Missouri schools warned about lack of student data security
(Mo.) Student information often considered an afterthought is commonly mishandled in Missouri schools according to a state report which called on districts to reevaluate the way all student data is kept private.
The report, released by Missouri State Auditor Nicole Galloway, said that without the proper safeguards in place, hackers could gain access to families’ authorized bank accounts provided for child lunch plans, or health records provided to a school nurse, among other sensitive data.
"Missouri schools have access to a lot of information on students and their families, which means they have a responsibility to keep that information protected," Galloway said in a statement, noting that the report should act as a guiding tool for district leaders to begin addressing data security concerns.
Lawmakers have pushed for districts to emphasize student privacy policies as schools–often unprepared to handle a breach in data security–increasingly become the target of cyberattacks. Districts in South Carolina, New Jersey, Tennessee, Delaware, New York and Michigan have all been targets of hackers installing “ransomware,” which locks stored files until a ransom is paid, and then the files are unlocked. According to the FBI, almost 2,500 complaints about ransomware were received last year, costing the victims more than $24 million.
In addition to using cloud storage to back up information, the Department of Homeland Security recommends schools regularly update software and operating systems, restrict users’ ability to install software applications and remind employees to never click unsolicited links in emails which can allow outside users access to student information.
In Missouri, the Department of Education has already begun taking steps to reduce certain risks. Last year, the department stopped storing students’ social security numbers after an audit found it unnecessary to collect such data. In 2014, legislators passed a bill requiring the state’s Education Department to ensure contracts with third-party vendors keep student data from being used to target advertisements.
Five additional areas of concern not yet addressed in the Legislature were highlighted in the state auditor’s report released Oct. 13:
- Not all districts had a formal plan or guideline in place to respond to a breach in data security, or to help personnel quickly resume business as usual after a disruptive incident;
- Some districts did not have policies and procedures in place for authorizing, reviewing and removing user access to system, and in a number of cases, employees and staff were allowed to share user accounts and passwords, or were not required to change their passwords on a regular basis;
- Processes to ensure formal management of sensitive student and allow only the necessary personnel to access certain information data had not been fully established in every district;
- Security administrators and formal training programs to guide staff through important data security issues and risks were not present in some districts; and
- As has become an issue in many states, districts entered into contracts with third-party vendors to provide technology services that were not written in ways that provided assurances that certain protections would be put in place to keep student data confidential.
The report assessed five school districts specifically as part of Missouri’s Cyber Aware School Audit Initiative to emphasize data protection practices and information security.