BreachExchange mailing list archives

Schools Learn Lessons From Security Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 21 Oct 2015 17:51:11 -0600

http://www.edweek.org/ew/articles/2015/10/21/lessons-learned-from-security-breaches.html

When an employee of the Provo, Utah, school district mistakenly clicked on
a phishing link in an email last year, the private data of about 500
employees were put at risk.

District officials personally went to every school and district department
to meet with employees face to face and explain what occurred. The district
also paid the bill for a year of credit monitoring for employees.
Afterwards, the district altered its practices on sharing sensitive
information to improve data security, and employees were retrained to
better recognize suspicious links and other scams.

"It was a kind of learn-as-we-went-along kind of thing," said Caleb Price,
the spokesman for the 13,000-student district.

Many districts have found themselves in similar situations. They are
vulnerable to outside hacking, in-house errors, and even technology gaps at
companies they work with. The consequences of a data breach can be
embarrassing and expensive, with the potential for costly lawsuits and
other problems.

One challenge is that school systems often lack specific plans for dealing
with data breaches once they occur, experts say. But in today's climate,
where major corporations like Home Depot and Target are having a difficult
time fending off hackers, security experts say school districts need to
prepare.

"Right now, we are at a crossroads with how to deal with data breaches,"
said Amelia Vance, the director of education data and technology for the
National Association of State Boards of Education. "Parents want to know
the data that schools have can be protected, … but when you're dealing with
data, there's always a level of danger."

Lawmakers are starting to take action. Forty-seven states have data-breach
laws that apply to public entities, including school districts. Many states
have also passed laws or introduced bills aimed specifically at protecting
education data. Some of those states—including California, New Hampshire,
and Utah—have passed laws that require districts to notify students,
parents, or employees if the security of personally identifiable
information is compromised.

But districts are still catching up, said Dane Lancaster, the chief
technology officer for the Marin County, Calif., office of education, which
supports 19 area districts. Lancaster is also chairman of the Technology
and Telecommunications Steering Committee of the California County
Superintendents Educational Services Association, which has produced a
data-privacy guidebook for districts containing a range of best practices,
sample vendor contracts, and steps to take when a data breach occurs,
Lancaster said.

Districts are "probably not" prepared, he said. "Many districts don't have
the resources."

Hacking and Phishing

To help districts prevent and prepare for such data breaches, the
Consortium for School Networking has developed SEND, or Smart Education
Networks by Design, as a guide. It recommends a host of
technical-network-security strategies to keep private data secure. The
organization's cybersecurity-planning framework also aims to help districts
determine whether they have prepared adequately in areas such as
technological readiness, data-breach handling when it happens, and
minimizing the impact on students and employees.

Chris Paschke, the director of data privacy and security for the
86,500-student Jeffco public schools in Golden, Colo., said his district's
technology infrastructure is constantly being probed for
weaknesses—students getting teachers' passwords and hacking into the
system, phishing links, and denial-of-service attacks, he said.

The key, he said, is to be prepared, including the drafting of a formal
preparedness plan. He also said the district prioritizes what he calls "log
management," so if a security breakdown occurs, the district can track it
and determine what took place. Some districts are also investing in
insurance policies to cover litigation that might result from data that
don't remain private, as well as to cover the cost of cleaning up from a
cyber attack, he said.

"What's unique to our industry is balancing that need for teachers to be
able to explore and be innovative and creative with technology, versus
keeping kids and their data and all of our district members' data safe," he
said.

School systems may find themselves walking a fine line when a data breach
occurs, said Noelle Ellerson, the associate executive director of policy
and advocacy for AASA, the School Superintendents Association. Districts
need to be open about a breach to make sure they inform those affected and
make sure it doesn't appear they're hiding anything. But before announcing
an incident, school leaders also must make sure to correct the problem and
seal off any other data that could be at risk, she said.

"You don't want to sit on it and look like you're trying to be sneaky,"
Ellerson said. "But if you haven't been able to fully address the problem,
you don't want to call attention to it."

'Everybody Is Vulnerable'

Having a relationship of trust in place between district leadership and the
school community before an incident occurs makes a difference in that
process, said Judith Saxton, the director of communications for the
5,400-student Mount Pleasant, Texas, district, which discovered a data
breach in January. A district investigation determined that about 915
former employees had their private data accessed. The superintendent
notified employees and the public, and the school community appeared to
accept that the district was taking necessary steps to rectify the
situation and protect data, Saxton said.

Though the private data accessed was only that of former employees, the
district provided all employees with credit-monitoring services for a year,
at a cost of $36,000, Saxton said. Since former employees were difficult to
track down, district officials said they were not given credit-monitoring
services.

"We were open and honest and direct," she said. "The community here knows
that if something happens, we're going to be as transparent as possible."

During the investigation by Mount Pleasant officials, Technology Director
Noe Arzate said he discovered the district system itself had not been
breached and that the incursion was likely through a third-party
vendor—possibly a health-care company—that did business with the district.
"To this day, we really don't know how this data got out," he said.

Many states, including California, provide technical expertise to districts
in these situations. In the 4,000-student Southwest Licking Local district
in Pataskala, Ohio, two students hacked into district data earlier this
year and retrieved Social Security numbers for about 100 students. To
investigate, the district used its own personnel plus technical help from
the Licking Area Computer Association, which provides technical services to
local districts, said district spokeswoman Paula Brunton.

The security lapse was corrected, and the breach was traced to the two
students, who were expelled from the district and prosecuted by local law
enforcement, Brunton said. The students whose private data were accessed
were offered credit-monitoring protection. All school secretaries were
equipped with a statement to provide to concerned parents, and the district
went through a "refresh" with staff, having them update passwords and
review proper data-security procedures, Brunton said.

"Everybody is vulnerable" to cyberattack, she said. "It's not inevitable,
but it certainly is possible."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
