Professional Documents
Culture Documents
October 3, 2018
Data Breaches – Real Risks & Real Costs
RISKS – HACKERS & ERRORS
According to the Privacy Rights Clearinghouse, nearly half of all reported
data breaches in 2016 involved school districts. EdTech reports 355
cybersecurity-related incidents in 2018 as of August 20. A few older
examples include:
April 2016 – The Olympia (WA) School District fell victim to a phishing
attack on employee data. The district offered credit monitoring/identity
theft prevention to 2,164 affected employees.
April 2016 – The Concord (NH) School District suffered a breach in which
the perpetrator obtained employee names, Social Security numbers, and
other information using a phishing email. The breach may have resulted in
the filing of fake income tax returns.
November 2016 --Chicago Public Schools announced that confidential
information belonging to 30,000 students had been improperly distributed
to a charter school operator for marketing purposes (followed a May 2016
incident where CPS sent PII of 4,000 Students to vendors).
Digital Data Security & Privacy www.nhsba.org Slide 1
Data Breaches – Real Risks & Real Costs
RANSOMWARE - NETWORKS & DATA HELD HOSTAGE
Over the past few years, several school systems throughout the United States
(Leominster, MA.; Bigfork, MT; Roseburg, OR; Chester, SC, among others)
have suffered more debilitating attacks wherein hackers have used ransomware
(e.g., “WannaCry”) to seize control of the entire networks and servers of school
districts.
In most instances, hackers have infiltrated systems with the malicious programs
– by way of attachments to emails – sometimes legitimate. Once opened, the
files spread, often through out-of-date hardware or software (e.g., Windows XP),
and eventually embed enough to begin encrypting system data, rendering it
inaccessible by the school system. The hackers then hold the data hostage,
demanding ransom (payable through Bitcoin or other cryptocurrency) before
providing decryption keys.
Although some districts have been successful without making the demanded
payments, most capitulate if only to cut short the time the data is inaccessible.
As with other types of data breaches, school systems are particularly vulnerable
lack of employed or retained IT personnel with proper cyber security training.
Digital Data Security & Privacy www.nhsba.org Slide 2
Data Breaches – Real Risks & Real Costs
COSTS -
Several factors led to both the increased per record cost, as well as the
fact that the costs are higher for schools: first is the extensive use of
mobile platforms by districts, and second was systemic compliance
failure.
Slide 10
Data Governance & Data Governance Plans
What is data governance?
Slide 14
Role of Senior Administrators and Legal Counsel
Slide 18
New Hampshire Laws
Slide 21
Attachments & Additional Resources
ATTACHMENTS:
HB 1612
NHSBA sample policy EHAB – Data Governance & Security
Sample Inventory of Software, Programs & Applications
ADDITIONAL RESOURCES:
National Center for Education Statistics – Privacy Technical Assistance
Center Toolkit (information and best practices in privacy protection and
data security)
https://nces.ed.gov/programs/ptac/Toolkit.aspx
National School Boards Association – Data Security for Schools: A
Legal and Policy Guide for School Boards
https://www.nsba.org/data-security-schools-legal-and-policy-guide-
school-boards
Digital Data Security www.nhsba.org Slide 22
William Phillips
Staff Attorney & Director of Policy Services
NHSBA
25 Triangle Park Drive, Suite 101
Concord, NH 03301
(603) 228-2061
wphillips@nhsba.org
DISCLAIMER: The above information is copyrighted to the New Hampshire School Boards
Association. The information is provided for general information only. School board members
and administrators should consult with legal counsel to address local facts and circumstances.
www.nhsba.org Slide 23