July/August 2014

Keith Bockwoldt is director of technology services for High School District 214, Arlington Heights. The basis for this article was the subject of the district’s panel presentation at the 2014 NSBA Conference.

Over the past year, privacy has moved to a top tier concern of parents and policymakers. Lead stories on national security surveillance and Target credit card breaches have heightened those concerns. In education, concerns around privacy became the demise for the now defunct InBloom effort, and privacy concerns are increasingly being raised by voices on the political right and left.

As school districts become more reliant on technology to deliver curriculum and manage the day-to-day operations of the district, information technology planning and budgets must reflect the need to secure digital assets in order to protect the privacy of students, staff and parents. Additionally, with increased media coverage of businesses, government agencies and educational institutions having personal information compromised, there is more community awareness of the potential threat facing school districts.

In April, our district presented a panel at the National School Boards Association conference in New Orleans, entitled, “Questions Board Members Should Ask to Avoid Being the Next ‘Hacked’ Headline. Joining me was Bill Dussling, board president; Phil Hardin, retired executive director technology, Rowan-Salisbury School System, N.C.; and Keith Krueger, CEO, Consortium of School Networking.

A global perspective on the number of cyber-attacks taking place all over the world and in school districts was given. For example, Denial of Service attacks, which take down information networks allowing a hacker access to an institution’s information systems, are up a staggering 240 percent this year. At District 214, there are 6,500 of these attacks each day and on average 44,000 per week, and this is only one type of attack taking place regularly.

In certain cases, even students have compromised the digital security of schools. In the Rowan-Salisbury School System, students paid an Internet-based company to attack the district’s information network, which resulted in intermittent access to all information systems for more than a month until the students were caught. Widely available, unscrupulous Internet companies charge a small fee to attack a school district’s information network, including student information, finance or learning management systems. This stops business operations and students can’t submit their assignments, which is often the goal.

But it is not only about preventing hacking attempts. Keith Krueger said that one thing seems increasingly clear: education leaders must be ready to answer why they collect data as well.

While much of the current discussion is about compliance with federal laws such as FERPA (Family Education Rights and Privacy Act) and COPPA (Children’s Online Privacy Protection Act), most agree that mere compliance is the minimum effort required by school systems. It is difficult at best to apply laws that were written decades ago when no one could have foreseen the profound technological advances we are experiencing with mobile devices, cloud computing and data-rich apps. Coupled with the growing realization of the value of data for both educational and commercial purposes, school leaders are finding it difficult to navigate.

Bill Dussling provided some context from a board member’s perspective. Certainly, school board members always focus on the safety and security of students and staff. Today, that must expand beyond students’ physical and emotional safety to the safety and security of their personal and private information. In addition, we are concerned about hacking that may compromise any district information or cause our districts to lose the ability to function in support of our education mission.

He suggests school board members ask the following questions:

• What is the volume of hacking attempts made toward our district?

• What types of anti-hacking devices and software do we have to protect our district’s technology?

• Is our anti-hacking program only defensive or do we have proactive measures that seek and identify future hacking possibilities?

• Do we have a staff that is trained to operate and administer an effective anti-hacking program?

• What are the emergency procedures our district has in case there is a successful hack that occurs?

• Does the administration and board receive periodic briefings from our technology department regarding technology safety and security?

Our panel suggested that others should seek additional information on these topics. Two that stand out are the Consortium for School Networking: Protecting Privacy in Connected Learning Toolkit. The free toolkit can be downloaded at www.cosn.org/privacy. We also suggest that district officials visit the Council of School Attorneys: Data in the Cloud Guide. It seeks to raise awareness of student data privacy concerns, and provides a framework for comprehensive student data privacy approaches. The guide is available at: http://nsba.org/sites/default/files/reports/DataInTheCloud_Guide_NSBA_COSA.pdf