Schools in western New York were temporarily closed this winter due to cyberattacks. In-person classes were canceled in the Victor Central School District after malware locked users out of key systems (e.g., SchoolTool, Transfinder) in January. Both in-person and remote classes were halted in Buffalo Public Schools after a cyberattack in March.
The problem is widespread and getting worse. Since 2016, there have been 1,180 publicly disclosed cybersecurity-related incidents involving U.S. public schools, according to the K-12 Cybersecurity Resource Center. In August and September, 57% of ransomware incidents reported to federal authorities involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July, according to the Cybersecurity & Infrastructure Security Agency, which is part of the federal government.
Unfortunately, the question is not “if” your school district will become the victim of a cyberattack, but when. If successful, the consequences often include disruption of critical school operations, exposure of sensitive personally identifiable information (PII) of students, teachers or staff, and, in many cases, ransom demands.
The U.S. Treasury Department has noted that cybercriminals are getting more sophisticated [see sidebar]. Every school board in New York State should be asking questions about the adequacy of the district’s defenses for a potential cyberattack and ensure that appropriate policies (including insurance policies) are in place. This article will explain the most common threats and make recommendations for action consistent withstate and federal law.
Types of cyberattacks
Cyberattacks come in many forms. They include:
Phishing. More than 90% of cyberattacks involve receipt of seemingly legitimate emails that invite users to reveal personal information or click on links that ultimately install malicious software. For example, employees may receive an email from the “Head of School” asking them to submit personal information for W-2 forms, but examination of the sender’s email address will reveal it to be a fake. Thus, school staff should be trained periodically on how to detect phishing emails and websites, as well as how and to whom phishing emails should be reported.
Ransomware. After malicious software encrypts data, the target school district may be contacted and offered a key if a ransom is paid (often via bitcoin, which is untraceable). The FBI estimates that paying a ransom could cost between $100,000 and $300,000, but could be negotiable. For instance, a school district on Long Island paid hackers nearly $100,000 in 2019 to recover data from a ransomware attack. That same year, the Syracuse City School District decided to pay a $50,000 insurance deductible to restore its computer system because of a ransomware attack, according to news reports. Best practice dictates that school districts have reliable backup servers that are not accessible by the rest of the district’s network and are regularly backed up.
Distributed denial-of-service. A computer system can be overwhelmed by multiple, simultaneous requests called a distributed denial-of-service (DDoS) attack. These are not preventable in a system that permits remote access. Thus, it is critical to monitor a school’s network to detect DDoS threats early on and develop a policy or procedure to respond to such an attack. Additionally, school districts may consider obtaining cloud services to mitigate DDoS attacks by focusing on protecting the underlying internet connection or higher-level web servers.
Data breaches. Data breaches occur when secure confidential information is released to an insecure environment. Data are then either copied, transmitted, viewed, stolen, or used in an unauthorized manner. In the education sector, while 81% of data breaches are caused by external attackers, the remaining 19% are caused by a combination of accidental, negligent, and intentional harmful activity by insiders, according to the National Association of Independent Schools. Data loss prevention solutions detect and prevent data breaches but these, like cloud services, can be cost-prohibitive. So, school districts may consider other cost-effective cybersecurity measures, including encryption services, staff training, obtaining insurance coverage to ease the cost of damage, and/or a third party audit of school technology systems. Liability issues
When cyberattacks or data breaches occur that
compromise student data and/or teacher or principal data,
school districts have specific obligations under state and
federal law. The federal Family Education Rights and
Privacy Act (FERPA) and New York State Education
Law Section 2-d and corresponding regulations (Part
121), require school districts to report and guard against
unauthorized acquisition, access, use or disclosure of
student data and/or teacher or principal annual professional
performance review (APPR) data by or to a person who is
not authorized to acquire, access, use or receive it.
Noncompliance with data privacy statutes and
regulations may expose schools to significant liability,
including monetary fines and/or legal action. For
instance, students in the Miami-Dade school district
sued the school board in 2017 after their social security
numbers were inadvertently posted online. In that
case, the students requested monetary damages and an
“overhaul” of school district policies on the protection of
student information. They also filed a complaint with the
U.S. Department of Education for a violation of FERPA.
Proactive measures and steps forward
School officials should consult with their insurance
carriers to discuss coverage and/or protection as it relates
to cyberattacks, including demands for ransom payments.
If they have not already done so, school boards should
adopt policies relative to data protection and security
including appropriate breach response and notification
procedures. They should ensure that there is a chain
of command and protocol to follow in response to a
[Editor’s Note: Contact NYSSBA Policy Services for
sample policy and regulation No. 8635, Information and
Data Privacy, Security, Breach and Notification. See also
“Switch to online learning highlighted obligation to protect
student data” in the June 8, 2020 issue of On Board.]
Contracts with all third-party vendors that have
access to or receive student or teacher or principal data
from the school must be in accordance with Education
Law Section 2-d to ensure that data is protected both
during and after the term of contract. (Your school
attorney can assist in such matters.)
State Regional Information Centers provide many
services involving district computing and protection
of data, and they can provide recommendations for
employees to avoid falling for phishing emails. In addition,
school districts should consider conducting an audit to
assess their electronic or cyberspace vulnerabilities. For
instance, schools should examine whether those employees
who have access to personal or sensitive information, such
as social security numbers, actually need that information
in order to perform their jobs.
Backups are essential but not foolproof. Third-party
cybersecurity companies may provide guidance and
troubleshoot with school districts as to how to safeguard
Should an incident occur, school officials should work
to identify who was impacted and who or what caused it,
shut down all systems and disable the network, identify
how the technology was impacted, host an after-action
review or lessons learned meeting, including a discussion
as to whether or how existing policies or plans should be
revised or revisited.
Preventing cyberattacks can be costly, complex
and time-consuming. School board leadership and
administrative preparedness can make the difference
between your school district suffering a paralyzing
cyberattack and experiencing a nonevent.
Members of the New
York State Association of
School Attorneys represent
school boards and school
districts. This article was
written by Andrew Freedman
and Lindsay Menasco of
Hodgson Russ LLP.