Student data privacy remains a top priority for senior technology leaders. Increasing attention to student data use is also occurring at state capitals and in district school board meetings across the country. How do you best ensure your district is aware of this changing landscape, and prepared to meet growing compliance needs and risks associated with securing user and district data?
In this webinar, leading voices in student data privacy, Kevin Lewis, Data Privacy Officer from 1EdTech Consortium; Jim Siegl, Senior Technologist at the Future of Privacy Forum; and Jim Farmer, Chief Technology Officer at Fayette County Public Schools, lead a discussion with insights including:
Hello, welcome today. Welcome to our discussion today on Cybersecurity in K-12. My name is Klaire Marino. I’m the Vice President of Product Marketing with Lightspeed Systems, and thank you so much for spending some of your time with us today.
I have an amazing panel here of experts for this webinar. Our webinar today is entitled: Cyber Nightmares: Attacks, Breaches and Leaks.
But I feel confident that you will leave this session today with insights and actionable, actions that you can take with your district as early as tomorrow.
Before I dive in, I want to remind you that we do have time at the end of the webinar for questions. We want to hear from you, we want to hear your questions.
Troy and John will be ready to answer them, so please enter them into the chat as we go, and we will leave time for that.
All. So, first, I want to introduce our panel.
Today we have Troy Neal. He is the executive director, Cybersecurity, and IT Operations at Spring Branch ISD in Houston, Texas.
And then, we also have John Genter, who’s the VP of Security and Cloud Operations at Lightspeed Systems.
I’m going to hand it over to you, Troy, so that you can kind of give a little bit of your background for our audience today.
Sure, so, just, we’re Spring Branch ISD. We are located in Houston, Texas. We’ve got about 35,000 students with about 6000 staff members. We’re what’s called a property-rich school district, which means there’s some funding problems. We send about $75 million back to the state of Texas, which means challenges for people in IT. So, I’ve been in the IT industry for about 20 years. I’m on my third career, as I tell everybody: started in the military, in the Marine Corps, owned my own business consulting, and then what I, So, everybody, I just wanted, enterprise. We’re larger than most enterprises in K-12. And so, I treat it as an enterprise, end of the day. We’re in education, and so, I spent years understanding the operational side of K-12.
Great, Thank you, Troy. And, John, please introduce yourself.
Hi, I’m John Genter, Vice President of Security and Cloud Operations at Lightspeed Systems.
I’ve been with Lightspeed coming on 17 years. So, I’ve been on this journey a long time with our, our Lightspeed folks.
I’ve done everything through customer service, customer success, support, and recently, most recently, as Security and Cloud Operations — came out of the fact that I did most of our privacy and security programs and things.
I also spent 22 years of my life as a school board trustee, and that was on a small school district of about 3500. So Troy a little bit smaller than your district, but I suspect many of the challenges are the same, funding certainly being one of them. And in those 22 years, was able to really play, I think, an integral part in the technology rollout of the district and making sure that we thought about the things and did the things.
Certainly the challenges today are much different than they were 20 years ago.
But I think that, uh, the thing that hasn’t changed is IT staffs are typically underfunded in schools and that’s a big challenge.
Great, so let’s talk about those changes as we jump in here.
You’ll see in this graph, but there’s been this dramatic increase in cyberattacks, and, in the last, I’d say, what, 4 to 6 years? So, let’s start with this question: Why do you think K-12 districts are so appealing to these cybercriminals? And what are, what are you seeing?
What types of attacks are you seeing?
Sure, you can jump on it.
Yeah, yeah, I’ll definitely start with this one. Because you have the internal and external threats. So let’s start with the external. It’s, it’s about profit data, selling data, and now it’s back to public.
So at the end of the day, it’s profit and money. And especially in K-12, it’s identity. You’re getting someone’s identity, which there’s a high value for. So I think that that’s your threat. And people know that.
