As reported by CNN, a high school principal in Pikesville, Maryland, found his life and career turned upside down when in January a recording suggesting the principal made racially insensitive and antisemitic remarks went viral. The school faced a flood of calls from concerned persons in the district, security was tightened, and the principal was placed on administrative leave. No doubt, a challenging situation for any human resources executive, one made far more difficult because of AI.

An investigation ensured, all the while the school principal maintained that he did not make the statements in the recording – it was not his voice, he claimed. Of course, the “recording” was good enough to put the school district on edge.  

It was not until months later, in late April, that a Baltimore County Police Department investigation concluded that the recording was a fake, a “deepfake,” generated by artificial intelligence (AI) technology. As reported by CNN, Baltimore’s County Executive, Johnny Olszewski, observed:

“Today, we are relieved to have some closure on the origins of this audio…However, it is clear that we are also entering a new, deeply concerning frontier.”

Deepfake AI is a type of artificial intelligence used to create convincing images, audio and video hoaxes. Although deepfakes might have some utility, such as for entertainment purposes, they blur the lines between reality and fiction, making it increasingly difficult to discern truth from falsehood. As in the case of the Baltimore school principal, misuse raises significant concerns, particularly in the workplace. It turns out that the deepfake recording may have arisen from an employment dispute that the principal was having with the high school’s athletic director.

The US Department of Homeland Security and other agencies have recognized the threat deepfakes present. At the same time, the technology is getting easier and easier to use and harder to identify. In this case, it took three months for the Baltimore County Policy Department to investigate and make a determination about the recording.

The World Economic Forum’s “4 ways to future-proof against deepfakes in 2024 and beyond” offers a sobering suggestion for dealing with deepfakes – zero-trust.

This mindset aligns with mindfulness practices that encourage individuals to pause before reacting to emotionally triggering content and engage with digital content intentionally and thoughtfully.

This may not be the mindset most HR professionals prefer to have at or near the top of their lists. But in this context, when presented with electronic material or even a photograph from an unknown source, despite how real it might appear, intentionality and thoughtfulness should prevail.

Consider being presented, as here, with a video, a recording, or some other image, photograph, or transcribed conversation, containing insensitive remarks purportedly made by an employee about another’s race, religion, gender, etc. An organization might not have a police department that is willing and able to assist, although they might have just as much pressure in the workplace from persons reacting to the content, believing it is authentic when it may be nothing more than a fake. Having an internal plan outlining a process for investigation and resources (internal or external) lined up to evaluate the material would help to ensure that intentionality and thoughtfulness. Such a plan might also guide decision making around the various employment decisions to be made along the way, including internal and external communications, should the investigation carry on.

This is only the beginning.

In a 2019 post about increasing cyber risks in K-12 schools, we cited a report, “The State of K-12 Cybersecurity: 2018 Year in Review,” that contained sobering information about cybersecurity in local school districts across the country. According to that report, in 2018, there were 122 publicly-disclosed cybersecurity incidents affecting school districts across 38 states. Not much has changed. A more recent article looking at ransomware activity in 2023 reports there being 120 attacks against school districts thus far in the year.

Yesterday, the Biden administration announced “new actions and private commitments to bolster the nation’s cyber defense at schools.” Among the actions:

Secretary of Education Miguel Cardona and Secretary of Homeland Security Alejandro Mayorkas, joined First Lady Jill Biden, to convene school administrators, educators and private sector companies to discuss best practices and new resources available to strengthen our schools’ cybersecurity, protect American families and schools, and prevent cyberattacks from disrupting our classrooms.

Perhaps more impactful in the short term are references in the announcement to (i) additional funding sources for schools, and (ii) recently released guidance, “K-12 Digital Infrastructure Brief: Defensible & Resilient,” jointly published by the U.S. Department of Education and the Cybersecurity and Infrastructure Security Agency (CISA). In particular, the guidance  outlines, among other things, some “High-Impact Recommendations,” such as implementing multifactor authentication. Potential sources for increased funding include an FCC proposed pilot program to provide $200 million over three years. School districts might also consider possibly allocating funds that remain available from the Elementary and Secondary School Emergency Relief Fund (ESSER Fund) established during COVID-19. Also, AWS recently pledged $20 million to a grant program designed to support for training and incident response at schools.  

While it is true that school districts are often understaffed and underfunded, including in the area of cybersecurity, there some areas of potential low-hanging (and relatively inexpensive) fruit more schools might be to address more readily. One of those is incident response.

Even if a district is not in a potion to take all the steps it might want to in order to prevent an attack, it might be able to vastly improve its plans to respond to an attack. Doing so, could significantly impact the disruption to students and related communities.

The White House report notes that during the prior academic year four school had to cancel classes or close completely in response to an attack.

