The public and the press have been rightfully focused on a myriad of issues concerning school safety in recent months with officials at the local, state, and federal level working on plans to protect the wellbeing of our children, teachers, and administrators while they are in school. In addition to these risks, another danger lurks just outside of our schools and, in many cases, has actually gotten in, resulting in countless problems. That danger is cybersecurity attacks and information ransomed by hackers.
Hackers have hit cities and towns across the nation – from a 911 system in Baltimore to a ransom-ware attack in Atlanta to phishing schemes in Washington state – and computer and data held hostage for financial gain. Schools have not been immune to these attacks with more than 300 hit since 2016, and nearly 800 breaches since 2005, according to security experts and press reports. Most recently, a county school district in South Carolina had criminals demanding tens of thousands of dollars to release hacked servers from their clutches. Another school district – in Roseburg, OR, – after doing all it could to avoid paying the ransom, paid the hackers to retrieve lost student data. Professionals in the field of cybersecurity have issued public warnings, too, that most schools are not protected or prepared for similar attacks.
Here in the Granite State, we have seen only a couple of cyberattacks upon school districts and their computer systems in recent years. In 2016, a “denial of service” attack in one school seriously impacted its network functionality. That same year, another school was struck with a W-2 email phishing scam that affected the personal information of teachers and other school employees. Other schools around New England have also been hacked by breaches, ransomware, phishing schemes, and even social media hacking that led to employees being targeted.
The state of New Hampshire, including the Department of Education, has been concerned about and studying these incidents to prepare to assist districts with the information they need to protect themselves and the privacy of student and teacher personal information. The Legislature passed and the governor signed HB 1612 into law this session, requiring all public and nonpublic schools to develop a data security plan to protect students, teachers, and department records from cyberattacks. The plans must be implemented by June 2019.
This new requirement is an important step for the safety of sensitive and personal records. Districts must have an inventory of all software applications, digital tools, and other products and must know who is using those applications, the purpose of usage, terms, and privacy statements. Service providers doing business with districts and schools must also meet – or exceed – minimum safety standards for data protection and privacy. Each agency must also publicly make available the rights of parents and students under the Family Educational Rights and Privacy Act (FERPA).
The U.S. Department of Homeland Security has a number of priorities for K-12 schools to consider when updating their threat infrastructure. A planning process – Guide for Developing High-Quality School Emergency Operations Plans – has been developed to assist school districts in preparing for potential cyber-attacks. DHS will also offer – free to schools – penetration testing, to help schools identify vulnerabilities so they can prevent problems for occurring. The department advises districts to also report all incidents to the Field Cyber Task Force of the FBI, the Internet Crime Complaint Center, or the U.S. Computer Emergency Readiness Team.
Securing important and sensitive data in our schools is the natural and expected response to the on-going modernization of our schools and learning systems. As more technology finds its way into education, the appropriate response is to responsibly deploy that technology so that it benefits students without creating unnecessary risks or harm.
Frank Edelblut was sworn in as Commissioner on February 16, 2017. The commissioner is responsible for the organizational goals of the department and represents the public interest in the administration of the functions of the department of education. The commissioner is responsible to the governor, the general court, and the public for such administration.