Three data security risks are converging, creating the perfect security storm in today’s education sector—more student data, more breaches, and more federal and state regulations. While the security storm presents significant challenges, there is a solution that can help make data more secure and schools more compliant—data encryption.
One of the leading federal compliance regulations governing data privacy in schools is the Family Educational Rights and Privacy Act (FERPA). Signed into law in 1974, FERPA set some ground rules for educational institutions that receive federal funding, and gave parents the right to review, challenge, and consent to the disclosure of their children’s educational records.
Records protected by FERPA include grades, standardized test scores, health information and behavioral reports. After students turn 18 or transfer to an institution of higher education, those rights transfer to the student.
Essentially, FERPA prohibits K-12 educational institutions from disclosing personally identifiable information (PII) in education records without written parental consent. For students over the age of 18, or in higher education, they have more control over their educational records.
However, the world has changed a lot since 1974—due in large part to the proliferation of technology in the classroom—and additional protections are necessary to keep three leading student data privacy risks at bay, and stay compliant with FERPA.
FERPA Risk 1: Expansion of Student Data
Schools have always collected a wide range of data—including enrollment information, performance stats, test results, learning disabilities, special needs, health records, and disciplinary actions. With the advent of digital learning and devices in the classroom, new forms of data are now being created—and lots of it. It’s all adding up and putting schools, as the custodians of student data, in a precarious position.
Increased data creation and use has the potential to transform education for the better, and in many instances already is, but it can also put sensitive student information at risk of landing in the wrong hands through the misuse of technology, poor data security policies, and insufficient privacy controls. This puts schools at risk for breaches, public relations debacles, and non-compliance penalties.
Gaps in FERPA itself add to the challenges. For example, the regulation allows schools to share students’ education records under certain circumstances. Most educational technology companies, such as gradebook systems and classroom learning programs, receive student information under the “school officials” exception. It says that a school may share education records with third-party service providers if there is a “legitimate educational interest” in disclosing the information, the third party is performing a service the school would otherwise perform itself, or the third party is under the school’s “direct control.” But it’s not always clear what data third parties receive and what they do with it.
Another FERPA exception permits the disclosure of “directory information” as long as parents can opt out. Examples of directory information include name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports, and dates of attendance. Once released, directory information may be used for any purpose.
FERPA Risk 2: Increase in Data Breaches
Data attacks within the education sector are on the rise. According to the annual 2018 Breach Level Index Report, the number of personal records exposed due to security breaches in the education industry ballooned from 4.5 million in 2016 to nearly 33.5 million records in 2017. In the first six months of 2018, the education sector experienced 86 breaches that impacted over 12 million records. Significant data breach incidents include:
- In December 2018, a San Diego School District announced that it had been hacked and that the data of more than 500,000 students and staff had been exposed. Over 50 email accounts of district employees were compromised in the attack, resulting in the exposure of a wide range of personal data—from health information to social security numbers.
- In 2017, a hacker stole 77 million user accounts from Edmodo, a social learning platform used widely in K-12 schools around the world. The breached information included usernames, email addresses, and passwords. The data was reported to be up for sale on “the dark web.”
- In April of 2017, a security researcher found that Schoolzilla, which offers data warehousing services and tools to school districts, had been backing up students’ PII to a publicly accessible location on Amazon S3. Data of over 1.3 million students and staff members were exposed.
- In 2013, the Social Security numbers of over 300,000 University of Maryland students and alumni were breached. This breach resulted in not only a huge FERPA penalty, but also a bill for $2.8 million for credit-monitoring services to those affected.
FERPA Risk 3: More Federal and State Regulations
Each year, state and/or federal legislative bodies continue to introduce more regulations surrounding student data. If schools don’t comply, federal funding is at risk. Non-compliance will also result in a hefty fine, with an average cost of $245 per breached record. FERPA isn’t the only federal law governing schools though. Schools must also secure student data under three other federal regulations:
Protection of Pupil Rights Amendment (PPRA)
The law applies to student surveys, instructional materials, and evaluations funded by the federal government that deal with highly sensitive issues. Parents have the right of written consent before their children are required to participate.
Children’s Online Privacy Protection Act (COPPA)
The primary goal of COPPA is to allow parents to control what information is collected online about children under 13. The law applies to websites, online services, and programs and apps that collect, use, or disclose children’s personally identifiable information (PII) at home or school.
Health Insurance Portability and Accountability Act (HIPAA)
The main goal of HIPAA’s Privacy Rule is to ensure that individuals’ health information is protected while allowing the flow of health information needed to provide high-quality healthcare. This includes healthcare data flowing from schools to healthcare entities and back.
Along with these federal laws, most states also have their own data security and privacy laws that schools must follow. As of April 2019, 40 U.S. states had passed 116 laws, with more state regulations predicted to come online in the near future. Effective policies and regulations at both the state and federal levels can help ensure that student data is used for its intended purpose—to support student learning.
How to Protect Your School with Data Encryption
In the face of rapidly expanding stores of student data, a rise of data breach threats, and the growing amount of data privacy legislation, today’s schools need a strong and dependable system to ensure the privacy and security of their students’ data, and their school’s compliance with every regulation. Data encryption can meet these demands.
Data encryption ensures that data is protected:
- From the moment it’s created, throughout its entire lifespan
- No matter where it goes and with whom it’s shared—only authorized recipients have access to read the messages
- Even if data gets into the wrong hands through user error or breach
Data encryption from a trusted source gives schools an added layer of data protection on top of the systems they already use—such as Google Workspace for Education or Microsoft Outlook—ensuring ease-of-use, familiar workflows, and high user adoption.
5 Ways Virtru Encryption Strengthens FERPA Compliance
Encryption strengthens data security and privacy in five critical ways:
1. Key Transmission
The right key management framework enables key sharing that is both secure and easy.
2. Authentication
Only verified recipients are able to unlock encrypted data, because only they receive the decryption keys.
3. Authorization
Verifies the actions that people can take on encrypted data once they’ve been authenticated.
4. Policy Management
Allows an organization to add and adjust security control capabilities for all data.
5. Key Storage
Schools retain control of their encryption keys rather than putting them into the hands of third parties.
It’s more important than ever that educators and institutions know the law, follow best practices and invest in security measures to protect students. Data encryption, while not a bulletproof measure on its own, is a critical component of a comprehensive information security policy to maintain student privacy—not to mention federal funding.
For more information on how K-12 schools are keeping their students’ data secure with an easy-to-use layer of encryption protection on top of their G Suite application, request a demo and talk to a Virtru data security expert today.
