At Slate Enclave, our private school clients have a lot of questions when it comes to FERPA and how they can protect student education records. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects students’ private information in schools that receive funds from the U.S. Department of Education.
When it comes to data breaches, we usually hear news stories about hackers exposing Protected Health Information (PHI) records from healthcare organizations or stealing Personally Identifiable Information (PII) stolen from large organizations like Target or Equifax.
However, in the education sector, we are noticing an uptick in data breaches leaking student education records. Just this November 2020, the Baltimore County Public Schools system shut down for several days after a ransomware attack. Comparitech notes that since 2005, more than 24.5 million records have been leaked from U.S. schools alone. FERPA is designed to protect students’ private information and hold schools accountable for these data breaches when they occur.
Student Education Records
Student education records include a multitude of Personally Identifiable Information (PII) and Protected Health Information (PHI). People with access to student education records can find out the student’s name, parents’ names, address, contact information, grades, test results, class schedules, previous schools attended, disciplinary actions received, any health information provided to the school, as well as special education records and more.
The depth of information included in student education records is enough for hackers to open credit or steal identities. Since most children and young adults are not tracking their personal credit, student education records are very appealing to malicious hackers.
With an understanding of what needs to be protected, the U.S. Department of Education has provided guidelines that can assist in protecting this data.
Family Educational Rights and Privacy Act (FERPA)
In today’s digital world, most industries have regulations and frameworks to protect the privacy of individuals, and students are no different. FERPA protects the privacy of parents and children under the age of 18 by providing the following rights:
- Giving parents and eligible students access to their child’s educational records.
- The ability for parents and eligible students to obtain records and amend them when necessary.
- Require schools to receive written permission from a parent or the eligible student to release any student education record.
- Allow schools to disclose student education records to specific parties under specific conditions, like the state and local authorities.
Under FERPA, schools are also allowed to release student directories, as long as the parents and eligible students are informed and have enough time to request not to be included in the directory.
FERPA Security Solutions
With the rise in data breaches, educational institutions must take necessary precautions to prevent cyberattacks and have a plan in place if an attack occurs. If a school falls victim to a data breach, FERPA requires the school to inform the parents and eligible students and holds them liable for a fine of, on average, $250 per record.
Schools can protect student education records by implementing similar frameworks and security solutions used to protect PHI. At Slate Enclave, we help our clients implement a comprehensive plan, such as the Cybersecurity Framework, and apply the appropriate family of controls to protect the student data. We ensure our security solutions involve all stakeholders, and have the appropriate buy-in and support from all business units. We also take into account that most school information systems are very complex and require the integration of legacy systems with new systems.
Once the proper framework is in place, it is imperative that best practices are followed and the controls are monitored to ensure the continued protection of student education records. And should a data breach occur, we help our clients take the right steps to mitigate the situation, prevent data loss, and recover stolen records promptly. As always, our goal is to prevent data breaches from happening in the first place.
If you have questions about cybersecurity and how to safeguard your private school, contact us. Slate Enclave is the trusted partner for custom security solutions, tailored to your organization. Our team performs audits for organizations to determine where their security systems are deficient and how to mitigate these deficiencies.