The K-12 Cybersecurity Act of 2021: Will it Go Far Enough?

Learning has been seriously disrupted and fundamentally altered by the pandemic. While schools everywhere have learned valuable lessons about high-tech teaching by adapting to remote learning and by creating more equitable access to technology than ever before, schools have been facing a parallel pandemic of their own - cyberattacks.

The K–12 Cybersecurity Act of 2021 , the federal government’s first foray into K-12 cybersecurity, was passed into law in an effort to aid student data security. The law charges the director of the Cybersecurity and Infrastructure Security Agency (CISA) to bring together a team and gather appropriate stakeholder input from K-12 schools around the US over a four-month period, then consolidate that knowledge into a set of cybersecurity guidelines over the next two months, followed by the development of an online toolkit to assist school districts as they strengthen their digital security environment.

There is optimism that this legislation will lead to needed action by school districts to protect themselves from data breaches, and it has never been more imperative:

• Cyberattacks have hit schools and colleges harder than any other industry during the pandemic. In 2020, including the costs of downtime, repairs and lost opportunities, the average ransomware attack cost educational institutions $2.73 million. That is $300,000 more than the next-highest sector which was distributors and transportation companies.
• Over a single month in the Fall of 2021 coinciding with the start of school, educational organizations were the target of over 5.8 million malware attacks - 63% of all the attacks that took place.
• Ransomware attacks alone impacted 1,681 U.S. schools, colleges and universities in 2020. Globally, 44% of educational institutions were targeted by such attacks.

Courtesy of: GCN (Government Computer News)

Learning is one of the most important aspects of a child’s life, and the responsible use of personal information by educational technology providers is key when educating today’s youth. All students’ personal information deserves to be safeguarded at school.

Increased data security training could be required at all US schools. It will help ensure fewer costly cyberattacks occur as many malicious actors gain access through phishing or social engineering. The federal government could incentivize school districts by offering to subsidize cyber insurance premiums and the training itself, contingent on meeting certain requirements, such as ensuring that the training of all staff is not a one-time event but is maintained over time.

All US schools could be required to maintain a data breach incident plan and to update that plan regularly and all districts could be required to have at least one individual on staff who is solely responsible for cybersecurity. US school districts could also be advised to buy cyber insurance. To ensure equitable access to this valuable protection, the federal government could explore providing their own insurance scheme, like the National Flood Insurance Program that was established by an act of Congress in 1968.

EdTech providers could be required to meet required data security standards and agree to protect student data when a school or college uses its online services. Increased federal support for compliance efforts such as these could be helpful. Educational staff at a school should not be expected to judge a provider’s adherence to digital privacy regulations or check it has implemented appropriate data security measures. Educational institutions could have access to a list of approved vendors to assist in making informed choices when it comes to EdTech providers.

It remains to be seen what recommendation the CISA will come back with, but PRIVO supports the effort and looks forward to a robust conversation being conducted nationwide with education security stakeholders.

Learn more about student digital privacy.

Written by Patrick Davenport, PRIVO's Student Digital Privacy Program Manager