaches since 2005, with the total number of student and staff records stolen topping 28.5 million.

An analysis by NBC News of K–12 school data published on the dark web solely during 2021 found that the leaked school data includes all kinds of private information: “Some of the data is personal, like medical conditions or family financial statuses,” the report said. “Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.”

Levin said the damages from identity theft are far greater for a minor than for an adult.

“You’d think that getting the identity information of an established adult is worth more to a criminal, but it’s not; minors’ identity information can be abused and their credit record can be hijacked and used for five to 10 years before anyone figures out their identity has been compromised,” he said. “An adult will figure it out usually within a month or two, certainly by the end of the year or at tax time.”

The risk to those whose personal data is stolen is not hypothetical, Levin noted. “We’ve seen false tax returns filed on behalf of educators where their identity was stolen through a data breach at their school, and we’ve seen credit fraud and identity theft perpetrated against not only school employees but also students — in some cases as young as elementary students — resulting from school cyber incidents.”

For those reasons, it is imperative that K–12 schools disclose cyber incidents to their communities, Levin said. Parents have little recourse when their child’s identity information is breached, but they can set up credit monitoring to ensure their child’s financial future isn’t ruined before they turn 18.

Even if there is no data breach, public schools should disclose any cyber incident, because it is very likely to interrupt school operations and it almost certainly will impact the district budget for IT spending, he noted.

More Attention from Lawmakers, But Actual Help Hasn’t Materialized

To be sure, cybersecurity has been getting a lot more attention at state capitols around the country in recent years.

According to the Consortium on School Networking, in 2021, 30 states enacted 51 new laws addressing cybersecurity in one way or another. There were at least 120 others proposed by legislators in 40 states directly or indirectly addressing cybersecurity in schools that did not pass, CoSN said.

None of those new laws explicitly requires districts to disclose cyberattacks to their stakeholders or to the students or staff whose private information may have been compromised; in some states, such as Texas and Georgia, the records of school cyber incidents are considered exempt from Freedom of Information laws.

Rules governing whether public schools need to disclose cyber incidents and data breaches remain murky at the federal level, as well.

The government spending bill signed by President Joe Biden recently includes a new requirement for “critical infrastructure operators” to report a cyber incident or a ransomware payment, and it’ll be up to the Cybersecurity and Infrastructure Security Agency (CISA) to decide — as it irons out the details and writes new regulations over the next two years — who will collect those reports for each type of organization.

Even that may not impact K–12 schools, though, Levin said, because they are not explicitly designated as “critical infrastructure” by Congress.

There have been other recent efforts in Congress to not only help K–12 schools address cyber vulnerabilities but also require them to disclose cyberattacks and share information to help each other avoid further costly breaches. None of those bills have made it out of committee.

The K–12 Cybersecurity Act of 2021 is also likely to fall short, Levin predicted. “They didn’t give CISA any money to do any actual work; the law charges CISA with writing a report and making recommendations, but CISA can’t propose any new regulations. They will issue guidance — probably guidance that already exists — and repackage it for schools.”

There is plenty of advice for school districts on how to protect their environments, Levin noted. “Advice, or a lack of guidance, is not what is holding schools back,” he said. “It’s a lack of resources and a lack of oversight. Schools are mostly viewed as the place where you train cybersecurity workers of the future. What we are trying to convey is schools are under assault right now from cybercriminals, and schools need support right now.”

7 Questions for School Board Members

A K–12 school board is, by law, responsible for managing risks and overseeing operations of the district, said K–12 Security Information Exchange National Director Doug Levin.

And while school board members don’t need to be technical experts, they do need to understand the cybersecurity landscape and thoroughly understand what their district’s plans are for managing cyber vulnerabilities, he said.

The following questions from Harvard Business Review’s “7 Pressing Cybersecurity Questions Boards Need to Ask” are not only great questions for K–12 board members to ask their technology leaders, Levin said; board members should also be able to answer these questions themselves in order to fulfill their duties to the district and the taxpayers:

  • What are our most important assets and how are we protecting them?
  • What are the layers of protection we have put in place?
  • How do we know if we’ve been breached? How do we detect a breach?
  • What are our response plans in the event of an incident?
  • What is the board’s role in the event of an incident?
  • What are our business recovery plans in the event of a cyber incident?
  • Is our cybersecurity investment enough?

This article originally appeared in the Spring 2022 issue of Spaces4Learning.