Data Privacy & Security Service Digital Digest_Summer 2019

Data Privacy & Security Service DPSS Digital Digest

IN THIS ISSUE: Chief Privacy Officers: The Unicorns of K-12 Education, Cyber Hygiene, and more!

The Summer Issue

Data Protection Officers: Who Will Be Your Unicorn? by Matthew Hejna, Nassau BOCES

POSSIBLE DUTIES AND RESPONSIBILITIES: • Primary point of contact for data security and privacy. • Implement privacy governance measures to manage the use of personally identifiable information to ensure compliance with Education Law §2-d (e.g. PII is only used for the benefit of students and the educational agency). • Coordinate the implementation of the policies and procedures required under Education Law §2-d and Part 121. • Monitor the educational agency’s compliance with state and federal data privacy laws and regulations. • Develop a procedure for parents and eligible students to file complaints about breaches or unauthorized releases of student data and for the complaints to be addressed. • Facilitate the delivery of an annual information privacy and security awareness training. • Review projects, contracts and procurements that will create, collect or process personally identifiable information for compliance (privacy impact and data security assessment). SOME SUGGESTED KNOWLEDGE, SKILLS AND ABILITIES: • Ability to gain a working knowledge of state and federal laws that protect personally identifiable information, including Education Law § 2-d, and FERPA. knowledge of basic data security and privacy concepts. • Ability to interact effectively with people at all organizational levels of the agency. • Ability to exercise leadership, influence change and implement solutions. • Ability to handle confidential and sensitive information with discretion. • Ability to gain a working

The proposed addition of Part 121 to the Regulations of the Commissioner relating to student data privacy (Education Law §2-d) requires the designation of a Data Protection Officer (DPO): “Each educational agency shall designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law §2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. Such officer(s) must have the appropriate knowledge, training and experience to administer the functions described in this part. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.” While the proposed regulations are still pending, the Chief Privacy Officer has issued the following guidance so school districts can start considering what administrative position these responsibilities would fall under: ORGANIZATIONAL RELATIONSHIP: • It is recommended that the DPO’s reporting structure provide access to leaders with decision making authority. • It is recommended that the DPO/ school district annually report on the agency’s data security and privacy posture/performance to its Board. • A DPO will need to collaborate with internal stakeholders (IT, information security, internal audit, school attorneys, etc.) to effectively fulfil this role.

Two examples of how other school districts have approached similar positions are cited in an EdSurge News article by Emily Tate, “Chief Privacy Officers: The Unicorns of K-12 Education” (February 25, 2019). Both the Denver Public Schools’ Student Data Privacy Officer and Baltimore County’s Director of Innovation and Digital Safety work closely with legal and school leadership teams to establish vendor contracts and district policies and procedures to ensure that their schools are compliant with federal and state privacy laws and to build trust with their communities. The article also references a January 2019 report issued by the Center of Democracy & Technology, “Chief Privacy Officers: Who Are They and Why Education Leaders Need Them.” This in-depth study “focuses on a variety of practices that can support [the role of a Chief Privacy Officer], and is divided into two sections: first, the role that education organizations can play in making CPOs successful, and second, the role that CPOs should play in protecting student privacy across the organization.” This comprehensive brief also includes an appendix with a sample job description, along with examples of tasks for potential candidates to assess their content knowledge and working style. Regardless of when the new legislation is approved, the report advises school districts to take a proactive approach: “Rather than wait for a data incident or legal mandate, education leaders can support their efforts to effectively use data by being proactive and empowering a senior leader to ensure the organization fulfills its responsibilities to protect the student data with which it is entrusted.”

