Schools have a responsibility to protect their student data. In their data centers and cloud deployments, schools house addresses, social security numbers, health information, transcripts, and other sensitive student information that cannot fall into the wrong hands. Therefore, the school must do everything it can to implement and maintain a strong security strategy. In the event of a student data breach, however, the school must also be prepared to respond accordingly.
Should the worst happen and the school suffer a data breach, here are a few steps the organization should pursue.
Two Student Data Breach Scenarios
There is no one way for a data breach to occur. Hackers have a wide variety of methods to extract data from a data center. The school’s response will vary based on the kind of attack the school suffered.
Scenario 1: Stolen Laptop
Over the weekend, one of the teachers or administrators brought a work laptop home to complete a few tasks before the next week. Sometime during the weekend, the laptop was stolen. Regardless of whether or not the computer was password protected, it contained unencrypted data. In this scenario, it is impossible to know the intentions of the thief. They may plan to simply wipe and pawn the laptop for a few bucks, but there is also the potential for serious identity theft or further theft of student data.
The first step would be to assemble or contact the existing Incident Response Team (IRT), a group of IT professionals and administrators tasked with responding directly to a data breach. The IRT should then take the following steps:
- Interview the owner of the laptop and take inventory of all potentially sensitive information on the laptop
- Contact the school district attorney to discuss whether additional legal support will be necessary in light of the lost information
- Notify the superintendent and the school board to make them aware of the situation and prepare them to answer questions from parents and the community
- There are state and federal laws regulating how and if a school must notify members of the community in the event of a student data breach. Consult with the attorney, using the inventory of lost information to see what legal steps must be taken
- The school may be required to offer credit monitoring or identity theft services to students affected by the breach. Consult with the school district attorney
- Large scale breaches may require the assistance of a contact center to answer the questions of parents and press. Develop a call script and communication strategy to address questions and maintain a consistent message
- Review data encryption policies or establish new ones to prevent a loss like this in the future
- Draft a comprehensive report of the incident and the team’s response for school records. This report can serve as a reference document if a breach happens in the future
Scenario 2: Phishing Email
Some of the most malevolent data breaches have little to do with your security applications at all. Phishing attacks attempt to trick your staff and faculty into clicking malicious links or revealing sensitive information. They prey upon people’s good intentions and trusting nature.
A faculty member receives an innocent-looking email, apparently from the superintendent, asking him or her to follow a link and verify email credentials. The faculty member enters their login information as requested before realizing the error. Some unknown entity, person, or organization now has valid login credentials for the school network. Here is how the IRT should respond:
- An IT member of the IRT should take the lead on this response due to the technical nature of the breach
- The IRT should look into the network activity to see whether someone other than the victim has accessed the network using the victim’s login credentials. Note what network areas have been accessed
- After documenting the what, when, why, and how of the breach, consult with the school district attorney to decide whether law enforcement should become involved
- All faculty and staff should update their login credentials and change their passwords
- The attorney should also be consulted to determine whether the rest of the staff should be notified of the breach or simply given additional training to spot and prevent phishing attacks
- Draft a communication plan to notify affected parties or the entire staff and community
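A minimal form of the logon review described in the second bullet above, added here as an example and not code from the original article: it reads authentication log lines (constructed for this example, in a made-up format), builds a baseline of the source addresses the victim used before the credentials were entered on the phishing page, and then lists every later logon with that account from any other address, together with the resources that were touched.

```python
# Added example: find logons with a phished account that did not come from the
# victim's usual source addresses. Log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Fields: timestamp user source_ip resource result
SAMPLE_LOG = """\
2024-03-04T07:55:12 jdoe 10.20.5.14 mail success
2024-03-04T08:02:41 jdoe 10.20.5.14 gradebook success
2024-03-04T08:10:03 jdoe 198.51.100.23 mail success
2024-03-04T08:11:30 jdoe 198.51.100.23 student-records success
2024-03-04T08:12:07 jdoe 198.51.100.23 hr-files failure
2024-03-04T09:00:00 asmith 10.20.5.40 mail success
"""


def parse_log(text):
    """Turn the constructed log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, resource, result = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "resource": resource, "result": result})
    return events


def suspicious_access(events, victim, compromised_at):
    """Return {source_ip: [(resource, result), ...]} for logons as `victim`
    at or after `compromised_at` (ISO timestamp) from addresses the victim
    had not used before that time. Failed attempts are kept as well, since
    they show what the intruder tried to reach."""
    cutoff = datetime.fromisoformat(compromised_at)
    baseline = {e["ip"] for e in events
                if e["user"] == victim and e["time"] < cutoff}
    hits = defaultdict(list)
    for e in events:
        if (e["user"] == victim and e["time"] >= cutoff
                and e["ip"] not in baseline):
            hits[e["ip"]].append((e["resource"], e["result"]))
    return dict(hits)


if __name__ == "__main__":
    report = suspicious_access(parse_log(SAMPLE_LOG), "jdoe",
                               "2024-03-04T08:05:00")
    for ip, accesses in report.items():
        print(ip)  # an address the victim never used before the phish
        for resource, result in accesses:
            print(f"  {resource}: {result}")
```

The resulting list of addresses and resources is the "what network areas have been accessed" record the IRT hands to the attorney; in a real environment the baseline should be built from a longer history than a single morning.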