We observed in a post on this blog that government agencies, businesses, hospitals, universities and school districts are frequent targets of data breaches that can affect millions of individuals. Cyberattacks on school districts continue to appear in the news. In January, students in the Pittsburg Unified School District (California) were left without internet access as a result of a ransomware attack, which compromised the schools’ servers and email. The Richmond Community Schools in Michigan suffered a similar cyberattack when threat actors infiltrated and locked down the schools’ servers and demanded a $10,000 ransom to return control of those servers.

The cyberattacks are compromising school vendors, too. In December, a student hacker committed a “brute force” attack on Naviance, an ed-tech provider that collects sensitive information on behalf of school districts throughout the United States. The attack on Naviance exposed the personal information of approximately 6,000 students. There are countless stories of other ed-tech providers sustaining similar cyberattacks.

It comes as no surprise in the face of these cyberattacks that New York State regulators are taking action to protect personal information that schools and their vendors collect and maintain. We reported on this blog that the New York State Department of Education (“SED”) proposed new regulations (“Regulations”) to require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. On January 14, 2020, the Board of Regents formally adopted the Regulations (which were modified since their initial publication). The Regulations were effective January 29, 2020.

While broad in scope, the Regulations include several requirements that are particularly noteworthy for schools and their vendors. They include:

  • School contracts – including “click-wrap” agreements – with vendors who receive PII must state that the vendor will maintain all information in accordance with federal and state law and the school’s security and privacy policy.
  • Schools must include a Parent’s Bill of Rights in every contract with vendors who receive PII.
  • All schools must follow the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) as the standard for data security and privacy.
  • All schools must adopt, by July 1, 2020, a data security and privacy policy that implements the requirements of the Regulations and aligns with NIST CSF.
  • Schools must publish their data security and privacy policies on their websites.
  • Schools must provide data privacy and security awareness training to officers and employees with access to PII.
  • Schools must designate a Data Protection Officer (“DPO”) who is responsible for the compliance program and who otherwise serves as the point of contact for the school on data security and privacy matters.
  • Vendors that suffer a breach of PII must notify the affected schools within seven (7) calendar days; the schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

These Regulations certainly impose many new obligations on schools. Schools are urged to contact qualified legal counsel as they begin to develop and implement a comprehensive data security and privacy compliance program to comply with the mandates of the new Regulations.


A new school year is upon us and some students are already back at school. Upon their return, many students may encounter new technologies and equipment rolled out by their school districts, such as online education resources and district-provided devices, intended to enhance the education the district provides and to improve district administration. However, a recent report, “The State of K-12 Cybersecurity: 2018 Year in Review,” compiles sobering information about cybersecurity at K-12 schools. The report discusses 122 publicly disclosed cybersecurity incidents affecting 119 public K-12 education agencies across 38 states in 2018. The trend seems to be continuing in 2019. Like other organizations, school districts should be allocating appropriate resources to ensure that the technologies and equipment they are leveraging, and the third-party vendors they are engaging to help students learn, do not leave those same students (or their parents) vulnerable to a data breach.

Implementing technologies and other products and services for students in the course of their K-12 education often requires the collection of massive amounts of personal information about students and students’ parents. Children are enrolling in classes, sports activities, clubs, etc., providing immunization and health records, using school district equipment that could be tracking location and other metrics, paying for lunch and other goods and services with debit and credit cards, etc. It should be no surprise that K-12 school districts are targets and that security incidents are on the rise.

Why student data? In recent years, the marketing and sale of children’s personal information has been growing. Criminals realize that students are not focused on their credit reports, and neither are their parents. Left unchecked, the personal data of children can be used to build new identities and engage in widespread fraud that could later come back to hurt unsuspecting students, and potentially their parents.

Reports of K-12 security incidents in 2019 suggest a continuing trend. Here are some examples:

  • The School of the Osage School District in Missouri reported a data security incident involving an outside vendor used to provide support and educational services to individual students. The same incident is believed to have affected other school districts, including the Rome City School District, the Carmel Clay Schools, and others.
  • San Dieguito Union High School District experienced a malware attack.
  • Student busing information concerning Cincinnati Public School children, including student names and pickup and drop-off locations, was inadvertently disclosed to unauthorized recipients, according to reporting by DataBreaches.net.
  • Camp Verde Unified School District in Arizona experienced a ransomware attack.
  • While reporting on a malware attack at the Watertown City School District in New York, Spectrum News also noted attacks at the Syracuse City School and the Onondaga County Public Library.
  • For more information about other reported breaches in the education sector, Databreaches.net provides an informative resource here.

These risks are not new. Fortunately, there are steps that school districts can take to address them. Here are some examples:

  • Educate their district community. Districts can develop materials to help inform parents and students about the importance of safeguarding personal information and best practices for doing so. This should include informing students and parents on how to quickly inform the district about potential incidents.
  • Appoint a data protection officer. Districts can appoint a data protection officer to be responsible for implementing all required security and privacy policies and procedures.
  • Develop data security and privacy policies. Districts can establish written policies and procedures for protecting personal information. These policies and procedures should be informed by a thorough risk assessment. A recognized framework for school security policies is the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”).
  • Consider privacy and security at the outset of any new technology initiative. Protecting student data should not be an afterthought. At the start of a new initiative, districts can evaluate what information is necessary for the initiative to be successful and design the initiative to include only that information, and to maintain it only for as long as it is needed.
  • Establish a vendor management program. Districts work with many third parties to support and extend technology-based services to students. During the procurement process, they can take steps to ensure that a service provider will apply appropriate measures to safeguard personal information: ask questions, review policies, examine the provider’s systems, etc. Districts can also obligate providers by contract to secure information and to ensure the information is destroyed or deleted at the conclusion of the services.
  • Provide training for administrators, teachers, staff, and others. Information privacy and security awareness training, online or in person, is critical to creating awareness about security threats and following best practices.
  • Develop an incident response plan. Districts can make sure they have a response plan and are prepared to quickly respond to an actual or suspected security incident. This includes practicing that plan so the response team is ready.

Like many organizations, K-12 school districts have quite a challenge – they need to increasingly leverage technology to deliver their services, which requires access to and processing of personal information, but may not have sufficient resources to address all of the risks. Getting started is half the battle and there often is “low-hanging fruit” that districts can adopt with relatively little cost.

On February 2, 2017, the IRS issued a warning to all employers regarding the resurgence of a W-2-based cyber scam. The scam, which targets the corporate world during tax season, is currently “spreading to other sectors, including school districts, tribal organizations and nonprofits.” (irs.gov/news-events).

This cyber-scam is simple, but highly successful. It consists of an e-mail, apparently sent by an executive within the organization, to an employee in the Human Resources or Accounting department. Both the TO and FROM e-mail addresses are accurate internal addresses, as are the sender’s and recipient’s names. The e-mail requests that the recipient forward the company’s W-2 forms, or related data, to the sender. This request aligns with the job responsibilities of both parties to the e-mail.

Despite appearances, the e-mail is a fraud. The scammer is “spoofing” the executive’s identity. In other words, the cyber-criminal assumes the identity and e-mail address of the executive for the purpose of sending what appears as a legitimate request. The recipient relies on the accuracy of the sender’s e-mail address, coupled with the sender’s job title and responsibilities, and forwards the confidential W-2 information. The forwarded information goes to a hidden e-mail address controlled by the cyber-criminal.
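The following added example (not from the original post) shows how the “hidden address” mechanism described above can be checked for in mail headers: a From address that claims the organization’s own domain while the Reply-To or Return-Path leads elsewhere, combined with the W-2 phrasing the IRS quotes. The internal domain `example-district.org` and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the district's own mail domain.
INTERNAL_DOMAIN = "example-district.org"

# Phrasing drawn from the IRS sample requests quoted in the post.
W2_PATTERNS = (r"\bw-?2\b", r"social security number",
               r"wage and tax statement", r"earnings summary")


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the indicators that make this message look like a W-2 BEC attempt.

    An empty list means nothing fired. The two header checks catch the
    'hidden address' trick: From looks internal, but the reply path or the
    actual sending path leads outside the organization.
    """
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reasons = []
    if from_dom == INTERNAL_DOMAIN:
        for header in ("Reply-To", "Return-Path"):
            dom = domain_of(msg.get(header))
            if dom and dom != INTERNAL_DOMAIN:
                reasons.append(f"internal From but external {header}: {dom}")
    payload = msg.get_payload(decode=True) or b""
    text = payload.decode("utf-8", "replace")
    hits = [p for p in W2_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if hits:
        reasons.append("requests W-2/payroll data: " + "; ".join(hits))
    return reasons


# Constructed sample: reads as the superintendent asking payroll for W-2s,
# but any reply and the real sending path both lead outside the district.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Pat Chief, Superintendent" <pat.chief@example-district.org>
Reply-To: <pat.chief@example-mail.net>
To: "HR Payroll" <payroll@example-district.org>
Subject: W-2 request

Kindly send me the individual W-2 (PDF) and earnings summary of all
staff for a quick review.
"""

# Constructed benign message: internal end to end, routine content.
BENIGN = """\
Return-Path: <pat.chief@example-district.org>
From: "Pat Chief, Superintendent" <pat.chief@example-district.org>
To: "HR Payroll" <payroll@example-district.org>
Subject: Board meeting agenda

Please add the facilities report to Tuesday's agenda.
"""
```

Running `triage(SPOOFED)` returns three indicators (external Reply-To, external Return-Path, W-2 phrasing) while `triage(BENIGN)` returns an empty list; a mail gateway can quarantine or flag for out-of-band verification on any header hit.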

When successful, the cyber-criminal obtains a trove of sensitive employee data that may include names, dates of birth, addresses, salary information, and social security numbers. This information is used to file fake tax returns and requests for tax refunds and/or sold on the dark web to perpetrators of identity theft.

The IRS gives examples of these W-2 e-mail requests on its website:

  • “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2016. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

These cyber-scams, known as business email compromise (BEC) attacks, or CEO spoofing, are a form of ‘spear phishing.’ Spear phishing targets a specific victim using personal or organizational information to elicit the victim’s trust. The cyber-criminal obtains and uses information such as personal and work e-mail addresses, job titles and responsibilities, names of friends and colleagues, personal interests, etc. to lure the victim into providing sensitive or confidential information. Quite often, the scammers cull this information from social media, LinkedIn, and corporate websites. The method is both convincing and highly successful.

While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. This includes ongoing security awareness training (see our white paper with best practices for setting up a training program) for all levels of employees, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and reduced posting of personal information on-line.

Although simple, the W-2 e-mail scam can have a devastating impact on an organization and its employees. And, although equally simple, employee awareness can help prevent it.

Instances of W-2 or similar attacks should be reported to the IRS at phishing@irs.gov and the Internet Crime Complaint Center of the FBI.


Mary Costigan is working with our Privacy, e-Communications and Data Security Group as part of an externship with Pace University Law School’s New Directions for Attorneys Program.

We are pleased to announce that Mary Costigan will be joining our Privacy, e-Communications and Data Security group today as part of an externship with Pace University Law School’s New Directions for Attorneys Program. Mary’s desire to return to legal work in this area shows the continued interest in cybersecurity and privacy issues and the surge in demand for expertise in this exciting and evolving space. We are honored that Jill Backer, Asst. Dean for Career and Professional Development Pace University School of Law and Director of the New Directions Program reached out to us to support the Program and help develop Mary’s expertise. Welcome Mary!

The New Directions for Attorneys Program assists attorneys in returning to traditional law practice or an alternative legal career. Its participants are graduates of many different law schools, and have practiced in numerous types of settings, including not-for-profit organizations, government agencies, law firms, corporations, and others. According to Ms. Backer, “the Program is critical in getting successful attorneys who stepped away from practice for a few years, back to work.” The Program has been in existence for 10 years and touts more than 260 alumni. The Program has been recognized numerous times in the media, including The New York Times, Bloomberg News, MORE Magazine, The Huffington Post, The Harvard Business Review, CNN, and many others. 

You can find more information about the Program here. In the meantime, we are looking forward to working with Mary.

As previously reported, in a March 2014 filing titled H.W. v. Sterling High School District, a New Jersey high school student filed suit claiming school officials had violated her constitutional rights when they punished her for content she posted on Twitter which criticized Sterling High School’s principal.

The settlement, which was approved by the Sterling High School District in April and entered by the Court on July 29, 2014, provides that the district will reimburse the student $9,000 for her legal fees. However, the district will not pay additional damages to the student. In addition, the school district agreed to revoke punishments imposed against the student for her Twitter postings, expunge documents related to the incident from the student’s academic record, and abandon its attempted requirements for drug testing of the student. Specifically, the agreement provides that the student is eligible for graduation upon completion of outstanding assignments, is allowed to attend the senior class trip to Florida, and, if the student does not seek press coverage or disclose the settlement terms, will be allowed to participate in prom and the graduation ceremony.

Beyond agreements directly between the school district and the student, the settlement also calls for the school to modify its student handbook to specify that administrators “may be monitoring student discussions on Facebook, Twitter or other social media outlets and may seek to impose penalties in accordance with the student code of conduct if such discussions cause a substantial disruption at the school.”

On December 13, 2013, Fordham Law School’s Center on Law and Information Policy published a study (Study) that paints a sobering picture of how many public schools across the country handle student data, particularly with respect to data they store and services they (and students) use in the “cloud.” There is little doubt that many school districts are strapped for cash and, indeed, utilizing cloud services provides a new opportunity for significant cost savings. However, according to the Study, some basic, low-cost safeguards to protect the data of the children attending these public schools are not in place.

For example, some of the Study’s key findings include:

  • 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning,
  • only 25% of districts inform parents of their use of cloud services,
  • 20% of districts fail to have policies governing the use of online services, and
  • with respect to contracts negotiated by districts with cloud service providers
    • they generally do not provide for data security and allow vendors to retain student information in perpetuity,
    • fewer than 25% specify the purpose for disclosures of student information,
    • fewer than 7% restrict the sale or marketing of student information, and
    • many districts have significant gaps in their contract documentation.

A data breach can be significant for any organization, and school districts are not immune. Parents are also beginning to pressure districts for more action, particularly as children can be an attractive target for identity theft.

The Fordham Study provides a number of helpful recommendations for public school districts. Indeed, based on the Study and consistent with basic data privacy and security principles (not to mention FERPA and other laws concerning the safeguarding of student data), there seems to be quite a bit of low-hanging fruit school districts can use to address the risks identified. These include, for example, establishing basic, written privacy policies and procedures that apply to cloud and similar services, implementing more thorough vetting of vendors handling sensitive personal information, and adopting and implementing for consistent use a set of strong privacy and security contract clauses when negotiating with all vendors that will access personal and other confidential information.

"Back to School" is upon us and over the next couple of weeks millions of parents (including me) will be in local stores getting our kids the stuff they need for a successful school year. The Federal Trade Commission (FTC) reminds parents, for good reason, to be mindful of how their children’s personal information is used and disclosed. In fact, the agency provides a guide for parents that could be very helpful. As we have written and others have reported, the risk to children’s untouched credit histories and other information is real.

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft.

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.