And then you take the facts: underfunded, understaffed, don’t have tools, process, policy. So you’ve got that kind of external factor there. Then let’s go inside it. And if you look at the slide deck: data breach, DDoS invasion,
insider threat. We’re DDoS’ed all the time, especially during testing windows. Because kids don’t want to take tests. Actually, no malicious intent, but they just don’t want to test.
But then, you have internal threats. Kids want to try to find access. So you have these kids that one could be bored in class to just want to try something to the ones that have malicious intent. So, insider threat and issues there are probably more concerning than the external. But they’re both there and so you’ve got to factor all that into your strategy, your roadmap, buy-in training, et cetera, et cetera. But, end of the day for external, it’s money.
Yeah, I think too, the threat actors believe schools are vulnerable and the underfunding they think they’re good targets, there’s, uh, payroll systems in schools that the bad actors want to have paycheck sent to them. And then, I think, at the end of the day, and Troy said this, there’s valuable information there. If you can get a kindergartener’s social security number and information, you’ve got 15 years that you can be running, and you’re not going to probably see credit checks run against those accounts, and the bad actors know that, and see, that is highly valuable data.
That makes me think I need to go in and check all of my children’s social security numbers shine. Some of the firms are actually offering that now, where you can monitor your kids’ social security numbers and things, so not a bad idea to look into.
Yeah, definitely. Let’s see.
So, from a biggest threat perspective, what do you see? I mean, I think you touched on this a little bit, but is it malware, DDoS, Student data breaches? Where are we seeing them that’s happened with your peer institutions? And what are you talking about with your colleagues?
It’s all the above. I mean, I don’t think there’s not a specific one. It depends on the target, and the goal. So DDoS is common, especially internal versus external. I mean, you still there, but more that. Now it’s malware ransomware.
Because you want lateral movement in etcetera. So, I think, that external factor, I said, there, are always looking for your external vulnerability. First is how they get in the door, we all clicking links.
The number one vector in any organization is through spam. Somebody clicks on the link, and it’s gotten creative. Over the years, it’s harder and harder to find it. And that’s back to awareness, training, or training, and it’s everyone’s responsibility. And a little bit talking, kinda inside of things, we talked, and John talked about, elementary school kids.
It’s, as adults, we’re afraid of, no, kids can’t remember long passwords and all this stuff, kids are so far ahead of the visual world, the adult or in the way of some of this stuff. Back to education, digital citizenship, teach them the right and the wrong, and their responsibility to help this.
Because we’re all in this together.
Yeah, I was gonna say, that’s kind of a good segue to my next question, which is about starting to think about, we’re moving from the threat to, or what are some of the things that districts could be doing?
And, if we, if we talk first about, I’m interested in just some immediate, kind of, simple, low-lift things. What would be kind of 2 or 3 in that area that districts should be doing, as, as soon as they get off this call? If they’re not already, what would be your recommendations there?
Number one is awareness, and it’s everyone’s responsibility, That’s our message in our organization, at the board level, senior leadership level, every level. It’s everyone’s responsibility. Training, training, training, and awareness. And don’t be afraid, ‘if I clicked on something, tell somebody.’ ‘See something, Say something,’ It, applies in technology as well. Patching, everyone, patch, patch, patch, those are simple things to do, that, low hanging fruit.
Passwords. And you get the wrong philosophy of password lists versus, cryptic passwords, phrases. I mean just have policies in place first. And then communication. Leadership buy-in. Don’t be afraid to speak up. Say something with senior leadership with your cabinet. They need to understand, because we’re in this together, and because they help drive some of this policy. They can help drive that change. Here’s why we’re doing it. In K-12, my role is risk awareness, risk mitigation.
There are certain things that I don’t believe we should do, in a security role, And our security function, or policy, because it’s not best for kids. And that’s a risk we take as an organization.
Because end of the day, we’re here to educate kids. And so, there’s mechanisms we won’t put in place because it’s not best for kids. But you have to be OK with that. But, leadership needs to understand what that risk looks. And don’t be afraid to say what it is. Because today, we all have to.
So, that’s just some low-hanging stuff.