Below are a few basic elements that should be included in an incident response plan (IRP):

  • identifying security incidents;
  • responding to security incidents; and
  • mitigating harmful effects of security incidents.

Certainly, each of these elements might look different district to district considering size, number of locations, information systems, prior experience, cyber insurance policies, type of personal information, and state laws. But they are important elements for any plan.

More specifically, school boards will want to think about who will be doing the responding – who is on the “security incident response team.” This is a team that is organized and trained to effectively respond to security incidents. Areas to consider when forming and building a team include:

  • A strong balance of skill sets among team members (IT, legal, communications, etc.)
  • Ensure lines of communication will be available among team members during a crisis
  • Consider external parties that can provide specific expertise concerning incident response
  • Commit to regularly practicing incident response procedures for different types of attacks.

Among other things, the IRP should help direct the team on mitigation efforts. Mitigation efforts are facilitated through measures such as contingency planning, robust data backup, and recovery processes. These are areas that should not be thought about by the school board or superintendent when a security incident occurs. For example, knowing that you have a backup of student data is not enough, regularly making sure you are able to restore from backups while maintaining integrity is key to minimizing disruption to the district.   

There is a lot that can be said about steps to take toward preparedness and IRP development, but the point is these are examples of measure that can be implemented more quickly and at less cost to help a district affected by a breach. Importantly, they can minimize the impact of the breach on the district and get kids back in the classroom more quickly.  

test

We observed in a post on this blog that government agencies, businesses, hospitals, universities and school districts are frequent targets of data breaches that can affect millions of individuals.   Cyberattacks on school districts continue to appear in the news. In January, students in the Pittsburg Unified School District (California) were left without internet access as a result of a ransomware attack, which compromised the schools’ servers and email. The Richmond Community Schools in Michigan suffered a similar cyber attack when threat actors infiltrated and locked down the schools’ servers and demanded a $10,000 ransom to return control of those servers.

The cyberattacks are compromising school vendors, too. In December, a student hacker committed a “brute force” attack on Naviance, an ed-tech provider that collects sensitive information on behalf of school districts throughout the United States. The attack on Naviance exposed the personal information of approximately 6,000 students. There are countless stories of other ed-tech providers sustaining similar cyberattacks.

It comes as no surprise in face of these cyberattacks that New York State regulators are taking action to protect personal information that schools and their vendors collect and maintain. We reported on this blog that the New York State Department of Education (“SED”) proposed new regulations (“Regulations”) to require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. On January 14, 2020, the Board of Regents formally adopted the Regulations (which were modified since their initial publication). The Regulations were effective January 29, 2020.

While broad in scope, the Regulations include several requirements that are particularly noteworthy for schools and their vendors. They include:

  • School contracts – including “click wrap” agreements — with vendors who receive PII must state that the vendor will maintain all information in accordance with federal and state law and the school’s security and privacy policy.
  • Schools must include a Parent’s Bill of Rights in every contract with vendors who receive PII.
  • All schools must follow the National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”) as the standard for data security and privacy.
  • All schools must adopt by July 1, 2020 a data security and privacy policy that implements the requirements of the Regulations and aligns with NIST CSF.
  • Schools must publish their data security and privacy policies on their websites.
  • Schools must provide data privacy and security awareness training to officers and employees with access to PII.
  • Schools must designate a Data Protection Officer (“DPO”) who is responsible for the compliance program and to otherwise serve as a point of contact for the schools on data security and privacy matters.
  • Vendors that suffer a breach of PII must notify the affected schools within seven (7) calendar days; the schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

These Regulations certainly impose many new obligations on schools. Schools are urged to contact qualified legal counsel as they begin to develop and implement a comprehensive data security and privacy compliance program to comply with the mandates of the new Regulations.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

4822-0398-2004, v. 1

Image result for k-12 back to schoolA new school year is upon us and some students are already back at school. Upon their return, many students may experience new technologies and equipment rolled out by their schools districts, such as online education resources, district-provided equipment, etc. to enhance the education they provide and improve district administration. However, a recent report, “The State of K-12 Cybersecurity: 2018 Year in Review,” compiles sobering information about cybersecurity at K-12 schools. The report discusses 122 publicly-disclosed cybersecurity incidents affecting 119 public K-12 education agencies across 38 states in 2018. The trend seems to be continuing in 2019. Like other organizations, school districts should be allocating appropriate resources to ensure that the technologies and equipment they are leveraging and the third party vendors they are engaging to help students learn do not leave those same students (or their parents) vulnerable to a data breach.

Implementing technologies and other products and services for students in the course of their K-12 education often requires the collection of massive amounts of personal information about students and students’ parents. Children are enrolling in classes, sports activities, clubs, etc., providing immunization and health records, using school district equipment that could be tracking location and other metrics, paying for lunch and other goods and services with debit and credit cards, etc. It should be no surprise that K-12 school districts are targets and that security incidents are on the rise.

