If people working in the education space thought they were immune to the risk of cyberattack, they should think again: educators across the country were welcomed back to school this fall by an FBI warning to tread carefully into the risky waters of education technology.
“The US school systems’ rapid growth of education technologies and widespread collection of student data could have privacy and safety implications if compromised or exploited,” the FBI warned in a September public service announcement.
The FBI also urged parents to learn more about the cybersecurity risks associated with education technology and to ask their local districts how technology is used and how student information is protected in their schools.
With the increasing concerns about security among individuals, families, districts and legislators, and increased teacher and student reliance on internet access, school cybersecurity is subject to more scrutiny and questions than ever.
It is critical that school districts know how to take appropriate actions to get ahead of cybersecurity threats and problems to prevent the exposure and loss of sensitive data, which may include:
- Personally Identifiable Information (PII);
- Biometric data;
- Academic progress;
- Behavioral, disciplinary, and medical information;
- Web browsing history;
- Students’ geolocation;
- IP addresses used by students; and
- Classroom activities.
Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children.
Since 2016, there have been just under 400 reported incidents in the nationwide K-12 world, including data breaches, phishing attacks and other occurrences that led to school and personal information being exposed.
Even after recent high-profile incidents, cybersecurity can seem abstract and non-urgent. Schools have valuable information to protect for both students and employees. However, as financial and physical security issues arise and need to be addressed, cybersecurity often falls through the cracks and is downgraded in priority on the to-do list.
Enter HB 1612
Granite State school districts have seen a couple of cyberattacks in recent years. Other school districts around New England have as well. Breaches, ransomware, phishing attacks, and even social media hacking leading to employees being targeted have become common.
- 2016 - Concord, NH - School District Phishing Attack
- 2016 - Exeter, NH - School District DDoS Attack
- 2016 - Lawrence, MA School District - PII Breach
- 2018 - Leominster, MA School District - Ransomware Attack
The State of New Hampshire and the Department of Education have been concerned about these incidents and have taken steps to prepare and assist districts with the information they need to protect themselves and the privacy of student and teacher personally identifiable information (PII).
What is HB 1612?
New Hampshire House Bill 1612 (HB 1612) requires all public and non-public schools to develop a data security plan to protect students, teachers, and department records from cyberattack.
The specifics of HB 1612 are below:
Under HB 1612, each school district in New Hampshire is required to:
- a. Review all software applications, digital tools, and extensions and assure that they meet or exceed standards set by the department.
- 2. Create, maintain, and make publicly available an index of definitions of student personally-identifiable data fields
- 3. Develop a thorough data security plan that includes:
- a. Privacy compliance standards
- b. Privacy and security audits
- c. Breach planning, notification, and procedures
- d. Data retention and disposition policies
- 4. The data security plan must require breach notification as soon as practicable to:
- a. Any teacher or student whose PII is believed to have been part of a breach must be notified as soon as possible
- b. Further notifications must also be sent to the governor, state board, senate president, speaker of the house, chairperson of the senate committee with jurisdiction over education, chairperson of the house committee with jurisdiction over education, the legislative oversight committee, and the commissioner of the department of information technology
- 5. The data security plan must require an annual data security breach report delivered to:
- a. The governor, state board, senate president, speaker of the house, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee, and the commissioner of the department of information technology
- 6. Make publicly available students' and parents' rights under the Family Educational Rights and Privacy Act, including:
- a. The right to inspect and review the student's education records
- b. The right to request amendment of a student's education records that the parent or student believes are inaccurate or misleading
- c. The right to provide written consent before the school discloses student personally identifiable data
The bill was passed by the New Hampshire State Legislature and signed by Governor Sununu on June 18, 2018. HB 1612 went into effect on August 11, 2018, and plans must be implemented by June 2019.
Interested in seeing how secure your workplace is? Sign up for a FREE Cyber Security Risk Scorecard and/or a FREE Leaked Credential Report from Security7 Networks.
If you have any questions and want to know how Security7 Networks can help you satisfy the requirements of HB 1612, please leave a comment below.