a hacker in a hoodie uses a laptop


As another school year progresses with continuingly challenging and complex issues, your school district must pay attention to its obligations to protect student data. Threats of disclosure of confidential and sensitive student and employee data are numerous and dangerous.

Criminals have preyed on remote learning and remote work from home to initiate attacks on school district data. It only takes one person to compromise an entire school district’s data. All employees, including school board members, administrators, teachers, and all other staff, must be aware of their responsibilities for cybersecurity.

This article focuses on the most common incidents of attacks and breaches and explores some ways to reduce risks.

What to be worried about

Ransomware attacks are the most reported cyber incidents facing school districts. In these incidents, criminals hold school districts’ systems and data hostage in exchange for payment of cryptocurrency. These attacks often disrupt operations to the point of shutdown and can cost millions of dollars.

Not long ago, robust air-gapped backup systems reduced or eliminated the risks associated with such attacks. But the rise of the double ransom—where the attacker group requires payments to secure its promise not to release data on the internet—has limited mitigation by backups. As a result, school districts may face an uncomfortable decision with a short time fuse of whether to pay thousands or millions of dollars in ransom to avoid having student data released on the internet.

Overseas criminals are the perpetrators of many attacks. The increased availability of ransomware using a business model like that used in the software industry (ransomware as a service) has enabled more attackers to engage in illegal activity. Some criminal groups intentionally target school districts because of the lucrative result of the attacks and the percentage of districts that pay ransoms to restore systems and prevent exposure of sensitive data.

Data breaches may happen as part of a ransomware attack (a double ransom) or as a stand-alone event. Even an inadvertent disclosure or loss of a device with sensitive information may meet the legal definition of a breach. Each state and territory has its own data breach notification laws, some of which clearly apply to public school districts, some of which do not apply, and some of which are ambiguous. It is critically important to treat even potential breaches or compromises as serious and investigate each.

Vendors have custody (but not ownership) of districts’ most important and sensitive data. Do not assume that because the vendor has custody of data that it is solely responsible for keeping the data secure and is actually doing so. By default, under many state laws, the school district as the data owner bears responsibility for actually sending notice to affected persons after a vendor experiences a breach.

Social engineering fraud occurs when a criminal tricks a district employee into wiring or transferring funds to the criminal’s account. An example is a change to wiring instructions that is not properly verified.

What your district can do now

Leadership by the school board is crucial. These threats go well beyond the information technology department and can shut down the whole district for days. Boards that view cybersecurity as an IT-only issue will change that limited view when incidents threaten the operations or financial viability of the district.

School boards may engage these issues by:

  • Asking questions so that they are well-informed about the district’s current cybersecurity policies and procedures.
  • Dedicating resources, including financial resources, to cybersecurity.
  • Carefully reviewing contracts with vendors who have access to or custody of district data.
  • Reviewing internal district policies related to cybersecurity.
  • Ensuring the district carries appropriate cyber insurance to cover financial risks.

Training and awareness for all district staff can significantly reduce the risk of cyber incidents. The acts or failures of any single district employee (clicking on a phishing email, losing a device, wiring money incorrectly) can and often do affect the whole district.

Multifactor authentication, including two-factor authentication, is an effective tool to make unauthorized access more difficult. Even if an attacker gets a username and password (one factor), they are not as likely to have that person’s phone with the code required to log in (the second factor).

Cyber insurance policies may provide some financial protection for covered incidents. Not all cyber insurance is equal. Many school districts have purchased cyber insurance without careful examination of the policy, and they discover its limitations only when the districts make a claim.

Contracts with vendors are very important for reducing vendor-related risks. Contracts should treat in detail, among other matters, what the vendor will do to keep data secure, what insurance the vendor will carry, and who is responsible for what if a breach occurs. These provisions should be included in contracts with “free” vendors who have district data but to whom no payment is made to ensure they do not use data for improper purposes.

Cyberattacks and breaches are unfortunately inevitable. The risks to student data and district financial data have never been greater. However, school boards can manage these risks and the outcomes of incidents when they do occur.

Adam Griffin (adam.griffin@arlaw.com) is a partner with Adams and Reese LLP and advises school districts nationwide on issues about data privacy and security.

Around NSBA

Six students conduct a science experiment with potatoes and electrodes.

2024 Magna Awards: Silver Award Winners

The 2024 Magna Awards program recognizes 15 exemplary district programs in three enrollment categories as Silver Award winners.