Why student data? In recent years, the marketing and sale of children’s personal information is growing. Criminals realize that students are not focused on their credit reports, nor are their parents. Left unchecked, personal data of children can be used to build new identities and engage in widespread fraud that could later come back to hurt unsuspecting students, and potentially their parents.

Reports of K-12 security incidents in 2019 suggest a continuing trend. Here are some examples:

  • The School of the Osage School District in Missouri reported a data security incident by an outside vendor used to provide support and educational services to individual students. The same incident is believed to have affected other school districts including the Rome City School District, the Carmel Clay Schools, and others.
  • San Dieguito Union High School District experienced a malware attack.
  • Student busing information concerning Cincinnati Public School children, including student names and pickup and drop-off locations, was inadvertently disclosed to unauthorized recipients, according to reporting by DataBreaches.net.
  • Camp Verde Unified School District in Arizona experienced a ransomware attack.
  • While reporting on a malware attack at the Watertown City School District in New York, Spectrum News also noted attacks at the Syracuse City School and the Onondaga County Public Library.
  • For more information about other reported breaches in the education sector, Databreaches.net provides an informative resource here.

These risks are not new. Fortunately, there are steps that school districts can take to address them. Here are some examples:

  • Educate their district community. Districts can develop materials to help inform parents and students about the importance of safeguarding personal information and best practices for doing so. This should include informing student and parents on how to quickly inform the district about potential incidents.
  • Appoint a data protection officer. Districts can appoint a data protection officer to be responsible for implementing all required security and privacy policies and procedures.
  • Develop data security and privacy policies.  Districts can establish written policies and procedures for protecting personal information. These policies and procedures should be informed by a thorough risk assessment. A recognized framework for school security policies is the National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”).
  • Consider privacy and security at the outset of any new technology initiative. Protecting student data should not be an afterthought. At the start of a new initiative, districts can evaluate what information is necessary for the initiative to be successful and design the initiative to include only that information, and to maintain it only for as long as it is needed.
  • Establish a vendor management program. Districts work with many third parties to support and extend technology-based services to students. They can take steps during the process to procure service providers to ensure appropriate measures will be applied by the service provider to safeguard personal information. They can ask questions, review policies, examine their systems, etc. Districts can also obligate providers by contract to secure information, and make sure the information is destroyed or deleted at the conclusion of the services.
  • Provide training for administrators, teachers, staff, and others. Information privacy and security awareness training, online or in person, is critical to creating awareness about security threats and following best practices.
  • Develop an incident response plan. Districts can make sure they have a response plan and are prepared to quickly respond to an actual or suspected security incident. This includes practicing that plan so the response team is ready.

Like many organizations, K-12 school districts have quite a challenge – they need to increasingly leverage technology to deliver their services, which requires access to and processing of personal information, but may not have sufficient resources to address all of the risks. Getting started is half the battle and there often is “low-hanging fruit” that districts can adopt with relatively little cost.

On February 2, 2017, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. The scam, which targets the corporate world during tax season, is currently “spreading to other sectors, including school districts, tribal organizations and nonprofits.” (irs.gov/news-events).

This cyber-scam is simple, but highly successful. It consists of an e-mail sent to an employee in the Human Resources or Accounting department from an executive within the organization. Both the TO and FROM e-mail addresses are accurate internal addresses, as are the sender’s and recipient’s names. The e-mail requests that the recipient forward the company’s W-2 forms, or related data, to the sender. This request aligns with the job responsibilities of both parties to the email.

Despite appearances, the e-mail is a fraud. The scammer is “spoofing” the executive’s identity. In other words, the cyber-criminal assumes the identity and e-mail address of the executive for the purpose of sending what appears as a legitimate request. The recipient relies on the accuracy of the sender’s e-mail address, coupled with the sender’s job title and responsibilities, and forwards the confidential W-2 information. The forwarded information goes to a hidden e-mail address controlled by the cyber-criminal.

When successful, the cyber-criminal obtains a trove of sensitive employee data that may include names, dates of birth, addresses, salary information, and social security numbers. This information is used to file fake tax returns and requests for tax refunds and/or sold on the dark web to perpetrators of identity theft.

The IRS gives examples of these W-2 e-mail requests on its website:

  • “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2016. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

These cyber-scams, known as business email compromise (BEC) attacks, or CEO spoofing, are a form of ‘spear phishing.’ Spear phishing targets a specific victim using personal or organizational information to elicit the victim’s trust. The cyber-criminal obtains and uses information such as personal and work e-mail addresses, job titles and responsibilities, names of friends and colleagues, personal interests, etc. to lure the victim into providing sensitive or confidential information.  Quite often, the scammers cull this information from social media, LinkedIn, and corporate websites. The method is both convincing and highly successful.

