Safety & Security (Prepare and Be Aware)

Battling Cyber Delinquents



Computer hackers are everywhere these days. Russian hackers apparently attacked candidates’ digital records during the recent presidential election.

In another notable case, the Office of Personnel Management was hacked in an effort that ultimately exposed the personal information of 21.5 million workers.

Who are these hackers? Some are backed by nation states and seek to disrupt government and business operations. Others are criminals interested in stealing personal information that can be sold. Then there are cyber vandals who hack for the heck of it.

K-12 Cyber Risks

K-12 schools are at risk, too. Hackers literally shut down the Horry County School District in South Carolina earlier this year. The criminals demanded $10,000 in digital Bitcoin, an Internet currency that is difficult to trace. Horry County district officials didn’t want a standoff that would shut down education in the district indefinitely; so, officials decided to pay the ransom and get the schools back up and running.

In another case, a 17-year-old student hacked 15,000 student records in the Sachem School District on Long Island and posted personal information online. Experts say that hacking school records is an epidemic problem that has no easy solutions.

Another pathway into a district’s computer systems lies with vendors. Hackers sometimes manage to infect a vendor’s hardware or software, and infect district files through an installation.

Are There Any Solutions?

“School hacking is a complex and moving target, and no district should attempt to go it alone,” says Jim Flanagan, chief learning services officer with the International Society for Technology and Education (ISTE). “Small and large districts alike should find a partner with expertise and insights into the problem and its solutions.”

Where can a district superintendent find a partner? Flanagan recommends talking to officials at the district’s state education agency, which can provide useful resources.

Flanagan also points to state ISTE affiliates and state Councils on School Networking (COSNs). “COSN has great technical expertise in this area,” Flanagan says.

“Additional resources to investigate are collaboratives. Almost every district nationally is part of a collaborative. Some states maintain collaboratives as local or statewide structures.

“There are lots of collaborative flavors. Some states, for instance, have large counties and the schools there may be collaboratives unto themselves.”

Flanagan suggests drawing vendors into collaborations as well and points to two adjacent districts in Massachusetts. There, Chief Information Officer Steve Smith of the Cambridge Public School District and Mark Racine, director of Technology with Boston Public Schools, have created an effective collaborative focused on preserving data security.

They have created a document that can be used as an addendum to a vendor contract, Flanagan says. The document defines data privacy and security requirements for vendors that contract with school districts.

With such a tool, individual districts need not start from scratch; they can pick up this boilerplate language and add it to their vendor contracts.

“Of course, the contract language states what is required of vendors,” notes Flanagan. “But you also have to test vendors and require them to prove that their software actually satisfies the contractual requirements.

“Most vendors make a good safe effort, but all it takes is one app that doesn’t meet the standards and your system may be breached.”

Flanagan goes on to say that districts that implement this system can be sure that they are using the latest and greatest requirements. He also notes that the contractual anti-hacking language is constantly updated to account for new developments.

Student Data Privacy Consortium

Flanagan also recommends investigating the Student Data Privacy Consortium (SDPC) set up and facilitated by Community (A4L) and several learning organizations, governmental agencies and vendors.

The Consortium’s mission is to develop tangible solutions that help solve operational privacy issues for schools as well as vendors — by combining its own tactical, real-world efforts with those of the various organizations working to buttress student privacy.

“Districts that have put into practice the recommended procedures to ensure student data privacy realize that this requires a great deal of time and resources,” says Steve Smith, Cambridge Public Schools CIO and Chair of the SDPC. “Not all schools have the required resources to implement these procedures effectively.

“Many of these best practices can be replicated across LEAs (Local Education Agencies) and vendors through agreed upon procedures, contract terms and common expectations. The Student Data Privacy Consortium is bringing together LEAs, SEAs and Vendors to create a more seamless process for ensuring student data privacy such that all districts can meet expected best practices.”

Another Tool: The Cloud

The cloud can help, too. “More districts need to look toward the cloud,” Flanagan says. “In a cloud-based service, you get software from the cloud and store documents there. Your server is in the cloud instead of in a district service room or data center.”

IT directors can acquire Software as a Service (SaaS) from vendor servers in a cloud.

But won’t IT directors lose some control over their systems and data by doing this? Is that a good idea?

“You can buy network space in the cloud and operate your own system,” Flanagan says. “The cloud isn’t a panacea, but I would rather have my data with an organization whose primary business is securing and distributing data — versus my own data center.”

Train Administrators, Faculty and Students

For these measures to function effectively in securing data, administrators, faculty and students must handle data in secure ways. That requires training for everyone.

“There are great training resources available for K-12,” Flanagan says. “Common Sense Media, for example, is a non-profit organization with great programs.”

Common Sense Media offers training programs for students as well as administrators and faculty.

Resources include lesson plans, videos, interactives and assessments in units for grades K to 2, 3 to 5, 6 to 8 and 9 to 12. In addition, there are professional learning materials, family outreach tools and a turnkey curriculum.

The Common Sense Media website offers much more than student privacy ideas. All in all, says the website, the offering is everything needed “to take a whole-community approach to digital citizenship.”


West Corporation’s West Education Group has developed nine best practices that educators can use to promote data security.

Here they are:

  1. Legal compliance is the basis of developing school norms and culture.
  2. Check the quality of your current practices by comparing them with current regulations and norms.
  3. Managing regulations and norms and insisting on accountability form the basis for safeguarding student data.
  4. Extend your efforts through communications with parents.
  5. Support parents in their data access and awareness of related rights and possible risks.
  6. Student privacy requires data security.
  7. Schools should direct and manage data access for third-party vendors and partners.
  8. Staff awareness and training in data security is essential to success.
  9. Continuing student education reinforces good practice.