I would add, to that, too, I think people can be intimidated by cybersecurity, and feeling like they have to be a cybersecurity expert. I like to share, you need everybody to be cyber aware.
And not cyber experts, Troy said it well, know who to ask. This doesn’t feel, this doesn’t look, right, ‘who do I ask?’ That’s cyber aware, you don’t need to know how to solve the problem. But cyber awareness for staff and students, I think, is very important.
I think another thing that can be done fairly straightforward wise is adding multifactor authentication at, say, the district levels, and on district systems. It’s a little harder to probably rollout across the school district of 35,000 students and all, but, if you tackle it as a small component, and just look at those business systems, I think that’s a big win.
Yeah. I’ll add one more low hanging fruit that we do. We have a very stringent onboarding process for software.
And in that is an entire technical requirements section that we vet from integrations to standards, to where’s the data can live? Destruction of the data, and then we even had the cybersecurity pieces of do you have insurance, and we had a breach, what, what models do you follow? We’re asking our vendors the same exact questions that we want to ask ourselves.
Yeah, that’s great. When you say vendors, who do you mean there?
So any kind of vendor, fiscal vendor or vendors. Fortunately, a couple of years ago, Texas passed legislation which required having a cybersecurity coordinator, adopted cybersecurity policy, reporting a breach, and then we added cybersecurity awareness training.
And, so, we would hire contractors do the same training, because if you’re going to access the system, then let’s make sure they understand the basics of what to look for.
I mean, it’s actually back to awareness and training, but yeah, all parties involved If they’re going to either access the system or want any kind of information or data from us, here are the requirements.
Yeah, great, great. Let’s move from the low hanging fruit to kind of more longer-term plans that you have implemented, Troy, maybe, or something that you’ve seen, John: some of the steps districts might be thinking about for the next 12 months plus.
Sure, I’ll start with some of those. Backup backup, backup, backup, I’ve got a five tier strategy. I’ve got Air Gap Solutions. And our Colo and our DR site. I’ve got good old USB hard drives, the most critical. I’ve got a Cloud copy as well in multiple cloud providers, backups, everything, also, validating your backups, and the strategy. But, I mean, overall, you’ve got to start with a strategy and a roadmap. And your frameworks, where do you want to go on? The big, the big thing now your trust is how do you get to zero trust?
The best you can in K-12 because there’s certain things you’re not going to be able to do in K-12 with zero trust. Visibility, information, how to use that information.
Automation and process, what tool sets can you do and bring in to help automate and orchestrate those things, so you take the human factors out of it.
Pretend I’m, I’m sure you might agree with this, too. That it can feel overwhelming when you look at how to do all of this. But you have to begin by really identifying what are the most critical systems that you need to protect, and then focus on protecting those, and then expand out from there.
Clearly, backups of that most critical data and air gap, those are paramount to being able to recover quickly, should something happen.
So, I think, if somebody hasn’t started down this journey already, making sure that they start by understanding what is the most important thing to protect.
Yeah, and then I’ll add, incident response plans. You’ve got to tabletop exercise, incident response plan. You identify your source systems for your organization, and then, who owns those systems. And then you didn’t have conversations with those owners of, actually ‘what does that mean?’ And then how do you vet those? How do you make sure your privacy policies change with some of your providers. How do you stay on top of that? It’s a village. We’re all in this together.
There’s help out there, partners, or vendors, there’s vast resources information, and people to help you, ask for help.
We had a question set up around, your edtech provider and privacy policies. Lightspeed did an Edtech app record just recently that found that 91% of the applications students used changed their privacy policies at least once in the past school year.
So, why, why is monitoring privacy policies important?
Is that a part of your cybersecurity strategy, Troy?
Parents are more involved in what their kids are doing inside the school, from every facet. So, knowing what those updates look like because, there’s been some changes, even, say, Google where it’s gone from, 13 and up to now 18 up. And so are you use those applications? Have you made those adjustments? But, if you’re not paying attention, you are not watching these. And, so, some of these policies and changes might have happened, and now, you’re out of compliance, from a regulatory standpoint, from a legal standpoint. And, so, you’ve got to have that kind of visibility.