While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. This includes ongoing security awareness training (see our white paper with best practices for setting up a training program) for all levels of employees, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and reduced posting of personal information on-line.

Although simple, the W-2 e-mail scam can have a devastating impact on an organization and its employees. And, although equally simple, employee awareness can help prevent it.

Instances of W-2 or similar attacks should be reported to the IRS at phishing@irs.gov and the Internet Crime Complaint Center of the FBI.

 

Mary Costigan is working with our Privacy, e-Communications and Data Security Group as part of an externship with Pace University Law School’s New Directions for Attorneys Program.

We are pleased to announce that Mary Costigan will be joining our Privacy, e-Communications and Data Security group today as part of an externship with Pace University Law School’s New Directions for Attorneys Program. Mary’s desire to return to legal work in this area shows the continued interest in cybersecurity and privacy issues and the surge in demand for expertise in this exciting and evolving space. We are honored that Jill Backer, Asst. Dean for Career and Professional Development Pace University School of Law and Director of the New Directions Program reached out to us to support the Program and help develop Mary’s expertise. Welcome Mary!

The New Directions for Attorneys Program assists attorneys in returning to traditional law practice or an alternative legal career. Its participants are graduates of many different law schools, and have practiced in numerous types of settings, including not-for-profit organizations, government agencies, law firms, corporations, and others. According to Ms. Backer, “the Program is critical in getting successful attorneys who stepped away from practice for a few years, back to work.” The Program has been in existence for 10 years and touts more than 260 alumni. The Program has been recognized numerous times in the media, including The New York Times, Bloomberg News, MORE Magazine, The Huffington Post, The Harvard Business Review, CNN, and many others. 

You can find more information about the Program here. In the meantime, we are looking forward to working with Mary.

As previously reported, in a March 2014 filing titled H.W. v. Sterling High School District, a New Jersey high school student filed suit claiming school officials had violated her constitutional rights when they punished her for content she posted on Twitter which criticized Sterling High School’s principal.

The settlement, which was approved by the Sterling High School District in April and entered by the Court on July 29, 2014, provides that the district will reimburse the student $9,000 for her legal fees.   However, the district will not pay additional damages to the student.  In addition, the school district agreed to revoke punishments imposed against the student for her Twitter postings, expunge documents related to the incident from the student’s academic record, and abandon its attempted requirements for drug testing of the student.  Specifically, the agreement provides that the student is eligible for graduation upon completion of outstanding assignments, is allowed to attend the senior class trip to Florida, and if the student does not seek press coverage or disclose the settlement terms she will be allowed to participate in prom and the graduation ceremony.

Beyond agreements directly between the school district and the student, the settlement also calls of the school to modify its student handbook to specify that administrators “may be monitoring student discussions on Facebook, Twitter or other social media outlets and may seek to impose penalties in accordance with the student code of conduct if such discussions cause a substantial disruption at the school.”

On December 13, 2013, Fordham Law School’s Center on Law and Information Policy published a study (Study) that paints a sobering picture of how many public schools across the country handle student data, particularly with respect to data they store and services they (and students) use in the “cloud.” There is little doubt that many school districts are strapped for cash and, indeed, utilizing cloud services provides a new opportunity for significant cost savings. However, according to the Study, some basic, low-cost safeguards to protect the data of the children attending these public school are not in place.

For example, some of the Study’s key findings include:

  • 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning,
  • only 25% of districts inform parents of their use of cloud services,
  • 20% of districts fail to have policies governing the use of online services, and
  • with respect to contracts negotiated by districts with cloud service providers
    • they generally do not provide for data security and allow vendors to retain student information in perpetuity,
    • fewer than 25% specify the purpose for disclosures of student information,
    • fewer than 7% restrict the sale or marketing of student information, and
    • many districts have significant gaps in their contract documentation.

A data  breach can be significant for any organization, and school districts are not immune. Parents are also beginning to pressure districts for more action, particularly as children can be an attractive target for identity theft.

The Fordham Study provides a number of helpful recommendations for public school districts. Indeed, based on the Study and consistent with basic data privacy and security principles (not to mention FERPA and other laws concerning the safeguarding of student data), there seems to be quite a bit of low-hanging fruit school districts can use to address the risks identified. These include, for example, establishing basic, written privacy policies and procedures that apply to cloud and similar services, implementing more thorough vetting of vendors handling sensitive personal information, and adopting and implementing for consistent use a set of strong privacy and security contract clauses when negotiating with all vendors that will access personal and other confidential information.

"Back to School" is upon us and over the next couple of weeks millions of parents (including me) will be in local stores getting our kids the stuff they need for a successful school year. The Federal Trade Commission (FTC) reminds parents, for good reason, to be mindful of how their children’s personal information is used and disclosed. In fact, the agency provides a guide for parents that could be very helpful. As we have written and others have reported, the risk to children’s untouched credit histories and other information is real.