Data breaches, cyber hacks and ransom notes…in Schools. Who is legally liable for K-12 student data privacy and security?
K-12 students and parents are hostage to the data overlords. No, I mean really, hostage, in every sense. As Natasha Singer points out here and here, “BigData” and edtech have taken over our classrooms. Schools and students are held hostage, literally. Imagine being a parent in the Montana school district of Columbia Falls, where students’ school security camera footage and student and staff personal records, including name, age, address, counselor records, IEP status and more, were recently hacked by a (yet to be captured) cyber terrorist(s), who has sent ransom notes to the school and sent texts directly to the parents, threatening to harm their children. What? You haven’t heard about this hack? Read more about this story here and here (and read the full ransom letter that caused a three-day shutdown of 30+ schools in this district). A short excerpt from the hacker ransom note follows below.
“Columbia Falls isn’t the first community where this has happened and there are other active investigations…”
“…We know who you are, Columbia Falls. We know everything about your operation. We know everything about your schools and the children in them. Your nursery children, your primary children, and your secondary children. We know who the problem children are, who the honour performing children are, and even who many of the parents are. We have educated ourselves and made ourselves aware of your entire lives. Today, we’re invading your lives and offices in the form of a letter filled with verbose, condescending, and abusive language. Yikes, right?…
We are sure that by now you are wondering who this internet stranger is. We are thedarkoverlord and it’s a pleasure to finally be speaking directly with you, Columbia Falls, under our real identity. (You may remember us as that pesky telephone number of XXXXXXXXXX). If you receive a message from us, it means you have been completely and thoroughly attacked and breached by an organised entity of creatures who are motivated only by their love for internet money and are responsible for some of the most serious breaches and security violation incidents in the last year.
We could go on and on about the student’s material, but frankly, it hurts our eyes to read. Bloody rubbish. It’s a shame we don’t offer writing lessons as your students could certainly use them. A quick trip over to your secondary school’s domain controller, XXXXXXX, gave us a slew of great reads. Especially from your counselor and social worker. XXXXXXX in particular had some great reads about various students at the school. Some real work, these kids are. We could go on and on.
[Personal private information of students and examples of data redacted]
As we stated before, we could go on and on, but we’re sure you get the point. Notes from the Student Assistance Program are gold as well. Don’t even get us started on the thousands of emails we’ve collected from various faculty and all of these IEP and 405 reports. However, we have one final tidbit of juice for you all to digest, one of the initial reports sent out by XXXXXXX.”
…Imagine if we published all of your sensitive behavioural reports from your counselors and social workers on the open internet. Imagine if we published student grades and even the shoddy student work. How about nurse reports and private health information? What would the parents have to say about this? What sort of lawsuits would they begin? What would happen if everyone found out the reason we closed down multiple districts and over thirty sites is due to your failure to secure your networks?
[Description of report redacted] …read more here.
Is this the tip of the iceberg? Are schools secure and adequately able to protect children’s data? Could it be that K-12 student data breaches are under-reported, already happening and parents are just not told about it?
The databreaches.net site has been tweeting about this situation for several days. They are familiar with this particular hacker group and speculate whether a media blackout intended to protect the victims actually allowed hackers to grow in strength and numbers. Read the post about the media blackout and the darkoverlords here. Similarly, are schools, by NOT alerting parents to known security inadequacies, increased phishing scams, ransomware, and cyber threats targeting schools, actually exacerbating the problem?
Could hacks like this breach in Montana be prevented or lessened if sensitive student data were not allowed to be kept in insecure databases? YES.
Even EdSurge, who often promotes online “personalized learning” and tech in the classroom, recently wrote about Why the State of Surveillance in Schools Might Lead to the Next Equifax Disaster.
We know that no data is 100% safe. The only truly safe data is data that is not collected.
Breaches are happening daily, yet the data-hungry nonprofits, edtech, and government agencies continue to collect and share student data (without parent consent). Now these lawmakers have proposed even more sharing with another database and a national student data sharing service, which one proponent likened to a “Pinterest for student data.”
There currently is NO ENFORCEABLE PENALTY when a data breach happens in schools. There is no way for parents to opt out of student data collection and sharing, since FERPA was weakened in 2011 to bypass parent consent. Also, FERPA has no private right of action (meaning unless you have money to burn suing the government, you have no recourse).
There is so much talk of holding schools accountable…
what about accountability for our children’s privacy and for keeping their data secure?
- WHO IS LIABLE AND RESPONSIBLE FOR THE EDTECH, DATA HOSTAGE SITUATION in K-12 Schools?
- WHO OWNS STUDENT DATA? (Should data belong to the student who generated it? Yes, even the globalists agree with personal data ownership, but for different reasons: see page 6 of this 2009 publication.)
- WHO WILL PROTECT OUR CHILDREN FROM THE NEXT BIG BREACH?
#FixFerpa #ReturnConsent #Identity #IntellectualProperty #Privacy #Security #EnforceablePenalty