Nothing is sacred—or secure—when it comes to data. Breaches have become a fact of life as they indiscriminately target the digital services that we rely on, from Equifax to Target, Ebay to Yahoo. Schools increasingly find themselves in the crosshairs as well. More than 207 incidents have targeted K-12 public schools since January 2016, according to this tally from industry consultant Doug Levin.
As schools and districts increasingly rely on digital tools, what have companies and districts learned about safeguarding sensitive information? How can buyers be savvier when reviewing privacy and security policies?
Survivors from high-profile breaches at two education technology companies—Edmodo and Schoolzilla—shared what they learned at the SF Edtech Meetup on Sept. 20, 2017. Joining them were Emily Tabatabai, a data privacy and consumer protection lawyer at Orrick, and Kyleigh Nevis, an instructional technology coordinator at Oakland Unified School District.
Hacks may be technical by nature, but proper employee training is key to prevention. The conversation focused on how companies and schools can create the protocols and culture to keep everyone smart and alert. “Most incidents occur from human mistakes,” says Lynzi Ziegenhagen, CEO of Schoolzilla. Back in April, a security researcher discovered the company had nixed a configuration setting and inadvertently exposed sensitive user information to the public.
“We’re working in education—and education is key to all of this, adds Mollie Carter, Vice President of Marketing and Adoption at Edmodo. “Districts, companies and users have to be educated” around the best practices to protect sensitive information. (This May, hackers accessed and put for sale 77 million user accounts. She says no one purchased or accessed that information.)
Minimize Data Collection
The best way to secure data is to not collect any. That’s not possible, of course, but companies ought to think about restricting what they collect, says Carter. “Sure, we would like a lot more data on students. In some cases it could actually improve the learning outcomes. But it’s always a balance between how much data you collect, and building a very secure, private tool.”
In an age where data is more valued than oil, technology companies are often tempted to hoover up as much information as possible. “It’s not the right approach to be collecting data in the same way you collect things to store in the garage and say ‘Someday I might need it,’” advises Ziegenhagen. Keeping unnecessary data for some unforeseen future “when you could add value to your product is just not worth the risk and cost,” she adds.
Yet minimizing data consumption can also be costly. “It takes engineering time and money to collect less data,” notes Ziegenhagen. “For example, if we’re pulling a table from another system, it’s so much easier to get all the data in that table.” There may be fields with sensitive information that are irrelevant to the service, and “we’ve spent a lot of time to configure [our systems] to not take everything.”
For most edtech startups, however, “it’s just faster and easier to take the whole table,” she observes. “But it’s a shared responsibility to only collect what are actually going to use to help kids.”
Read the Fine Line
A few years ago, recalls Tabatabai, most conversations on data security focused on federal legislation such as FERPA and COPPA. “Schools weren’t as aware of what they needed to be doing, and it was the company’s job to educate the educators” about privacy and security laws, she says.
That’s no longer the case. “Schools are not naive anymore,” says Tabatabai. “They are incredibly well-versed about what they need to be doing” to safeguard student data. Today’s vendor contracts often include specific clauses around where data can be stored, how it should be encrypted. “These are things that have nothing to do with the law in the state, but school districts decide these are the security provisions they want to have in place.”
Sometimes, what the law requires will differ from what a school district demands. “School contracts can be far more restrictive and have a lot more variation” than state rules, says Tabatabai. Connecticut, for example, requires companies to notify institutions of a data breach within 30 days. Yet some of the school contracts she’s seen ask vendors to communicate within 48 hours.
“These contracts are probably going to be your most crucial piece of regulation, and a lot of [vendors] are signing them without reading them,” says Tabatabai. “I know it’s important to get customers onboard, but you have to read them, because some of them can be very burdensome.”
‘Scare’ Your Employees
BBC reported that Equifax’s Argentina division used “admin” as both the username and password, proving that the laziest habits can be as dangerous as the best hacker.
Nevis says training is crucial, especially as teachers scour the web for tools to try in their classrooms. Particularly problematic is when “teachers find a program that may be very engaging for a student and sign the terms of service,” she shares. “But those terms of service are for the teacher, not the district. How do we make sure those programs are under the district’s watch so that everyone’s properly protected?”
“It’s like the Wild West for districts,” she adds.
Companies often provide training sessions for their users, and these events offer an opportunity to model best practices, says Ziegenhagen. “Some people just don’t know you’re not supposed to send your password in an email,” she says.
Proper training is perhaps the most inexpensive way to prevent security incidents. On everyone’s first day at Schoolzilla, “we try to scare them” into the importance of best data security practices,” offers Ziegenhagen. “We try to drill home the message that we are entrusted with data that does not belong to us, and if we do not treat this with serious concern, everything could go away—your job, our work.”
Another tip she’s learned is to create a culture where mistakes are okay. “If a person makes a mistake, it was because it was too easy to make one, and something needs to be changed in the process,” she adds. “We do celebrate when someone makes a mistake and informs us right away. Everyone knows to call me and CTO, and then we thank people for telling us quickly.”
“The human thing you want to do, when you mess up, is to sweep it under the rug. Make sure that doesn’t happen,” says Ziegenhagen.
Should a breach occur, “know who you are going to call, and know who’s going to be available,” advises Carter. Usually that involves a lawyer and an outside data forensics team. Another tip she gives to all companies: “You have got to have a playbook for what to do when these situation happen.”
