NBC News recently published an article titled Hackers are leaking children’s data — and there’s little parents can do, in which an investigative team looked at hacker websites to see how widespread the sharing information and school-age children was on the Web. “In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft,” noted the article.
One of the alarming discoveries was that many schools where student information had been hacked were unaware of the problem. Even more problematic, most schools have no plan in place to protect the private information of their students. Student information collected by schools often includes sensitive information like birthdays, parental marriage status, health conditions, and even social security numbers.
Under new consumer privacy laws, such as the California Consumer Privacy Act and the Colorado Privacy Act , public schools and other public sector institutions are currently exempt from compliance with the strict regulations facing businesses in their handling of consumer information. Given the prevalence of children’s information on hacker websites, this begs the question of whether schools and public agencies should be required to comply with data privacy regulations, and what responsibility they have to manage student information responsibly.
In some cases, it is not hackers, but schools that are taking an active role in policing students’ online presence, blurring the lines between enforcement of school policies and free speech. In 2020, two students were suspended from a Georgia high school for posting a picture of a crowded hallway during the Covid-19 pandemic, with many students not wearing masks. “One of the disciplined students, [a]15-year-old sophomore, [said] she received a five-day suspension for posting one video and one photo to Twitter, neither of which were the original viral photo,” reported a BuzzFeed article. The fact that the school not only tracked posts on her personal social media feed, but took disciplinary action demonstrates how the digital lives of children can collide with real-world consequences. Many parents and media outlets raised alarm that the student was not the original photographer, and yet received a suspension for sharing someone else’s photo.

This may change with a recent 2021 Supreme Court decision in the “F-Bomb Case,” which found a Pennsylvania school had violated a student’s free speech when it suspended her for using the F word on social media (click here for more). Of note, while the Supreme Court decision addresses free speech protections for students, it does not address whether schools have the right to monitor and capture information about students online in the first place. An important question to consider here is what methods schools use to track and where they store such information. In some cases, schools have reported hiring third party companies to help them track social media posts form students. In such cases, would the third party company be required to comply with data privacy laws like the CCPA and others even while schools are exempt?
Schools and school districts tend to store a lot of data on children, and often they don’t have the money to pay for dedicated cybersecurity experts or services, Doug Levin was quoted as saying the NBC article. Levin is the director of the K12 Security Information Exchange, a nonprofit organization devoted to helping schools protect against cyberthreats.“I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure, and I think everyone is at wits’ end about what to do when it’s exposed,” Levin said. “And I don’t think people have a good handle on how large that exposure is.”
Recent ransomware and cyber attacks against public schools are accelerating, forcing parents and educators to see that their students are easy targets for hackers. According to a report released by the K12 Security Information Exchange and the K-12 Cybersecurity Resource Center, 2020 marked a “record-breaking” year for cyber attacks against public schools in the U.S. The report includes data from the center’s K-12 Cyber Incident Map, which recorded 408 publicized school cyber attacks in 2020, representing an 18 percent increase over the previous year.Nearly 40 percent of K-12 cyber incidents included data breaches and leaks, while approximately 12 percent involved ransomware (source: https://www.govtech.com/policy/2020-marks-a-record-breaking-year-for-cyber-attacks-against-schools.html)

Schools have been steadily increasing their use of technology, even before the pandemic forced them to shift to online learning. Despite the increase in technology adoption in learning environments, security measures have not kept pace. Strapped budgets for many years have lead to big lapses in cybersecurity protections and little or no thought given to data privacy for students.
With students heading back to school this fall, the question of who protects their personal information will be at the forefront of parents’ minds. Data privacy regulators should take note.