These days, it is rare to read or listen to the news without hearing of an incident where sensitive personal information stored by private companies, universities, or government agencies is stolen or compromised.
Such incidents can be the work of a sophisticated hacker, but in many cases “human error,” such as leaving a laptop in the car or using easy-to-guess passwords, is a contributing factor.
The Privacy Rights Clearinghouse, a non-profit organization, conducts research regarding the use of technology in the workplace and school classrooms, and the impact of technology on individuals’ privacy rights. Through a chronology of data breach research, the Clearinghouse reported that from 2005 to 2014, as many as 727 data breaches were reported by educational institutions, resulting in an estimated 14 million breached records containing sensitive student, faculty, parent, and vendor information. (Source: EDUCAUSE Higher Education Information Security Council, Just in Time Research: Data Breaches in Higher Education, 2014.)
Data and security incidents in a school district can be expensive to resolve, cause distrust of the district among employees and the school community, and create possibilities for litigation. If you question whether this can happen to you, it can. Experts in the field of cyber security caution educational entities against assuming that a data breach could never happen to them.
To protect the school district from a data breach, it is important for each district to begin the prevention phase by looking internally:
An annual or semi-annual review of internal protocols and plans related to cyber security, storage of electronic information, and, most importantly, what steps to take in the event of a perceived breach, should be as routine as reviewing the district’s emergency operations plan. If your school district does not have an information security program or plan in place, there is no better time than now to create one.
Create an Information Security Program
A simple way to begin the process of creating an information security program is to conduct a risk assessment and create the program or plan around the identified risks. The risk assessment should identify the varying types of information and data stored, collected, and maintained by the district, and identify vulnerabilities to the protection of the information, such as the potential for hackers to infiltrate systems, malware downloads, or employee error.
Identify/Create an Incident Response Team
It is also important for districts to identify key personnel who should be a part of the incident response team in the event of a breach or perceived breach. Members of the team will typically include IT directors and technicians, but districts should also consider including human resources directors, community relations managers, business managers, and other pertinent administrators.
Fund Members who have property and/or liability coverage already have Privacy & Information Security coverage at no additional cost. The coverage includes access to one of the world’s premier providers of data breach response services, the Beazley Group.
When a school district suspects or knows that a data breach has occurred, the district should email us or call Marcy Barker, Claims Manager, at 855.295.8344. Visit the Fund’s Privacy & Information Security coverage page for more information about the coverage.
Editor's note: This article was originally published in November 2015 and has been updated for accuracy and comprehensiveness.