How School Boards Can Mitigate the Risk of Sensitive Data Exposure

Lena Eisenstein
The media is often flooded with stories about data breaches and hacked accounts. Knowing that your personal information may be available on the 'dark web' is a frightening prospect.

For school board members, the responsibility of maintaining sensitive district and student information can weigh heavily. School boards are accountable for ensuring that the information related to students and the school district stays secure and protected from accidental or intentional sensitive data exposure.

Sensitive Data Exposure on K12.com

K12.com is an online education platform that recently exposed the personal information of millions of students. A K12.com database that contained nearly 7 million student records was left open, and any person with a connection to the internet could access it. The issue affected K12.com's Anywhere Learning System (A+LS), which is used by more than 1,100 school districts in the United States. The exposed information from student records included:

  • Primary personal e-mail address
  • Full name
  • Gender
  • Age
  • Birthdate
  • School name
  • Authentication keys for accessing ALS accounts and presentations
  • Other internal data

The exposure occurred on June 23rd, was first discovered on June 25th, and was not fixed until July 1st. For nearly an entire week, sensitive student information was left in the open.

Personal information, large financial transactions, and other confidential and sensitive information can make school districts lucrative targets for sensitive data exposure.

K12.com's sensitive data exposure shows that school systems are susceptible to bad cybersecurity practices that can put student and school information at great risk.

Local school boards are just as prone to sensitive data exposure as K12.com. There is much to learn from this experience that can help school boards make proactive decisions to mitigate the risk of data breaches and cyberattacks.

Bad Cybersecurity Practices That Increase the Risk of Sensitive Data Exposure

  1. Not having a solid defense regarding the school district's sensitive data.

Shifting from an offense mentality to a prevention mentality can create a culture that values and pursues solutions to diminish the risk of sensitive data exposure.

Setting aside the funds for cybersecurity, establishing more robust policies, and training employees and board members in cybersecurity practices can all help in mitigating cyber risks.

  2. Maintaining data on 'the cloud.'

Storage on a public cloud (like Google) can increase the risk of sensitive data exposure. When it comes to sensitive information, the data should be stored on a private server and on sites with high-level encryption (256-bit encryption is the strongest level of security currently available).

The cloud puts non-public information at risk of being viewed by outside individuals or organizations. These breaches in data can be unintentional, or can result from weaknesses in the applications that are used to access the cloud or from other ineffective cybersecurity procedures.

  3. Not having a recovery plan for sensitive data.

Having a backup system in place to restore full performance and function in the event of sensitive data exposure or loss is a critical component of mitigating risk. Data loss may seem simple or harmless compared to sensitive data exposure, but data loss can be just as devastating and overwhelming.

  4. Operating with paper documents.

Sharing and accessing documents and materials digitally is far more secure than creating and maintaining physical copies. If someone attaches or downloads a digital document, there is some digital trace of that information and the digital transaction.

If your school board passes around a hard copy of sensitive data to each board member and someone takes that hard copy home with them, the potential scenarios for how the information could be exposed are limitless; and, more importantly, that information is then untrackable. Sensitive data exposure is fairly easy when there are physical copies of information that may have been left and forgotten in a public setting. It does not take a skilled hacker or cybercriminal for someone to swipe a hard copy of a sensitive document off a desk.

Even downloading and maintaining documents on a hard drive can open up the school board to sensitive data exposure. Files on the hard drive of any device are still susceptible to malicious hackers who can infiltrate the device's system.

  5. Using e-mail for school board business.

E-mail is technically 'digital communication,' but it is the least effective and secure form of digital communication for school boards. E-mails and attachments are not encrypted or completely secure. Additionally, e-mail communication between school board members regarding board work can be a violation of Open Meeting Laws, so it is imperative that school board members tread lightly when it comes to e-mail communication.

Board Management Software That Reduces Risk for Sensitive Data Exposure

When school boards are utilizing board management software, it is imperative that they look at the features and capabilities of the software in terms of securing sensitive data. The software should promote and support strong cybersecurity practices to protect sensitive data related to the public school district and its students.

BoardDocs, a Diligent brand, is a cloud-based school board management software. Unlike many cloud-based services, BoardDocs boasts physically secure servers (that are video monitored) and 256-bit encryption, the strongest level of encryption currently available. These elements ensure privacy and security for your board's most confidential and sensitive data.

BoardDocs' software encrypts all data, features automatic archiving in the 'Library' function, and has a daily backup service to help mitigate risks related to sensitive data loss or exposure. Additionally, users can access 24/7 technical support, free of charge. These features and functions are important to BoardDocs as they help support an efficient, effective, and successful school board. Ensuring that your board's information is protected and secure means that your board has more time and energy to spend on other important governance issues.

Leveraging board management software helps school boards mitigate the risks of sensitive data exposure or loss. BoardDocs' security and features support and promote cybersecurity procedures that protect the sensitive information of your district and your students. Maintaining secure and encrypted digital records, strong recovery methods, and a secure cloud network encourages a culture of strong cybersecurity practices.
Lena Eisenstein is a former Manager at Diligent. Her expertise in mission-driven organizations, including nonprofits, school boards and local governments, centers on how technology and modern governance best practices empower leaders at these organizations to serve their communities with efficiency and purpose.