Here’s What Independent Schools Should Know About Cyber Security Regulations

Cyber security breaches are America’s latest wake-up call and independent schools are no exception. School leaders should take preventative measures to ensure the safety of employees and students’ sensitive information. The history of cyber data breaches goes back as far as 1988 and now routinely affects businesses, individuals, and other organizations on the daily basis. 

All 50 states have passed legislation that requires private and public entities to notify anyone who is affected by a security breach of their personal information. However, some states, including California, Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, and Rhode Island, have a qualification that requires entities to notify individuals only if they believe their information has been compromised, according to legal consulting firm Carlton Fields. 

For example, a school in Rhode Island would not have to disclose information about a cyber security breach unless it had reason to believe the security violation “poses a significant threat to identity theft” — one of the most common outcomes to data breaches, according to the 2017 Javelin study.

Harm analyses are sometimes added to the qualification. In the event of a data breach, a harm analysis may or may not be enforced by state laws which would require the showing of the damages — mostly financial — resulting from a data attack, according to Carlton Fields. Despite some states enforcing qualifications, all states are still subjected to civil lawsuits and disputes if they don’t disclose data breach information.

Current school trends such as using student fingerprints for school lunches can easily lead down a slippery slope of violations with security breach laws. In 2014, a mother filed a lawsuit against Six Flags after her son, who was minor, went on school field trip and without her knowledge scanned his fingerprint to activate his season pass to the theme park, according to the lawsuit. An Illinois Supreme Court judge ruled in Jan. 2019, the theme park was in violation of the Biometric Information and Privacy Act (BIPA) by not notifying mother and therefore, the mother had a right to sue, according to the court records.

Some European Union regulations can affect U.S. independent schools. The General Data Protection Regulation (GDPR) is a European Union order that oversees any institution or organization that collects or process data of European residents — in and outside of Europe. The regulation was enacted to ensure the safety and privacy of European students’ data. It can also require certain companies to appoint a data protection officer to oversee GDPR compliance, the Digital Guardian reports.

If an independent school does not receive funding from the U.S. Department of Education, it is not subjected to Family Educational Rights and Privacy Act (FERPA), Carlton Fields reports. The act protects students’ privacy of their educational records. Most schools must have written permission from the parent, guardian, or eligible student in order to release any information from a student’s education record, according to the legislation. FERPA does allow schools to disclose students’ information to third-parties without their consent to certain parties such as schools that students are transferring to, specified officials for audit or evaluation purposes, and accrediting organizations.

Best practices for compliance with cyber security breach laws according to Carlton Fields include the following measures:

  • Routinely monitor potential risk factors
  • Assess third-party affiliate risk
  • Implement Oversight
  • Train Employees
  • Develop formal written information plans

Mariah Stewart is a staff writer for DiversityIS.