Your child’s school records used to be stored in a paper file either in their school’s main office, at their school district building, or both. Nowadays, school districts and charter schools are increasingly turning to outside companies to electronically house sensitive student records on the internet. One such company boasts of covering 75% of students in the United States. These outside agencies may in turn hire other contractors and companies to manage some of their security and data storage operations. Are your child’s confidential school records safe? The answer might surprise you.
Two years ago, high school student Bill Demirkapi hacked into Follett Corp. and Blackboard Inc.’s student information systems, which are technology platforms used to store and manage student data from schools across the country. He attacked both systems by crafting queries that allowed him to access and modify entries in databases owned by the system. He found data from over five million students and teachers, along with thirty-four thousand immunization records, from more than five thousand schools, all held in effectively unprotected databases. These databases also contained students’ disciplinary records, GPAs, and letter grades. With Demirkapi’s technique, any malicious attacker could view, change or even erase all of a child’s sensitive information.
When Demirkapi tried to warn Follett about the bugs in their computer system, the school district told him not to disclose what he had found. But he refused to give up. After pressuring the school, Demirkapi arranged to meet with a representative from Follett who reviewed his claim but did not fix the vulnerability in question. Demirkapi had similar difficulties contacting Blackboard about the security weakness in their student database.
In both cases, the school and the information system provider were aware their systems were compromised to the point where sensitive student information could not only be read but also modified by unauthorized third parties. Knowing this, they did not immediately respond and fix their system’s problems, instead choosing to ignore the incident, then downplay it, and then attempt to cover it up. With the information of our children at stake, this is a fundamentally irresponsible way for schools to act.
Effective as of January 1, 2016, California’s Student Online Personal Information Privacy Act (SOPIPA) makes third-party service providers like Follett and Blackboard directly liable for security breaches of sensitive student data. SOPIPA requires the service provider to implement and maintain “reasonable security procedures and practices” to protect the privacy of student information. Nevada passed a similar law, which becomes effective on January 1, 2020. Despite these privacy laws, information relating to approximately 800 California students was recently hacked and may have been placed on the dark web. University of Southern California cybersecurity expert Jim Zimmerman opined that the incident was “clearly a very serious breach.” Equally disturbing, school officials reported earlier this month that more than 650,000 Nevada students, including those from Clark County and Washoe County School Districts, had personal assessment information exposed in a data breach.
In addition to grades and assignments, online school files can include personally identifiable information such as names, addresses, phone numbers and social security numbers, as well as disciplinary reports (even if disputed), juvenile dependency records, special education data, standardized and IQ test scores and even health records.
How can you protect your child’s sensitive school records?
- Carefully review your child’s school records at least once each year to ensure that they are accurate. Particularly with online data, it’s easy to mistake one child for another and input the wrong information into the computer system.
- Remember that malicious hackers can change, delete or replace records. Therefore, you should consider requesting and safekeeping a hard copy of key student records such as report cards, attendance records, disciplinary reports, special education files and the like.
- Parents are entitled to know where all of their child’s school records are kept. If you believe you have not been given access to your child’s records, ask the school principal to provide them to you along with the locations where all of your child’s school data is maintained.
- Demand a copy of your school district or charter school’s student record privacy policy. If they refuse to provide it, send a written demand for this information under the California Public Records Act.
- Report any suspected breach immediately. If you believe your child’s records have been tampered with, first report the suspected breach to your school district or charter school. If they fail to respond right away, proceed directly to the service provider.
Special thanks to ADAMS ESQ cybersecurity advisor James Adams for his contribution to this article.