According to a recent survey of public school parents by the Future of Privacy Forum, more than seven in 10 parents are comfortable with a properly protected electronic education record being created for their child as a valuable tool for improving their educational opportunities. Interestingly, almost all are more likely to support collecting and using data in an electronic record—if they know a school or educational service provider is required to ensure proper security.
Unfortunately, the survey also found that a majority of parents are worried that their child’s electronic education record could be hacked or stolen. When asked about trusting servers maintained either at schools or contracted to private companies, 20 percent believe that neither location would be secure.
These findings match general population surveys about the confidence in various entities to secure personal or sensitive data of any kind, including credit card companies, retailers and others that collect personal information. People want the benefits and convenience of electronic storage and access, but are concerned about the vulnerability of their information.
This is a “trust gap” that companies and schools can work together to close by demonstrating increased understanding of parental concerns, strong policies and practices, and good communications among all stakeholders.
To help companies make sure they are getting security right, FPF has released Quick Security Tips for Vendors that focuses on the most common security concerns for edtech service providers. A few examples from it include:
Encrypt Your Data, At-Rest or In-Transit: Network traffic is easily monitored or intercepted on open Wi-Fi networks or over the wire by a network operator. Prevent sensitive data from being accessible to unintended parties by using HTTPS (SSL/TLS), and never send passwords in clear text.
Update, Patch and Protect! Many data breaches occur by exploiting vulnerabilities when there are known fixes. Require relevant personnel to patch and update software and systems quickly, routinely, programmatically and in accordance with policy. Run scans and tests to confirm vulnerabilities are addressed.
My Dog Ate My Laptop: School laptops or devices get lost or stolen every day. Schools and vendors should require full-disk encryption on all laptops and workstations. In fact, all data under your control should be encrypted – including internal servers, third-party servers, and any walk-around device. Don’t forget all those USBs, either: portable storage of any kind should be encrypted.
Passwords Still Matter: Require development teams to deploy two-factor authentication on web-accessible logins. While not always practical, especially for young children, it’s an essential layer of security. When this is not possible, practice “strong password” rules and controls.
Cloud-y, With a Chance of Risk: More data has meant more cloud storage, and this brings its own set of considerations. If student data is stored in the cloud, but not encrypted before it’s sent, the cloud provider has physical access to the information.
Hosting that Third Party: If a third-party partner or subcontractor has access to student data, then it has the same responsibility and authority for that data as the primary vendor.
This is common practice within the edtech business market. The primary vendor in a relationship with a school or students should seek a variety of contractual constraints governing how subcontractors or third parties use, share, store and secure data.
There are other important security tips that should be part of the baseline plan, including (but not limited to): how to respond to breaches if they occur; insurance coverage; security training for employees; and a system or process for logging and monitoring all administrative activities related to student data use and handling.
FPF’s “Service Providers” page on the FERPA|SHERPA website has a more complete list of resources to get student data security and privacy right, including a complementary “Quick Privacy Tips for Vendors” to assist edtech companies with setting up the foundations for good privacy policies.
The fundamentals of privacy and security are the basics of good digital housekeeping. At the same time, they may also mitigate corporate risk.
Companies should be aware that the Federal Trade Commission has the authority to bring enforcement actions against companies that do not provide reasonable security for sensitive data, an authority that was just affirmed by the recent court decision in the case of FTC v. Wyndham Worldwide Corporation. The court held that the FTC could use its authority to prevent unfair practices and that poor security was certainly an unfair practice, even if the FTC hadn’t spelled out exact rules on what reasonable security requires. Here’s a general list of useful security tips that companies should review carefully.
The FPF tips and the FTC guidance are not technical manuals, nor are they meant to be a comprehensive security requirements list. But they can establish a more responsible, protected framework, useful from either the perspective of a school administrator or an edtech service provider. Equally important: If companies and schools use these principles in their communications with parents, they can provide the needed reassurance that schools and vendors understand parents’ concerns and are following the right policies to address them.
Most important, of course, is that these steps are completely necessary to develop the trust and transparency among schools, parents and students required to take digital learning to the next stage of excellence.
Jules Polonetsky is Executive Director and Co-chair of the Future of Privacy Forum; Brenda Leong is Senior Counsel and Operations Manager there.