Data Privacy & Security Service Digital Digest Winter 2016

Winter 2016 (Issue 7)

PROTECTING STUDENT DATA

In this issue of the DPSS Digital Digest, you will find many resources and information about protecting student data. As the use of data in education continues to proliferate, the protection of student data becomes even more important. Student data is used in a variety of ways from SMS to LMS to State Reporting. In all of these scenarios it is crucial that users ensure that student data is secure. Protecting student data is not as simple as making sure that your firewall is up-to-date. In this issue you will see several instances where student data was compromised due to breaches outside of the district’s control. It is important that all users that have access to student data are aware of the ramifications of data breaches and best practices to protect student data.

In This Issue

Page 1: Education Week Spotlight on Student Data Privacy; Trusted Learning Environment (TLE) Seal Program

Page 2: Forum Guide to Education Data Privacy; 4 Companies Agree to Stop Tracking Children Online After Settlement with New York Attorney General

Page 3: Comptroller’s Corner; PTAC Releases Guidance Video Concerning Use of Email and Student Privacy; Student Privacy Pledge; Recent FCC Ruling

Page 4: Yahoo Email Breach; Recent Data Breaches

Page 5: October 21, 2016 DDOS Attack

Page 6: DDoS Attack

Education Week Spotlight on Student Data Privacy

In 2016, Education Week published a collection of articles entitled Spotlight on Student Data Privacy, which includes articles that highlight the importance and value of protecting student data and the ramifications of not properly protecting student data. On page 13, the article Making the Right Commitment to Student-Data Privacy highlights the reasons why all district stakeholders need to commit to protecting student data privacy and understand the importance of protecting it. “School administrators must understand that student-data privacy is not just a concern for IT administrators, but also for the executive leadership, who must take responsibility to drive the change needed throughout their organizations.” This not only requires education of all staff members, but in many districts requires a cultural shift. The Spotlight on Student Data Privacy highlights ways that districts can encourage this culture shift and provides helpful information districts can share with their stakeholders.

Questions to think about:

Where is your district data?

Who is responsible for data in your district? Do those responsible for data know what to do and what not to do?

Trusted Learning Environment (TLE) Seal Program

The Trusted Learning Environment (TLE) Seal Program is an initiative of CoSN (the Consortium for School Networking), in association with AASA, the School Superintendents Association, the Association of School Business Officials International (ASBO), and ASCD. The TLE Seal Program indicates that school systems have demonstrated adherence to a set of publicly available standards focused on the protection of student data privacy. The program requires schools to implement student data privacy protections that meet a set of high standards around five core practice areas: Leadership, Business, Data Security, Professional Development and Classroom. Within each core area are a number of specific practices that schools must have implemented in order to be eligible for the Seal. Use the following link to view the TLE Seal Application for a detailed description of the TLE Seal Practices and supporting documents required to demonstrate evidence of each. Even if you are not applying for the Seal, the application is worth reviewing to evaluate how your district measures up.

The application period for the second cohort will be open through February 15, 2017. Visit the Trusted Learning Environment web site for additional details.

Check out this infographic for more information about the TLE program.

Contact info@trustedlearning.org for more information.

Worth a visit: In addition to TLE specific information, the TLE Resources page features links to a variety of useful web sites related to Student Data Privacy.


FORUM GUIDE TO EDUCATION DATA PRIVACY

What is Student Data Privacy? The National Forum on Educational Statistics seeks to answer that question in its comprehensive report called a Forum Guide to Education Data Privacy. The first chapter of this report looks at privacy laws at a federal level, privacy and security considerations needed to protect student data, and roles and responsibilities of SEAs, LEAs, and vendors with respect to data confidentiality. In the Winter edition of the Digital Digest, Chapter 1 of the research report will be highlighted. Additional chapters of this report will be highlighted in upcoming editions.

When it comes to protecting student data and privacy, one size does not fit all according to the research conducted by the National Forum on Educational Statistics (NFES, 2016). Data is shared at alarming speeds across schools and districts as well as with agencies outside of districts all in the name of improving services directed to students. Parents appear to support the use of student data by teachers and administrators within school districts if the data is for educational purposes. However, parents are less comfortable with data being shared with online service providers or third party vendors. Parental concerns include: the use of data for advertising or marketing purposes; the creation of student profiles that could later be used by vendors for marketing; sensitive information such as disciplinary records that could impact educational or employment opportunities later in life; identity theft; and data that is not properly deleted when it is no longer needed (NFES, Future of Privacy Forum, 2015).

Federal student data and privacy laws such as the Family Educational Rights and Privacy Act (FERPA), passed in 1974 and revised in 2008 and 2011, require schools to give parents and eligible students (age 18 or older) the opportunity to review information contained in educational records. If information is incorrect, amendments are to be made. Disclosure of personally identifiable information (PII) to a third party without consent is prohibited under FERPA. LEAs must notify parents and eligible students of their rights each school year under FERPA. The Report discusses the use of PII and audit or evaluation exceptions, directory information exceptions and FERPA exceptions. Additional federal requirements such as the Protection of Pupil Rights Amendment (PPRA), COPPA, HIPAA, National School Lunch Act, and Military Recruiters are included. Information must be protected from both technical and human threats. These threats can be mitigated through proper and ongoing professional development. The full context of chapter 1 is available here.

Additional Resources

6 things schools can do to ensure student data privacy:

1. Create clear governance policies
2. Lock down access to PII with identity and access management
3. Manage data with precision
4. Randomize data whenever possible
5. Use encryption
6. Vet your vendors

4 Companies Agree to Stop Tracking Children Online After Settlement with New York Attorney General

Most kids love cookies, but not the type that track their web movements. New York State’s attorney general, Eric Schneiderman, reached a settlement with four children’s companies for using technology to track movements on websites. These companies, Viacom, Mattel, Hasbro and Jumpstart Games, were in violation of the Children’s Online Privacy Protection Act (COPPA) that prohibits the online collection of personal information by persons or entities from children under 13 years of age.


Comptroller’s Corner

The New York State Comptroller conducts audits of school districts on a regular basis. The reports produced can assist districts when it comes to evaluating their use of data and controls. In this issue of the Digital Digest, we are sharing two Comptroller reports with you. In the first report (2014), the Comptroller discusses the use of Student Information Systems (SIS) and the amount of personally identifiable data contained in these databases. The report states that only users with a “business need” should have access and be provided with the minimum access necessary to perform job responsibilities. In the second report (2015), the Comptroller discusses the use of Student Grading Systems to record information about students’ grades. Because of the nature of this information, the Comptroller indicates that access to grades by teachers, administrators, various staff members and external information technology support staff should be limited to a “business need” and users should have the minimum amount of access necessary to perform job responsibilities.

PTAC Releases Guidance Video Concerning Use of Email and Student Privacy

The U.S. Department of Education through its resource called PTAC, the Privacy Technical Assistance Center, released its latest guidance video on the use of email in schools and student data privacy. This video is one of eight that PTAC has on its site. The videos on PTAC’s site are relatively short and are related to privacy, data use, directory information, parent information, and the Family Educational Rights and Privacy Act (FERPA).

Student Privacy Pledge

The beginning of the school year saw just over 300 companies signing the Student Privacy Pledge. This pledge was first introduced by the Software & Information Industry Association (SIIA) and the Future of Privacy Forum (FPF) in October 2014 and became legally enforceable for companies that signed the Pledge and provide services to schools. “The Pledge requires participating companies to follow 12 obligations including: not selling student personal information, not using collected information for behavioral advertising and clearly disclosing privacy” (300: Rise of Student Privacy Pledge, ¶3).

Impact on Districts

By signing the pledge, vendors commit to protect students’ data and privacy. For districts, protecting this data should be paramount. Vendors that have signed the pledge declare that they are committed to this goal. Districts should take this into consideration when choosing vendors to work with. The DPSS Inventory Tool helps districts to easily determine if a vendor has signed the pledge.

Recent FCC Ruling

The recent FCC ruling in October protecting consumer data does not go far enough. The FCC issued a ruling that ISPs need to get consent before sharing consumer information with third parties. ISPs have the ability to collect a variety of information ranging from a consumer’s location (GPS) to health information to items that they purchase. In the past, this information has been provided to marketers. Now, ISPs will need to provide their customers with information on the type of data they collect as well as how they keep sensitive data secure. They will also be required to notify customers of security breaches within 30 days. The FCC’s regulations do not extend to web-based companies such as Google, Facebook, Yahoo, and Twitter, to name a few. These companies can still collect, share, and market personally identifiable data.


Recent Events

Yahoo Email Breach

In late September 2016, Yahoo announced that their e-mail systems had been hacked in 2014. The hack included the theft of data/information from at least 500 million Yahoo accounts. This hack may be the largest ever by sheer number of users affected. A hack of this size, against an internet company of Yahoo’s stature, should serve as a wake-up call for all organizations that there is no such thing as being secure enough. As of now it appears that this hack may have been carried out by a state sponsor, but as with other recent hacks there is no reason to believe that a sophisticated organization is required to carry out such an attack.

Impact on Districts

The Yahoo e-mail breach has broad implications for data security. First and foremost is the potential compromise of user passwords. If a teacher or staff member in a district had their Yahoo account compromised there is a possibility that their school account password has been compromised as well. Many users re-use their passwords across services and locations. Users should be encouraged to reset their passwords for all accounts including those related to school use. Districts should further consider implementing password complexity policies, as well as reset policies.
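The two controls recommended above, a password complexity policy and a reset policy, plus a check that a new password is not one already exposed in a breach, can be enforced at the point where a school account password is set. The script below is an added illustration written for this digest, not code from DPSS or from any district system. It assumes a constructed breached-password list (stored as SHA-1 hashes, the form public breach corpora distribute, so the plaintext list never has to be kept), constructed account records, and policy thresholds (12 characters, 180-day maximum age) chosen only for the example; a real deployment would take the breach list from a maintained feed and set thresholds from district policy.

```python
"""Password-change checks for a district directory (added example, not DPSS code).

Rejects candidate passwords that are weak, contain the account name, or appear in
a breached-password list, and reports accounts whose password is older than the
reset policy allows. All data below is constructed for the example.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed breached-password list. Real corpora publish SHA-1 hashes of leaked
# passwords; SHA-1 is used here only to match that format, never to store passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Welcome2016!", "yahoo1234", "Spring2014")
}

MIN_LENGTH = 12                          # assumed policy value
MAX_PASSWORD_AGE = timedelta(days=180)   # assumed reset-policy value


def is_breached(password: str) -> bool:
    """True if the candidate's SHA-1 hash is in the breached-password set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules a candidate violates (empty list means it passes)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 of: lower, upper, digit, symbol")
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated 3+ times in a row")
    return problems


def evaluate_candidate(password: str, username: str) -> list[str]:
    """Full check for a proposed password: complexity, account-name reuse, breach list."""
    problems = complexity_problems(password)
    if username.lower() in password.lower():
        problems.append("contains the account name")
    if is_breached(password):
        problems.append("appears in a known breach list")
    return problems


@dataclass
class Account:
    username: str
    last_password_change: date


def accounts_due_for_reset(accounts: list[Account], today: date) -> list[str]:
    """Usernames whose password is older than MAX_PASSWORD_AGE on the given date."""
    return [a.username for a in accounts
            if today - a.last_password_change > MAX_PASSWORD_AGE]


if __name__ == "__main__":
    # Constructed directory records and candidate passwords.
    directory = [Account("jsmith", date(2016, 3, 1)), Account("mlee", date(2016, 10, 15))]
    for candidate in ("Welcome2016!", "jsmith2016aaa", "Tr0ub4dor&3-sunrise"):
        print(candidate, "->", evaluate_candidate(candidate, "jsmith") or "accepted")
    print("due for reset on 2016-12-01:", accounts_due_for_reset(directory, date(2016, 12, 1)))
```

The breach check compares hashes rather than plaintexts so the list of leaked passwords is never stored readably; the age check is what turns a "reset your passwords" reminder into something the help desk can act on, by listing exactly which accounts are past the policy limit.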

For further details on the breach visit here.

What ripple effects might the Yahoo data breach have on the rest of the internet? Visit this site for more information.

What should you do if you think your account was hacked? Visit these two sites for helpful tips:

Yahoo’s Data Breach: What to Do If Your Account Was Hacked

What to do if your Yahoo account was hacked

The New York Times took a deep dive into Yahoo’s past regarding security policies and examined their decisions in contrast with those of other companies such as Google. The differences in reactions between the organizations are evidence of the importance of security and of how differing priorities within the companies led to the breach that we have only recently learned about.

You can read the full article here.

Recent Data Breaches

There have been several data breaches around the country in the last few months related to student data. It is important to be aware of these breaches and their origins. In most of the below breaches, the cause was users being careless with data. In one scenario (Katy ISD) a user uploaded data to a software application. In another scenario, lax network security policies led to students having access to files on the network that should have been protected.

Impact on Districts

Not all data breaches are caused by outside parties and hacks. In many scenarios, data breaches are caused by careless users or lax policies. Districts should remind users of the importance of protecting student and staff data, and that a data breach doesn’t have to be a hack.

Losing a flash drive with PII data is considered a breach and should be reported immediately.

Below find links including details regarding the various breaches that have occurred:

Upper Arlington Schools Data Breach: Click Here

Katy ISD Data Breach: Click Here

UCF Data Breach: Click Here


Recent Events (Continued)


October 21, 2016 DDOS Attack

On October 21, 2016 a significant DDOS attack occurred against DYN, a provider of DNS services for websites in the United States. This DDOS attack caused many websites to appear offline. The map below shows the scope of the impact of the DDOS on internet users. In many regions, the internet appeared unusable for several hours until DYN was able to mitigate the DDOS attack. The attack itself was carried out using basic devices connected to the internet, including DVRs, Blu-ray players, TVs, webcams, etc. These devices are connected to the internet and have extremely weak security protections. The attack is an example of the vulnerability of the internet and our reliance on it. It serves as an example to be used with staff about having backup and alternative plans available. It is likely that this attack impacted teachers who had planned lessons utilizing affected websites. Additionally, for technology personnel it can be used as a case study in mitigating a DDOS attack and having an appropriate response.

Summary of Attack:

For more on how the attack was carried out and what it means visit this site.

For details on the devices used in the attack, visit here and here.

Ways to Respond and Mitigate DDOS:

Sophos has some helpful suggestions on what all users can do to help prevent future attacks. What should you do if you are under a DDOS attack? Visit these sites for helpful tips:

The 5 Essentials of DDoS Mitigation

How to defend against the internet's doomsday of DDoS attacks

Image used with permission from WikiMedia.

For Further Information Contact Your Local RIC. Click here to find your local RIC contact

For Subscribers to Service:

Digests & Archived Digests

D3: Digital Digest Debrief

Inventory Tool

Information Security Online PD for Teachers

Digital Blasts

Access to password protected resources on the RIC Data and Security website: http://www.nysdsp.org

Data Privacy and Security Professional Development
