Only 14 school districts or postsecondary education institutions are documented as having self-reported data breaches, inadvertent data sharing and cyber hacks to the U.S. Department of Education over the last five years, all of them in 2018 and 2019.
Stricter data privacy laws and reporting mechanisms may need to catch up with the speed of school technology when it comes to breaches and exposures of student data at K-12 school districts and universities in the United States.
As it stands, only an optional self-reporting process is in place: districts and postsecondary education institutions with concerns about student data breaches or inadvertent sharing of student data are merely encouraged to report to the U.S. Department of Education (ED) when the Family Educational Rights and Privacy Act (FERPA) may have been violated.
Not only are they not required to report the problems, but according to the preamble of the 2008 amendment to the FERPA regulation itself, “The U.S. Department of Education does not have the authority under FERPA to require that agencies or institutions issue a direct notice to a parent or student upon an unauthorized disclosure of education records. FERPA only requires that the agency or institution record the disclosure so that a parent or student will become aware of the disclosure during an inspection of the student’s education record. … FERPA does not require an educational agency or institution to notify students that information from their education records was stolen or otherwise subject to an unauthorized release, although it does require the agency or institution to maintain a record of each disclosure.”
FERPA is a federal law that, among other things, protects the privacy of students’ education records and personally identifiable information. The law applies to all education institutions that receive certain funds from ED. Those funds may be withheld in certain instances, but education institutions are not required to report data breaches, only encouraged to do so, which weakens the agency’s enforcement capability.
The National Center for Education Statistics says, “Student education records are official and confidential documents protected by one of the nation’s strongest privacy protection laws…FERPA, also known as the Buckley Amendment, defines education records as all records that schools or education agencies maintain about students.”
But, with the rise of online curricula and communication, is FERPA strong enough?
According to the regulation, information protected under FERPA includes Social Security numbers, students’ school identification numbers, dates and places of birth, addresses, grades, test scores, courses taken, academic specializations and medical, special education and disciplinary records.
On its web page, ED acknowledges that hundreds of FERPA violations are reported each year. But official records provided by ED covering the last five years show that just over a dozen education institutions, which are only encouraged to self-report, officially did so.
The records were obtained by The Gunpowder Gazette through a Freedom of Information Act request. The data did not include student and parent complaints about students’ data being accessed or shared inappropriately; those documented cases were unavailable through the public information request because that information is protected by the same privacy law.
The request for school districts and universities that proactively reported to ED’s Family Policy Compliance Office over the last five years produced only 36 pages, covering just 14 education institutions that reported any student data security concern.
One complaint, which ED found invalid, came from Baltimore City Public Schools, which attempted to charge WBFF-TV with a FERPA violation over the station’s reporting on students graduating despite high absences and failing grades. The district accused the station of possessing proprietary data although it could not determine where the station had obtained the information.
Other reports ranged from small-scale accidental sharing of protected student data to large-scale exposures resulting from more significant security breaches and cyber-attacks. The remaining 13 education institutions reported the data privacy concerns out of an abundance of caution.
Other districts have chosen not to report at all. Baltimore County Public Schools in Maryland, for example, did not report a June exposure of highly sensitive student data that occurred when a Microsoft 365 update coincided with document sharing settings that some staff members had inadvertently set to “public.” Under FERPA, the district was not required to report it, according to ED.
Reported FERPA violations
While FERPA violations can also be reported by and on behalf of students, enforcement action is only taken if an education agency does not comply with the Education Department’s requests after a breach or data exposure has been established.
The agency can also decide to conduct its own investigation of a breach. Yet until stricter laws are enacted, ED says it takes into consideration a school system’s effort to come into compliance proactively, as demonstrated by voluntarily notifying the agency, which will then assist the institution in complying with the FERPA regulation.
Of themselves, violations carry no penalty and no public announcement of an education institution’s data exposure, even if the institution is the victim of a large-scale hack.
But while some school districts and universities prefer not to self-report potential violations of the student privacy law, the ones that did show how they chose to handle their data exposures and precisely what led to them.
- At North Central Texas College in Gainesville, Texas, a professor inadvertently sent a student’s transcript in April 2018 to the wrong student. The ED was notified.
- Also in April 2018, at Coastal Carolina University in South Carolina, a professor mistakenly attached a gradebook in an email to his class when intending to send his hours of availability for final exam preparation. The ED was notified.
- The McKinney Independent School District in McKinney, Texas self-reported a possible October 2018 FERPA violation when a teacher shared students’ Google Sheets on her personal Google account. The information contained students’ names, dates of birth, student identification numbers and disability information and was not secured by the school district’s security protocols. The ED was notified.
- Washington State University reported an October 2018 data security incident via a mobile application that allowed expired and incorrect passwords to work after an operating system upgrade. The university said that potentially 3,777 students were impacted and reported the incident to the ED in December. Phil Weiler, the university’s vice president of Marketing and Communications, said “While WSU was not required to share this information with the U.S. Department of Education, we felt it was prudent to do so in the interest of transparency.”
- Broken Arrow Public Schools in Oklahoma asked ED in July 2019 how to report a data incursion when “17,000 students might have been affected…It was a ‘ransomware attack,’” the district said. Broken Arrow was told that there was “no obligation to report, but that districts are encouraged to report.” An investigation later showed that no student data were exposed. “Our staff is very conscientious when it comes to reporting quickly and transparently to local and federal agencies that govern our district,” said Charlie Hannema, the district’s public relations director. “During this incident, our cyber insurance carrier provided additional legal counsel and other experts to assist our general counsel in helping us through this process. The district’s position is that it is better to over report than underreport. We have consistently maintained our commitment to the public to be transparent, which has fostered a level of trust which we do not take lightly.”
- In April 2019, Campbell High School in the Litchfield Independent School District in New Hampshire exposed information stored on Amazon S3 by its Total Registration (TR) service, stating that the storage settings had been misconfigured. As a result, certain files listing information about students’ exam registrations were exposed for 48 hours. Data included the last four digits of students’ Social Security numbers, student ID numbers, College Board identification numbers, physical addresses and email addresses, Advanced Placement registrations, International Baccalaureate documents, PSAT/NMSQT exams, gender, date of birth and grade level.
- Rockwood School District in Eureka, Missouri reported three incidents. In June, the district told ED that seven students’ data were potentially exposed to the wrong families. In August, the district said more than 6,000 students’ information had been exposed in a Pearson Clinical Assessment security incident; the data exposed were name and date of birth, and the school system told ED it offered students Experian monitoring as a remedy. In September, a document containing student names, addresses and student IDs was sent by a school nurse to 56 students’ guardians. The information pertained to students who were non-compliant with immunization requirements and contained medical and education records. Rockwood’s Chief Information Officer Deborah Ketring said, “Rockwood School District takes data security and student data privacy seriously. We are partners with our families in the effort to protect their children’s information and value the trust they place in us. To ensure that trust remains valid, it is imperative that we are transparent about not only what we do when things are working well, but also when we experience a data security incident…”
- Making Community Connections Charter School in Keene, New Hampshire experienced a data breach in April 2019 due to a ransomware attack. Records for 1,916 students were involved, including the exposure of 5,106,800 fields in a database belonging to an administrator. All affected students were notified, according to documents from ED, to which the school reported.
- In April 2019, the Washoe County School District (WCSD) in Nevada told the ED that students’ directory information was exposed due to a breach of information from the Pearson Clinical Assessment. The ED encouraged the district to inform parents. Also at WCSD, in September 2019, a sponsored charter school reported an issue when a text was sent to the entire school district through its School Messenger app which included all students’ directory information as well as their student ID numbers.
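Two of the exposures above, the Campbell High School files on Amazon S3 and the Baltimore County documents set to “public,” share one root cause: a storage location whose access settings grant read access to anyone. The following is an added example, not code from the article, from Total Registration or from any district. It evaluates a constructed S3 bucket policy, bucket ACL and Block Public Access configuration offline, in the JSON shapes the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs return, and reports whether objects are readable by everyone. The bucket name, account ID and role name are placeholders.

```python
"""Detect public read exposure in an S3 bucket's policy and ACL.

Added example for this article; not code from the original page, from
Total Registration or from any school district. All inputs below are
constructed and use placeholder identifiers.
"""

# AWS predefined groups whose presence in an ACL grant makes it public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
# Actions that let a principal read or enumerate objects (lower-cased).
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return Sids of Allow statements that grant read/list to everyone.

    Statements carrying a Condition are skipped: a condition such as
    aws:SourceVpce can make the grant non-public, and evaluating
    conditions faithfully is beyond this example (a simplification).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def assess_bucket(policy, acl, public_access_block):
    """Combine both checks, honoring S3 Block Public Access settings.

    RestrictPublicBuckets neutralizes public bucket policies and
    IgnorePublicAcls neutralizes public ACL grants, so a finding is only
    reported when the corresponding guard is off.
    """
    findings = []
    if not public_access_block.get("RestrictPublicBuckets", False):
        findings += [f"policy statement {sid} is public"
                     for sid in public_policy_statements(policy)]
    if not public_access_block.get("IgnorePublicAcls", False):
        findings += [f"ACL grants {perm} to {group}"
                     for group, perm in public_acl_grants(acl)]
    return findings


# --- Constructed sample configurations (placeholder bucket/account) ---
# Weak: the classic "anyone can read every object" statement.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-exam-registrations/*"}]}
# Hardened: only one named service role may read.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RegistrationServiceRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/registration-service"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-exam-registrations/*"}]}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
         "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                               "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER]}
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {key: True for key in BPA_OFF}

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_POLICY, WEAK_ACL, BPA_OFF)),
                       ("hardened", (HARDENED_POLICY, PRIVATE_ACL, BPA_ON))):
        print(label, assess_bucket(*cfg) or ["no public exposure found"])
```

The weak configuration is reported twice, once for the policy and once for the ACL; the same weak inputs produce no findings when Block Public Access is fully enabled, which is why enabling it at the account level is the first check to make after an exposure like the one Campbell High School described. Real bucket policies can also become public through conditions, cross-account principals or object-level ACLs, which this example does not evaluate.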
Other exposures of information, not as widespread, were self-reported by school districts and colleges to ensure they did not violate FERPA laws.
- In August 2019, a school coordinator from the Roseville City School District in California sent a single email containing a student’s name, home address and bus route number to the wrong family. The district wanted to ensure it handled the exposure correctly and reported the incident to ED.
- Great Basin College in Elko, Nevada notified the ED after an English professor placed graded assignments in a box outside of her office door in May 2018.
- The Rose Tree Media School District in Delaware County, Pennsylvania inadvertently released personally identifiable information in November 2018 when the district’s director of pupil services and special education accidentally sent an email with instructions for accessing a parent survey without blind-copying the recipients, so every parent could see all other parents’ names and email addresses. No students’ personal information was released, but ED was proactively notified.
- Mount Saint Mary’s College in Emmitsburg, Maryland self-reported a FERPA violation in February 2019 when two students were notified that they had received a failing grade in the same email from their professor. Out of an abundance of caution, the university notified ED. Donna Klinger, director of Public Relations and Communications, said the university is committed to student privacy and “believes that reporting on FERPA violations, no matter how inadvertent, demonstrates the university’s seriousness in protecting student privacy. The university educates ethical leaders; openness and transparency meets the high ethical standards called for through our curriculum and also in our operations.” Klinger said that the university took action “even though there were no formal complaints about the incident.”
Is technology outpacing federal protections and mandatory disclosures of data privacy breaches?
The U.S. Department of Education says, “Any organization with electronic records is vulnerable to security breaches, and education agencies are no exception.”
So, why are student data privacy concerns increasing?
FERPA, enacted in 1974, dealt with student records that existed in pre-digital, paper form. Districts’ move to online record-keeping widens the exposure of those records.
A 2008 amendment to FERPA gave law enforcement greater flexibility in obtaining students’ education records. It was prompted by the 2007 Virginia Tech mass shooting, in which a student with documented behavioral health issues killed 32 students and teachers.
At the time, according to the American Health Information Management Association, FERPA was viewed as an impediment to accessing vital communications and information in the perpetrator’s education records that, if disclosed, “may have resulted in professional intervention that could have prevented the tragedy.”
But when it comes to data breaches and inappropriate sharing of students’ protected information, students depend on education institutions to protect their data.
Under current regulations, however, ED is limited to encouraging best practices, and it offers checklists for education institutions to follow should they encounter a problem.
For data breaches at school districts and universities, the department’s Privacy Technical Assistance Center provides a Data Security Checklist of recommended measures to prevent a data breach.
The agency also offers a Data Breach Response Checklist that covers validating the breach, choosing a response team and determining the breach’s scope, and suggests that school districts and colleges notify those whose data were accessed or inappropriately shared.
All school districts and institutions that proactively self-reported their data issues to ED were contacted for this story.