School Districts Are Being Held For Ransom Over Data. Are

It’s no secret that the education system is struggling to adapt to the new digital risks that come with its rushed switch to digital forced by the pandemic. But it’s something that lawmakers are only beginning to wake up to.

Just last week, the director of the Cybersecurity & Infrastructure Security Agency, Jen Easterly, listed K-12 as one of three “target rich, resource poor” priority sectors for the agency, which is tasked with toughening the country’s cybersecurity infrastructure.

Looming in the background of Easterly’s comment was an attack by the educational “ransomware gang,” Vice Society, which infiltrated the systems of the LA Unified School District, scooped up some of its student and staff data, and then dumped 500 GB of files on the dark web in early October after the school system refused to pay an unspecified ransom.

But it’s not just schools themselves who are easy targets: Hackers have hit the edtech vendors that schools work with as well, most notably Illuminate Education, where a breach earlier this year exposed the data of millions of students across the country.

Such incidents end up causing great expense and learning loss for already stressed out students, since schools have to shut down critical tech tools as they investigate and shore up systems.

What’s Next?

Lawmakers have been taking note, resulting in a steep increase in data-related bills affecting education since the start of the COVID-19 pandemic. But it’s not yet clear how effective new legislative measures will be in solving these tangled problems, which are connected to the inner workings of our digital infrastructure.

A new annual review by the nonprofit advocacy group Data Quality Campaign dug into the new legislation to see what’s new and if it’s moving in the right direction. They found that this year saw 131 bills related to education data introduced, and 42 of them actually became new laws. Those laws cover the spectrum, from early childhood to workforce issues.

So, how effective are those bills? If you ask the nonprofit, they’d give them a “B.”

“I think generally things are pretty good,” says Taryn Hochleitner, associate director for policy and advocacy at the Data Quality Campaign. “I think the majority of [bills] we see are kind of like they could have a lot of impact or not, depending on how they’re implemented.”

What’s In The Bills?

This year’s throng of bills indicates a desire to know more about K-12 students’ learning environments, including those outside of academics, the Data Quality Campaign says.

That means a lot of bills put a greater emphasis on finding out about school climate, attendance and discipline. For example: New Jersey passed a bill that makes schools report on the number of mental health professionals they have, as well as how many security personnel they employ.

But the bills have also reflected another big trend in education: workforce concerns.

With students questioning the return on their education, legislators are rushing to provide more information about what happens after high school, including a bill in Virginia that publicizes information about median wages for college graduates and the average cost of attendance.

The most encouraging trend? Agencies being required to talk to each other more, and share data.

One of the knottier problems is getting agencies and districts to share information, which some observers say could help to thwart hacking gangs that tend to recycle the same attacks. Though it didn’t pass, Alabama introduced a law, praised by Hochleitner, that would have brought members of the public and students into decisions about how data is collected and used.

The bills also reflect a new emphasis on bringing the community in on decision-making. “We’re pretty encouraged to see that there was pretty clear focus on non-policymaker audiences for data,” Hochleitner says.

Even so, policies alone aren’t enough. More than a third of the bills add additional responsibilities for districts, schools or postsecondary institutions, the DQC report says. But it’s a lot rarer for those bills to give schools more resources to actually implement those policies. “So we just always want legislators to be thinking about providing support for that capacity—because data requires people,” Hochleitner says.

‘Honey pots of highly sensitive information’

But is all this legislation poised to solve the data problems in education right now?

Policymakers are just beginning to open their eyes to the magnitude of school cybersecurity vulnerabilities, says one of the more prominent voices in this space, Doug Levin, national director of K-12 Security Information Exchange, a nonprofit threat intelligence and best-practices sharing community.

There’s often an overly narrow focus on data privacy issues, Hochleitner of Data Quality Campaign suggests. Those bills expand things like requirements for parental consent on data collection. But those sorts of policies can interfere with the ability of schools to provide essential services. So far, though, none of these overly broad “parental consent” bills introduced this year became law.

School districts—and teachers—are the ones actually using the data, says Cody Venzke, senior counsel for the Center for Democracy in Technology’s Equity in Civic Technology Project. And that means that any legislation has to walk a line between protecting student privacy and allowing schools to perform necessary services, he says.

One of the solutions that the DQC argues for is new data collection measures by states. The nonprofit points out that many of the latest legislative measures embrace this approach, with 120 of the bills either specifying new data collections or updates to existing ones.

But researchers like Levin worry that building up such troves of data is part of the problem in the first place. State departments of education are fat targets, which haven’t historically been able to protect data, he argues.

“In an increasingly politicized country, creating these, essentially, honey pots of highly sensitive information about school community members—students, teachers, parents, families, educators—it’s almost guaranteed that it will be exploited at some point for either personal or political gain,” Levin says.

And there’s potential for misuse of the data by officials. Venzke’s organization, CDT, published a report in August suggesting that districts are using data to discipline students more often than to keep them safe. Post-Roe, Senators Elizabeth Warren and Edward Markey, of Massachusetts, suggested that the data collected by at least four student surveillance platforms—Gaggle, Bark Technologies, GoGuardian and Securly—could plausibly be used to punish students searching for information about reproductive care.

To Levin, this is a problem that the educational agencies—especially K-12 schools—need to take hold of, despite the fact that their resources are stretched thin already. “This is not something that somebody else is going to protect them from,” he adds. “There is no internet cop out protecting student data systems that is separate from what the schools are doing.”

But there are lessons from other sectors that can be learned, he says.

Disclosure agreements are a good start, he indicates. On example: California just passed a bill requiring states to report incidents affecting more than 500 students. And ultimately, the data collections at the state and regional level need to adopt a “cybersecurity risk management framework,” which are approaches to handling cybersecurity risk. There are several nationality recognized ones, he adds.