How Schools Can Break Through the Fog of Cloud Security

Guest Post by Rachel Burger

When a school administration company goes bankrupt, what happens to the student records?

It turns out that the answer is unclear, as many school districts that used ConnectEDU Inc. discovered this year. As many as 20 million student records were sold and are now unaccounted for across the country. Joel R. Reidenberg, a law professor at Fordham and Princeton universities, told Education Week, “This is a significant red flag for the treatment of student information by education technology companies.” Moving forward, what can schools do?

The past twelve months have been difficult for cloud security. Gazing back at Heartbleed and the Apple iCloud breach, experts are already saying that more cloud data failures will be “inevitable” in 2015.

For schools, cloud security breaches pose a particularly dangerous situation.

In the United States, student personal information is taken seriously. The Family Educational Rights and Privacy Act of 1974 (FERPA) requires that schools must have a student or legal guardian’s consent before disclosing their data, including enrollment status, billing information, and education records.

Even before publishing a directory with student telephone numbers and addresses, the school must inform parents and students that such a guide exists and give these stakeholders a “reasonable amount of time” to opt out. This law applies to “educational agencies and institutions that receive funding from the U.S. Department of Education.”

This federal law has serious consequences if student data is released without the student’s consent, including the potential for a university to lose federal funding.

Aside from FERPA, a major security breach could violate the Fair Credit Reporting Act, PARCC, the USA PATRIOT Act, the Health Information Portability and Accountability Act, among dozens of other laws.

With all this in mind, schools are in a bind. Cloud-based school management software tends to be cheaper than locally-stored systems. And with schools struggling to optimize their budgets in the wake of aggressive cuts to education funding, many feel stuck. They don’t want to jeopardize their students’ secure information, but they can’t afford large, one-time software purchases (which average $4,000).

Luckily, there are some best practices to follow when opting for a cloud system.

Make sure your server is running the latest software patches and that your firmware is updated. Ask your IT administrator to set a static DNS server IP address and to disable DHCP. Make sure that all administrators have a unique login and password—that’s different from the default provided by the software. Use a secure encrypted connection like SSL or TLS. Never forget to password protect all of your devices—and make sure your passwords are strong and regularly changed.

But that is all basic cloud security protocol. When it comes to school privacy and all the security and financial risks that come with doing business over the cloud, school administrators should know the right questions to ask when considering school administration software.

According to Capterra’s IT professionals and Azreen Latiff of QuickSchools.com, school IT departments should ask their potential vendor:

• Can you tell me about the baseline technology?

• Do you have any enterprise customers?

• How is our privacy safeguarded?

• What data is encrypted?

• What kind of encryption do you use?

• Can you install a local instance on a school server? What about a district (as it applies)?

• How can our school use your software to communicate with parents and guardians?

• Who owns the data?

• Who is authorized to view or change student data?

• Can you provide us with references?

Naturally, your school or district might have a lower or higher risk tolerance than the next, or might be able to spend a little more on security, but every school administration software option should be compliant with local and federal laws. After so many schools suffered through major data breaches this past year, school administrators are experiencing a painful wakeup call.

As for education technology companies going bankrupt like ConnectEDU Inc., that’s not out of the question.  Joel R. Reidenberg explains, “Many ed-tech companies today are small startups, collecting lots of data. Many of them are not going to succeed. What's the protection when these companies go bankrupt?” Laws are already moving into place to protect student data, like California’s Student Online Personal Information Protection Act, but legislators have a long way to go to create meaningful policy.

School administrators need to avoid the dark clouds ahead. They should contact their current school administration software vendor and ask the abovementioned questions to make sure that, on the school’s side, their students’ information is safe. If their student’s data isn’t encrypted, if there isn’t a good way for the school to communicate with parents and guardians, and if the software doesn’t have a solid background in providing excellent service and security to other customers, it may be time to choose another option.

This post was contributed by Rachel Burger who writes for Capterra SchoolAdministration Blog.