Three Reasons Why Schools Should Prioritize Data Privacy

Schools are Hot Targets

To be kept private, data must be kept secure. And academic institutions have a troubling track record when it comes to data security.

A 2018 report by SecurityScorecard ranked the education industry dead last in terms of cybersecurity readiness. A study by Malwarebytes published the following year found schools to be one of the most popular cyberattack targets. There’s no shortage of evidence to support both claims. Last year, Louisiana had to declare a state of emergency due to cyberattacks against its school boards. According to ZDNET, more than 500 schools in the US were hit by ransomware attacks in the first nine months of 2019 alone. And with vulnerability to cyberattacks comes vulnerability to data breaches, as the recent incident at SFU demonstrates.

Schools aren’t oblivious to these issues. According to EDUCAUSE, information security has been the top priority in academic IT for years. As of this year, privacy holds second place. So academic institutions recognize the risks they face and are working to mitigate them. But as long as these institutions remain such popular and vulnerable cyberattack targets, their private data will be under constant threat.

Privacy Laws are Proliferating

Ensuring data privacy isn’t just a security concern. It’s also increasingly a legal concern.

In 2018, the European Union introduced the General Data Protection Regulation (GDPR). Widely considered the most comprehensive privacy law ever passed, the GDPR guarantees unprecedented rights and protections to EU citizens, establishes strict guidelines for handling personal data, and lays out harsh penalties for organizations that don’t comply. The GDPR is likely a sign of things to come. Similar laws are proliferating around the world. The California Consumer Protection Act (CCPA), for example, came into effect on the first of this year.

This trend should concern the education industry more than most for one simple reason – cost. Schools are famous for operating under tight budgets. And these new laws come with crippling financial penalties for noncompliance. The CCPA, for example, mandates fines of up to $7,500 per record breached. In the event of a large data breach, this could add up to a staggering amount of money, especially for institutions that already struggle to balance budgets

The Cloud Complicates Compliance

The ongoing transition of software to the cloud is creating new technical challenges to protecting data and complying with privacy regulations.

The sync tools used to provision access to some cloud products raise significant privacy concerns. These tools work by creating accounts for everyone in an organization’s directory, giving the whole organization instant access to a product. This turnkey approach keeps things simple from an IT perspective. However, it requires allowing a piece of software to access basic personal information about all members of an organization and pull that information into an outside system – without those individuals’ consent or knowledge.

One could argue that these mass-imports of PII violate the GDPR’s stipulations on informed consent. Still, it’s a risk some schools may be tempted to take. Because the most obvious alternative is to have IT manually manage access to cloud products. This may be a viable option for private businesses, where all employees are typically licensed to use the same products until they leave the company. But for academic institutions, where product eligibility is often based on course load and can change with every new semester and course transfer, it can require a prohibitive amount of time and effort.