Cyber Hygiene

Ghost users are inactive but enabled accounts that are a key means for hackers to infiltrate a system/ infrastructure. Reportedly over 65% of companies have 1,000 state user accounts. Left unmonitored, attackers can easily steal data and cause disruption without being detected. Another Addressing and establishing security levels, as well as implementing multi-factor/ 2FA authentication, is paramount to data security protocol. You can also check out this arti- cle from the K-12 Cybersecurity Re- source Center that explains what the DBIR says about K-12 cybersecurity. human error giene and lack of attention to detail.

security vulnerability to address are accounts with non-expiring passwords. To combat this issue, the IT department needs to set expiration dates for all user accounts, monitor login activity, and deploy multi-factor authentication. Use this link to read more about this cyber hygiene best practice.

Ghost Users and Non-Expiring Passwords

The 2019 Verizon Data Breach Investigative Report is based on 41,686 security incidents of which 2,013 were confirmed data breaches. The report is 78 pages and packed with information dealing with types of breaches, where they took place, who was involved, and the motivation behind them. The most promising outcome was the consensus that many breaches are the result of poor security hy-

Getting Privacy Policies Right, the First Time

Privacy policies for schools should be written in clear and simple language for review by the school technology administrator and school board. The policy should also be reviewed by the contracting officer to ensure schools are only providing data as FERPA allows, and that the data is provided for appropriate educational use. Without taking these steps schools can’t be sure their privacy policy is compliant.

For more on this use this link.

39 States Have Passed 121 Student Privacy Laws as of 2019 Ferpa Sherpa, the Education Privacy Resource Center, posted a comprehensive list of all state student privacy laws passed from 2013 to present. The listed laws focus on student privacy or contain significant student privacy regulations. Use this link or click the map and learn how states across the nation are working to protect student data privacy.

What is Malvertising?

Malvertising, also known as mali- cious advertising, is the ability to spread malware through adver- tising and compromised systems. Malicious code is infused into ads that are legitimately displayed on various websites, exposing users visiting these sites to possible in- Our Satellites are Prime Targets for Cyberattacks

will be infected.

fection. The advertising networks and websites are not aware of this risk. In addition, it is difficult for cyber- security experts to identify which ad is the culprit, as ads continually change and not everyone visiting

Exploit kits are used to install mal- ware by bypassing security. The most popular kit currently in use is the Angler Exploit kit.

F or more on this threat click here.

Hackers are a threat to our digi- tal infrastructure, but an area that needs attention is the vulnerabil- ity of space satellites. There is no oversight agency or policy in place in regard to securing space infra- structure. While the FCC regulates communications, space security is in the hands of the private sector.

Access this link to learn more.

The FBI has reported that an on- going cyber insider threat involves former or disgruntled employees who exploit their access to net- works, software, login credentials and administrative permissions to harm companies. While the threat is motivatedmost- ly by a need for revenge, some also

engage in extortion for profit. This report outlines specific trends over the past three years, as well as steps to put in place to protect your community from attacks.

FBI Warns of Cyber Insider Threat Actors

Use this link to learn more about trends, methods and to see more recommendations.

Cybersecurity Resources

The Federal Bureau of Investigation is now providing additional guidance and resources to combat internet crime. The FBI’s Internet Crime Complaint Center (IC3) released their 2018 In- ternet Crime Report, filled with inter- net crime statistics and information about the IC3 department, as well as common scams.

The FBI has also started the Protect- ed Voices initiative to address the “risk of cyber influence operations targeting U.S. elections.” You can learn more about this initia- tive, and access a series of free train- ing videos, by clicking this link. Report internet crime to the FBI us- ing ic3.gov.

Click the play button to view the Protected Voices training video on Social Engineering

Data Privacy & Security Service Digital Digest

Contact your Local RIC for additional information. Click here to find your local RIC contact. For Subscribers to the Service: • Digests & Archived Digests • Digital Debrief • Inventory Tool • Information Security Online Professional Development • Digital Blasts

“Free” apps often come with hidden costs. This EdSurge article highlights three app privacy evaluation tools that can help you decide if an app is appropriate for students. You may find that “free” app might not be worth the “cost.”

Is this App Safe for Kids? These tools can help you decide

Page 1 Page 2 Page 3 Page 4 Page 5 Page 6

Made with FlippingBook Learn more on our blog