
The Current State of Data Security in U.S. Schools: How to prepare for and prevent privacy threats



Over the past few years, there have been several high-profile cyberattacks on schools and districts, but there are many more threats to data security occurring than appear in the news — and they sometimes arise from unexpected sources.  

According to the 2022 State EdTech Trends Report, released by The State Educational Technology Directors Association (SETDA), 70% of all 50 state respondents reported that either the SEA (state education agency) or at least one LEA (local education agency) was the victim of a cybersecurity threat or attack in the past year.

A large number of these attacks involve data security. And, in many cases when data have been compromised, there hasn’t been an “attack” at all, but rather a situation involving human error or a technical glitch. 

There are hundreds of causes for data breaches, but education leaders can take steps to safeguard against many of them. Let’s take a look at some of the most prevalent issues.

1. Lack of training. Data can be compromised unwittingly by educators, teachers, administrators, staff at centers, school board members, and others who haven’t received proper guidance, or who are working within vulnerable systems. Without ironclad password protocols, for example, it’s easy for someone to create and expose a weak password. 

Safeguards: Create clear policies and ensure that everyone adheres to them. In the case of passwords, employ multi-factor authentication, end-to-end encryption, frequent updates, and enforcement of strong passwords. Be aware of who has access to shared systems and where your data is stored. 

2. Vendors and school suppliers whose systems may not be thoroughly vetted. 55% of K–12 data breaches are caused by vendors, according to the 2022 report The State of Cybersecurity from The K12 Security Information Exchange (K12 SIX), a national nonprofit organization dedicated to helping protect K–12 schools from emerging cybersecurity threats. In addition, many of the apps used in schools, including news apps such as USA Today, the language-learning app Babbel, and the popular Wordle, have disturbing data-sharing trends. A 2022 report from Internet Safety Labs reveals that “Nearly all apps [used in the classroom] (96%) share children’s personal information with third parties, 78% of the time with advertising and monetization entities, typically without the knowledge or consent of the users or the schools, making them unsafe.”

Safeguards: Conduct due diligence on all vendors to ensure that their systems are as secure as your own. Have signed agreements in place with vendors that lay out exactly what data they’ll need, how they’ll use it, and for how long. Be cautious about violating student privacy through the use of activity monitoring software, which, according to the Electronic Frontier Foundation, a nonprofit organization committed to defending civil liberties, is “used to filter, block, and flag vast amounts of student activity on their school-issued, and sometimes personal, devices.” And evaluate the apps that teachers are using; do multiple apps serve the same purpose? The more apps you have, the more information is potentially being dispersed—often to the wrong parties.

3. Online hackers/terrorists who take advantage of security gaps to breach databases and gain access to Personally Identifiable Information (PII). Many of these malicious actors seek out and specifically target school districts using sophisticated methods, sometimes leveraging the data they steal to extort money from their victims. Just one phishing attack in 2018 exposed personal data from more than 500,000 students and staff in the San Diego Unified School District. (Source: Mashable)

Safeguards: Your entire data security system is only as strong as your weakest link. Just one person falling prey to a clever phishing attack can open the door to a cybercriminal and compromise thousands of records. Proper, ongoing training for every stakeholder about how to spot and avoid phishing tactics is critical.

4. Students who intentionally or accidentally gain access to data. Tech-savvy students might employ their skills to hack into a school database to cause trouble, or could unintentionally find their way there because of chinks in security systems. For example, in 2021, a student working in the office with the tech director in the Amarillo Independent School District in Texas accidentally gained access to a database table of protected student information—all due to a faulty security setting. (Source: K12 SIX)

Safeguards: If you don’t have a robust data security system in place, anyone could gain access to private data. Ensure that your network, data centers, software, and more are all up to date and are being tested regularly. 

Stay Informed About Data Security

The first step to ensure data security is to become aware of the risks—know what you don’t know and take steps to fix it. 

The report What You Don’t Know Can Hurt You, from The EdWeek Research Center and Managed Methods, reveals that 23% of survey respondents are “very concerned” about data breaches/leaks and 41% are “somewhat concerned.” But those who are sleeping well at night may have false confidence. “Survey results suggest that too many ed-tech influencers are under-informed about the steps being taken to protect their online assets. Some are also unsure whether key systems are located in the cloud or on-site.”

Since so much is stored in the cloud these days—including financial information, HR systems, and student records—it pays to be obsessively cautious about this highly sensitive information. 

Plan for the Best, Prepare for the Worst

When it comes to data security, it’s crucial to not only be proactive, but to have a plan in place should you experience a breach despite your best precautions. If data has been compromised, you’ll need to trigger your communications and media relations plan so that you can jump into action and allay concerns. Hiding the error will likely backfire.

The more that school districts learn and share strategies to safeguard data privacy, the stronger the chance that we can lessen the quantity and severity of data breaches.  

“Encourage open dialogue, transparency, and honesty among all the state’s school districts,” says SETDA, in their report 4 Cybersecurity Concerns for State Leaders. “Cyberattacks are becoming increasingly common and should not be viewed as a stigma; instead, schools should leverage their experiences to help their peers and inform best practices.”

Keep Security, Privacy & Compliance at the Core of Your Education Technology 

When evaluating new and existing technology partners and vendors, prioritize the EdTech solutions/providers that have security, privacy, and compliance at the core. Exposures of learners’ and educators’ privacy, interruptions to impactful programs, and financial losses for families, schools, and education centers can have far-reaching results for decades.  

TORSH is committed to partnering with school districts to securely support coaching and professional learning with our FERPA-compliant, secure platform, TORSH Talent. We safeguard data privacy with:

  • SRP (Secure Remote Password protocol), which enables secure remote authentication
  • Data centers with strictly controlled physical and virtual access
  • Data protection and auditing with end-to-end encryption
  • Network security with firewalls, DDoS mitigation, and more
  • Third-party testing with vulnerability scans and threat identification

Take a look at how TORSH Talent can securely streamline and amplify the impact of your professional learning program. 
