If there is an Achilles’ heel to a future of robust personalized learning for all K-12 students, it is the uneven attention to the cybersecurity risks facing school information technology assets and data. In this post, I offer emerging lessons about real and perceived information security issues facing schools from the data underlying the K-12 Cyber Incident Map.
Companies are exploiting the education space for sales and public good will, and parents and educators should be questioning how those in the public sector are carrying the branding and marketing of private companies.
Earlier this week, an unknown person or persons launched a short-lived, but clever cyber attack against Google Docs’ users. While apparently not targeted toward schools, it very quickly found its way to K-12 classrooms nationwide, resulting in alarm and confusion. Based on my investigation of the exploit, here are the three lessons I believe those of us in K-12 education should take from this incident.
Today, I am pleased to introduce and launch the “K-12 Cyber Incident Map.” It is a visualization of cybersecurity-related incidents reported about U.S. K-12 public schools and districts from 2016 to the present. Painstakingly assembled from public reports, it was created to begin to build a data-based awareness of the scope and variety of digital security and privacy threats facing K-12 public schools and districts, as well as to shed a light on the need for uniform standards for disclosing cyber incidents affecting schools, students, and educators.
It is time to reboot the social contract for public education in a digital age. At the same time, we must remain clear-eyed and recognize the ways in which technology also introduces new issues and potential threats. What we need are terms of service that provide every student and their family assurances that their interests remain at the fore.
Select state government audits of school district IT security procedures find a concerning state of affairs. State departments of education should adopt and promulgate digital security expectations and best practices for schools, provide technical assistance and resources to districts to support implementation, and conduct regular audits to ensure compliance.
Every school district should be able to answer three very simple questions about their IT and student data security practices.
According to an alarming new study, school districts are routinely sharing individual student data about discipline with colleges as part of the admissions process, and colleges are in turn using that data to deny admissions to students. With no empirical evidence to support the practice, a lack of written policy, and demonstrable harm to students, this practice must cease.
Advocates would have us believe that school districts are incapable of making responsible decisions about technology-related privacy and security issues affecting students. Even if they are correct about the current state of affairs – and they just might be – it doesn’t abdicate our responsibility to help schools and educators do better.
