Data Security and Privacy Takes on Renewed Importance During Distance Learning

In light of the shift to distance learning due to the COVID-19 emergency, the security of student data has become a more pressing concern for school districts and BOCES. This article provides an update on recent cyber threats and a reminder of school district and BOCES’ responsibilities under Education Law Section 2-d.

Unfortunately, COVID-19 has not slowed the rise in cyber threats for school districts. Schools are already viewed as “soft” targets for would-be hackers, as schools generally maintain a vast amount of private data, and often have less sophisticated data protection systems as compared to businesses or larger government agencies. The shift to online learning and teaching staff working from home has only increased these vulnerabilities.

For example, students and staff may be connecting remotely on an unsecured wi-fi network, allowing hackers to more easily gain access to a school’s computer systems. The interruption of videoconferences by outsiders, or “Zoom-bombing,” has occurred in virtual classrooms and Board of Education meetings. Phishing scams also remain a concern, with fake websites promising COVID-19 cures or updates on stimulus checks in order to steal private information. In addition, teachers may be using new, unvetted software and apps to communicate with students and provide lessons and learning materials. Unbeknownst to users, these apps may be collecting and selling private data in violation of Education Law 2-d.

Keeping these risks in mind, we recommend that school districts and BOCES remain vigilant about cybersecurity, and continue working towards total compliance with Education Law Section 2-d. While this is a daunting task, we recommend breaking compliance into a step-by-step approach.

First, by July 1, the Board of Education every school district and BOCES must adopt a data security and privacy policy implementing the requirements of Part 121 of the Commissioner’s Regulations. This is also a good time to review your Parents Bill of Rights to ensure that it is up to date. Next, districts and BOCES should continue to develop a list of all vendors subject to the requirements of Education Law Section 2-d. This includes not only taking inventory of all software and apps used by students and staff, but also considering other vendors who may have access to student and/or teacher/principal data, such as school resource officers or afterschool programs.

Finally, school districts and BOCES should also keep in mind the employee training requirements under Section 121.7 of the Commissioner’s Regulations. This section mandates that any employee with access to personally identifiable information receive annual training on data privacy and security awareness. This training must include information on all state and federal laws that protect personally identifiable information, and how employees can comply with such laws.

Please feel free to contact us with any questions you my have regarding the foregoing.