K-12 - Privacy And Cyber Security Balancing Act
As a person who often speaks to K-12 schools about enhancing their cyber security and privacy curriculum, it always amazes me how unprepared most of them are for the huge threat they have to student information. The Family Educational Rights and Privacy Act is a privacy law that governs educational institutions, and it applies to all schools that receive funds under an applicable program of the U.S. Department of Education. However, the law is mostly about student records and having parental consent before sharing sensitive information, not how schools should actually protect their student information.
There does not appear to be a specific law that gives educational institutions guidance on how they should go about protecting information. I don’t know if it is my lack of personal experience with the inner workings of the privacy and cyber security operational aspects of educational institutions or maybe it’s a business opportunity for me. However, from my experience conducting FBI investigations where universities were involved, to moonlighting as a college instructor, there seems to be a lack of true understanding about the “how's” of protecting student information. And if the colleges do not get it, the K-12 community has no chance.
You can imagine how the conversations go with my children’s school about protection of their personal information. Normally, I get a “well, you just have to trust us.” Sometimes I actually say what I am thinking, which is that the only places where I actually share all of my children’s personal information are schools, doctors and the IRS. Therefore, if there is a breach of my children’s information, I know exactly who to sue.
Recently, I went to some folks in my local high school here in Texas to discuss curriculum development and was shocked to find out how much they struggle with getting the right staff, with the right experience, to teach cyber security and privacy. For me, there is a huge opportunity for industry to pick up the ball here. When K-12 schools teach cyber security and privacy (let’s say to help with the skills gap), they increase their awareness and knowledge, begin to ask the right questions, and implement some of the practices they are teaching. The students will also gain knowledge and be better prepared to become a part of the ever-growing and changing cyber security and privacy communities. This is what you call a win-win!