Since 2013, there have been 65 reported breaches of educational institutions (www.privacyrights.org). Of these 65 breaches, 15 involve K-12 institutions. The breaches ranged from lost laptops and students accessing records to successful hacks by outsiders. These cases show that data breaches happen not only in the corporate world but within our school systems as well.
How School Cybercrime Is Governed Federally
Just as HIPAA protects patient information in the medical industry, there is a federal law that governs the privacy of information collected by educational institutions (K-12 and universities alike). This law is commonly referred to as FERPA. But unlike HIPAA, FERPA is strictly a privacy law. It is not a data protection law.
Since FERPA is not a data protection act, it does not hold educational institutions to specific measures for protecting data from disclosure. Each educational institution decides for itself how to protect the data. Oftentimes, schools will speak with their general counsel to confirm whether any information can be distributed to third parties. While general counsel may confirm that the school is within FERPA guidelines in this effort, the school may not necessarily know that more needs to be done to protect information.
Information Storage Makes Schools A Prime Target For Cybercrime
Schools store information not only about teachers and employees but also about students and alumni, and they retain a great deal of it. Focused on fundraising, schools also retain information on corporate and individual donors. Storing this type of information requires compliance with additional data protection requirements such as PCI DSS or state data protection acts.
Hackers are fully aware that educational institutions are treasure troves of information. Cybercriminals view schools of all types as straightforward targets, quickly compromised for student and employee data, and as easy footholds into larger organizations that have ties to the school, such as corporate donors. Donors, parents, and students should rightfully ask how their information will be protected before providing it to an educational institution. You have the right to know how well the system is protected against school cybercrime.
The Future Of School Cybercrime
FERPA may one day be revised to include specific data protection requirements. However, schools cannot afford to wait for this to occur and should seek the most complete data protection plan possible now. Schools should also confirm whether they must comply with data protection laws, which widens the scope of their accountability for school cybercrime beyond FERPA. By taking these steps, schools can take a well-planned, proactive stance and protect themselves from the costly aftermath of an unexpected disclosure.