Teachers, education and technology companies, students, and parents were tossed into a digital storm when COVID-19 hit two years ago. They had to quickly shift to remote learning on a grand scale, which amplified weaknesses in student data privacy protections that were already a problem before the pandemic.
By many accounts, as most U.S. students have been back in the classroom this academic year, school systems and tech and education companies have applied the lessons learned and bolstered student data privacy.
“Schools and districts needed to pivot really hard and really quickly when the pandemic first hit,” said Linette Attai, the president of PlayWell LLC, a data privacy consulting firm. “There are two things we really learned over the last two years. One is that schools can be more agile than we ever imagined. They really rose to the occasion. The other is that technology changes constantly, but the norms and rules for protecting student data remain firm.”
But vulnerabilities clearly remain. In late March of this year, it came to light that the personal data of 820,000 current and former students in the New York City school system were compromised because of a security breach at Illuminate Education, an Irvine, Calif.-based student data vendor.
“There are so many issues” with the protection of student data generally, said Leonie Haimson, the co-chair of the Parent Coalition for Student Privacy. “The pandemic has given a lot of companies access to student data that has not been sufficiently protected.”
A massive breach of student data in the Big Apple shows more work needs to be done
In the New York City breach, a hacker gained access to student names, birthdates, and data on such characteristics as special education, English-language learner, and free or reduced-price meal status on platforms operated by Illuminate Education, according to news reports. The vendor did not collect students’ Social Security numbers or family income information, the reports noted.
Officials with the New York City Department of Education told local news outlets that Illuminate Education had failed to encrypt data on its classroom management, scheduling, and pupil data platforms as required by the contract between the company and the school system.
The platforms were out of service for a week in January. Teachers had to record grades the old-fashioned way and it was harder to track students who might have been exposed to COVID-19, the New York Post reported.
Illuminate Education, in response to an email query, acknowledged that some personal information in the New York City system was subject to “unauthorized access.”
“There is no evidence of any fraudulent or illegal activity related to this incident,” the company said in an email to Education Week. “The security of the data we have in our care is one of our highest priorities, and we have already taken important steps to help prevent this from happening again.”
Jim Siegl, a senior technologist with the youth and education privacy team at Future of Privacy Forum, a Washington, D.C., think tank, said that the New York City district’s access to the Illuminate system was disrupted for almost three weeks.
The school system was entrusting its information to one of the bigger data service providers in the K-12 marketplace, and that will inevitably offer some lessons in student privacy, he said.
“The district can outsource the work, but it can’t outsource the responsibility,” said Siegl, who is a former technology strategist for the Fairfax County, Va., public schools, the largest district in the state.
‘It’s not just the technology department [that is] responsible. It’s everybody’s job’
Student data privacy encompasses a broad range of considerations, from students’ own smartphones, to classroom applications discovered and embraced by teachers, to district-level data systems, to state testing programs.
“There’s not just one thing that people should do to ensure data privacy,” said Keith Krueger, the chief executive officer of the Consortium for School Networking, or CoSN, which serves school district technology directors across the country. “It’s not just the technology department [that is] responsible. It’s the superintendent, the curriculum office, the professional development trainers. It’s everybody’s job.”
Siegl agreed.
“The pandemic was an accelerator of education technology,” he said. “Everyone had to react very quickly. Most district [personnel] went home on a Friday [two years ago] and found out that come the next Monday, they had to be virtual.”
Parents who had varying levels of engagement with their children’s education and the technology used by districts “suddenly had that technology right across the kitchen table from them,” Siegl said.
Districts, schools, and often individual teachers were quickly embracing new online apps, sometimes bypassing normal district or school approval processes meant to ensure student data privacy.
The number of education tools and applications accessed per month by school districts increased from 952 just before the pandemic to 1,327 soon after, according to statistics from LearnPlatform Inc., a Raleigh, N.C.-based firm. By last school year, the figure had increased to 1,449.
“There were a large number of very well-intentioned companies that offered educational tools at the beginning of the pandemic,” Siegl said.
Haimson, of the Parent Coalition for Student Privacy, said her group is concerned about “the explosion of apps” used in schools, saying that “parents aren’t being informed about what data is being collected by private companies, how it is being used, and how it is being protected.”
“Even in states where there are privacy laws on the books, they’re not being enforced,” she said.
New cybersecurity measures to protect privacy of student data
Still, lawmakers are weighing or passing measures aimed at providing greater protections.
A CoSN report released in January highlighted a range of federal and state legislative measures aimed at boosting cybersecurity in the nation’s schools. These include the federal K-12 Cybersecurity Act of 2021, signed into law by President Joe Biden in October. It directs the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to “study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks.” The measure also requires the agency to create an online training toolkit for schools.
The massive federal infrastructure bill signed by the president in November may provide a more concrete improvement to cybersecurity in schools. It provides a $1 billion grant program for state and local governments to be used to secure networks, assess cybersecurity vulnerabilities, and bolster the workforce dedicated to improving cybersecurity.
The pandemic has given a lot of companies access to student data that has not been sufficiently protected.
The CoSN report also notes that 30 states passed measures last year designed to strengthen cybersecurity, either directly or indirectly, in K-12 and higher education.
“The proliferation of education cybersecurity bills and laws in 2021 is no surprise given the serious and persistent attacks on schools and other education entities and the massive operational and privacy consequences the attacks leave behind,” the CoSN report said.
A privacy seal of approval for districts follows a rigorous application process
One area where CoSN is trying to promote stronger protections of student data privacy at the school district level is with its Trusted Learning Environment Seal program. It was developed with the input of 28 school systems nationwide and AASA, The School Superintendents Association, the Association of School Business Officials International, and ASCD, formerly known as the Association for Supervision and Curriculum Development.
The TLE seal program requires an extensive application process focused on five areas of school district practice—leadership, business, data security, professional development, and the classroom.
Krueger says the process is valid for two years and encourages best practices.
“It really gives you a roadmap to get to continuous improvement,” he said.
The Rockingham County Public Schools, an 11,900-student rural district in the Shenandoah Valley of Virginia, earned the TLE distinction in June 2021.
Oskar Scheikl, the superintendent and a former teacher and technology director in the district, said the current tech director, Kevin Perkins, came to him with the idea of applying for the TLE seal.
Perkins said that with the pandemic, “all of a sudden we are [shifting] over to digital resources. They require student data. There is authentication. Teachers are able to track student progress. We want to make sure we were positioning ourselves to protect student data as best we could.”
Teachers are used to taking advantage of free offers, he said, so some were signing up for classroom apps without going through the district’s vetting process.
“We have to take a pause and say, ‘Hey, wait,’” Perkins said. The district developed a digital resources request process. It also created a 14-page agreement for technology vendors. And the district tests its own staff members by sending fake phishing emails, such as one that tells employees that the district has signed them up for COVID-19 prevention training.
“To sign in, please use your email address and your network password,” one such email stated.
“The first campaign had a 30 percent click rate,” said Perkins. “Now it’s down to about 10 percent. One of the components of the TLE process is cybersecurity. Our people need to be aware that when you are online, you have to be careful.”
Scheikl said that while he has tech credentials that relatively few other superintendents have—an advanced degree in cybersecurity and service as the district’s technology chief—those aren’t the most important characteristics for a superintendent to have for effective student data privacy.
Instead, it is a commitment from top district leadership to effective data privacy strategies at all levels, he said.
“Inevitably, you are going to wish you had a plan in place,” Scheikl said. “Something [challenging] is going to happen, and when you have a framework in place, it makes it easier.”
