The New Hampshire Department of Education Commissioner, Frank Edelblut, called for increased cyber security in schools in a recent Concord Monitor column. Commissioner Edelblut notes the increasing rate at which hackers are targeting schools and highlights how in response to this threat, the New Hampshire legislature passed HB 1612 this past session, requiring all schools to develop a data security plan.
The column does not mention how schools should fund such plans, however. New Hampshire uses a funding formula to allocate state funding to districts and schools, which is currently set at about $3,600 per student. That amount is based on one technology coordinator per 1,200 students, $75 per student on technology (at the rate of 1 computer for every 4 students), and does not include any money for cybersecurity.
Here in the Granite State, we have seen only a couple of cyberattacks upon school districts and their computer systems in recent years.
In 2016, a “denial of service” attack in one school seriously impacted its network functionality. That same year, another school was struck with a W-2 email phishing scam that affected the personal information of teachers and other school employees. Other schools around New England have also been hacked by breaches, ransomware, phishing schemes and even social media hacking that led to employees being targeted.
The state of New Hampshire, including the Department of Education, has been concerned about and studying these incidents to prepare to assist districts with the information they need to protect themselves and the privacy of student and teacher personal information. The Legislature passed and the governor signed House Bill 1612 into law this session, requiring all public and nonpublic schools to develop a data security plan to protect students, teachers and department records from cyberattacks. The plans must be implemented by June 2019.
This new requirement is an important step for the safety of sensitive and personal records. Districts must have an inventory of all software applications, digital tools and other products, and must know who is using those applications, the purpose of usage, terms and privacy statements. Service providers doing business with districts and schools must also meet – or exceed – minimum safety standards for data protection and privacy. Each agency must also publicly make available the rights of parents and students under the Family Educational Rights and Privacy Act.
The U.S. Department of Homeland Security has a number of priorities for K-12 schools to consider when updating their threat infrastructure. A planning process – Guide for Developing High-Quality School Emergency Operations Plans – has been developed to assist school districts in preparing for potential cyberattacks. DHS will also offer, free to schools, testing to help schools identify vulnerabilities so they can prevent problems. The department advises districts to also report all incidents to the Field Cyber Task Force of the FBI, the Internet Crime Complaint Center or the U.S. Computer Emergency Readiness Team.
Securing important and sensitive data in our schools is the natural and expected response to the ongoing modernization of our schools and learning systems. As more technology finds its way into education, the appropriate response is to responsibly deploy that technology so that it benefits students without creating unnecessary risks or harm.
Since the funding formula does not include cybersecurity, the legislature would have to appropriate additional funds for it through the budget or schools will have to use local property taxes to pay for any new systems or upgrades as part of the data security plan. Last year, the Legislature approved $30 million in grants for boosting school safety, but that has largely gone to physical security like door lock upgrades, installing security systems and cameras in schools, and reinforced windows.