In response to recent cyber attacks on school systems, U.S. Senator Charles E. Schumer released a letter to the Department of Homeland Security expressing the critical need for DHS to investigate where the attacks are originating and to help fill the cybersecurity gaps in school districts’ EdTech. Senator Schumer’s letter to DHS noted that security breaches not only put vulnerable data at risk, but also subverted teacher lesson plans and interrupted student learning.
As the government continues to recognize the importance of cybersecurity in K-12, it is crucial for school districts to expand their focus beyond their own organizations to include the third-party vendors that store or access sensitive data. To begin, consider the following questions:
Do you have a comprehensive and easily accessible inventory of all the district’s vendors?
Who maintains the list and how often is it reviewed? Is an individual business owner responsible for the management of each vendor relationship?
Do you know which vendors store or have access to sensitive data, and what specific data that is?
Do they receive data feeds? Is the data feed continuous, requiring manual termination at the end of the contract?
Can the vendor access your internal network?
Can they enter your facilities without supervision?
Do all vendors have contracts with data breach clauses including (i) breach notification timelines, (ii) forensic analysis, (iii) remediation process, (iv) timelines for remediation and resolution, (v) indemnification of costs to remediate, and (vi) minimum cybersecurity and Errors and Omissions insurance coverage?
Many vendors host data in the cloud, which should be, but is not always, properly secured. Because EdTech is still in its infancy, security is not something that should be taken for granted. EdTech services include technology integration training, data analysis, management applications and large-scale network infrastructure projects, making school districts and their vendors ideal targets for a breach, as they can possess sensitive data such as learning records, Social Security numbers, and health records.