However, hackers are interested in more than just credit card and bank account numbers. Sure, it’s easier to steal money when you have the right digits, but one can often steal even more with other identifying details like Social Security numbers. Most people take great pains to keep such information secure, and only share it when absolutely necessary. And one time that it is necessary to share personal data? When enrolling in school, whether you’re an 18-year-old in your final year of high school or a returning graduate student in your 40s.
As it turns out, educational institutions, both public and private, are a prime target for hackers. The educational sector was the source of nine percent of all data breaches in 2013, including a massive breach at the University of Maryland that exposed the Social Security numbers and other personal data of almost 300,000 students and alumni. Educational data theft happens on a smaller scale as well; in April 2014, six people in Tennessee were indicted on identity theft charges stemming from data they stole from a local high school. These are just a few cases in a growing problem, and schools are beginning to realize that data protection needs to be a bigger priority.
Student data is protected by Family Educational Rights and Privacy Act, or FERPA. Under the terms of FERPA, parents (and students, when they turn 18) have the right to review and contest their child’s educational records, as well as the right to consent to the disclosure of those records, which include grades, health records, and behavioral reports. Essentially, FERPA makes all educational records private unless the parent or student consents to their disclosure. If a school violates those restrictions, even inadvertently, it could face significant penalties, including a loss of federal funding.
Because school funding hinges in part on the protection of data it’s important that schools renew their focus on privacy and take steps to keep student data safe. A breach can also be quite costly as the University of Maryland found out after having to spend millions on credit monitoring services for students. Some of the tactics recommended by security experts include:
- Email encryption. Many schools violate FERPA by requesting or allowing students to send personal information and documents, such as W-2s and health records, via email. All email communication should be protected by end-to-end encryption, which allows only the sender and an approved, authenticated recipient to open the message.
- Encrypt data stored on servers. When data isn’t encrypted in storage, it’s more attractive to hackers — and easier to steal.
- Educate staff on FERPA and data protection compliance issues. Underscore the importance of protecting sensitive information, and develop strict policies regarding who has access to data and acceptable use.
Technically speaking, schools are not required to encrypt student data, even though it falls under the umbrella of “protected information,” meaning that it should be protected, not that it necessarily is. However, with so much at stake, schools need to realize that they are in fact targets of data thieves, and take steps to protect their students.