In 2008, a Fox News article reported that two 18-year-olds in Orange County, California, hacked into their school’s computer network to alter grades and steal test material. One of the boys had infiltrated the school network multiple times and was charged with 69 felony counts which could add up to over 38 years in prison. The charges against him included altering and stealing public records, computer fraud, burglary, identity theft, receiving stolen property, and conspiracy.

Non-student criminals are also a concern for schools: Adult thieves may be involved in burglaries of hardware from laptops to smart phones to computer hard drives, in addition to remote hacking. These physical thefts give the perpetrators more time to lift data from stolen devices.

Because schools involve numerous operations beyond the classroom, they have a broad exposure to cyber risks: Schools present a multilayered profile that includes computer database administration, health care services, financial services, and possibly even retail merchandising activities. Data breach in any of these areas can be catastrophic.

In order to prevent such disasters, schools need to recognize all the businesses they are actually involved in and the cyber risks associated with these activities.

Here’s a checklist of some potential school data that is either sensitive and/or private:

  • Personal information of students, including contact information and Social Security numbers;
  • Financial information of tuition-paying parents, as well as that of students who receive financial aid;
  • Financial information of teachers, including payroll, pension/401k, and tax withholding data;
  • Student medical and health information, including health insurance documents;
  • Teacher employment records, including background checks and peer reviews;
  • Cognitive profiles of students receiving special services or accommodations;
  • Credit card data of parents, students, or alumni who make purchases at a school store;
  • Fundraising data, including financial information and donor names and contact information.

Web sites with parent portals and alumni web sites present privacy concerns, both in terms of data that can be accessed, as well as media content that may be subject to copyright or trademarks. Furthermore, data such as bus schedules can be used to stalk students, and vendor service companies can be defrauded electronically using data from sources like public school meal programs.

Schools that sponsor social media for teachers or alumni departments are subject to a whole different set of risks.

Schools’ duty to ensure the security of their records is regulated on both a federal and state level.

  • FERPA affords parents or eligible students the right to inspect all personal records held by schools and requires schools to keep private all student records except under specified situations.
  • HIPAA protects the privacy of personal health and health insurance information.
  • FCRA regulates the privacy of financial transaction and information.
  • PCI-SSC standards ensure the privacy and accuracy of credit card transactions.

Schools and their insurance advisors should review all the potential sources of data breach and devise strategies of data protection and crisis and notification planning.  Equally important, schools need to acquire insurance that includes protection for loss of data, regulatory costs, third party liability, and media content.

For more detailed information on cyber risks faced by schools, read our full-length article on the topic.