And, I think in the privacy world because the landscape is changing daily, states are passing privacy laws, internationally there’s new privacy laws.
We look at privacy policies that haven’t been updated in the last two years and throw a red flag. It’s, Whoa, they haven’t got an update here. What are they doing? Are they paying attention?
So, these updated policies are going to happen more frequently, because companies are trying to react to the changes in the laws and all.
I know, when I was a trustee, my IT staff was horribly overworked. They didn’t have the resources to go chase, and, and all of a sudden now, they’re going to have to keep up with privacy policies and the changing on a regular basis can be a little bit of an overwhelming thought and process.
But it’s a very quick assessment, kind of, brought to you, instead of having to keep on top of every one of your vendors, and then going through did it change? When did it change? What do I have to do?
Let me add one more thing to that, too. Is also, making sure the right people are involved in it, so with no Analytics CatchOn, our academic leadership teams have access to it. So they’re actually, they’re looking at the data. They’re looking at the usage, so that way they’ve got that visibility. And then we have our edtech team was involved as well, because they help onboard our software or figure out when we stop using software. So I said, it’s still back to that team effort. We’re not in silos, it’s not an IT function. It’s multi-function, multi-departments and just making sure, here’s how to use the data. And sit down and have the conversation. I meet with my peers, the exec directors, curriculum support, superintendent of technology, superintendent of academics, once a week to, we have dual team alignment between the two core functions of academics and technology. So it’s that partnership, that means everything.
Yeah. I was just looking at, there’s a question that came in here. So this is actually related to parents. Troy, you were talking about parents being such an important part of the Education community, especially after COVID, and all that we’ve all been through. One question from our audience, is, “do you involve parents in cybersecurity training? And, if so, how?”
Yeah, so, when we do back to school nights, and the back to school events or parent nights, whatever, it’s, we offer those kinds of training. And we, stick a lot of the, the external factors versus the internal things. And then I run our content filtering committee, which is made up of technology staff, administration, principals, teachers, community members, and parents, and we talk through a lot of our policies. Not just filtering, but just in general, around security of our kids in digital citizenship and usage twice a year. So that way, they’re involved in the conversation, because there are, there are advocates as well.
We run what’s called the scam of the week. I’m sure you’ve probably seen that. Where we’re actually paying attention to what’s happening in the world today, and what the bad actors are using. And we send that out to all of our employees, and we encourage them to send them out to their families, and friends, and everyone else.
Because it’s just the way to be informed of what’s happening, and what’s going on in the world.
So, I think, there’s opportunities there to engage the community, as well in a proactive kind of cybersecurity awareness without it being a heavy lift.
We do a quarterly newsletter, and it actually comes from our Chief of Police, Director of Safety Security, and myself. That way, we’re talking about the late in the quarter of, here’s the thing, Cybersecurity Awareness Month. So, we’ll have tidbits of, here are the holiday seasons. Here’s what to look for. We bucket all that together in this little newsletter that goes out to our entire community.
Yeah, that’s great.
A question also came in: “Does Spring Branch have MFA?”
Yeah. So, it’s a great question. So, I’ve been at Spring Branch for three years. I wanted to do MFA. The first year I started. But, I spent, for six months, just do a gap analysis. So, the way we do anything at Spring Branch from a change management perspective, is what we call New-November initiative.
So, in November, we’ll go in front of senior leadership, and say ‘here’s the new changes we want to roll out next school year’ that way we are getting their buy-in, their feedback, and concerns. And then if they approve it, in December we’ll have an administrator meeting where all administrators in district, are involved. And then we as each division, talk about what’s changing next year. So, I’ve fully gotten there. So, we’re actually rolling out MFA next year, school year, for all staff across the board. And so, that actually, in a couple weeks, I’ll go to senior leadership. They already know it’s coming. Because we all know cybersecurity insurance requires it now, all the mechanisms around there. And so, you’ve got to figure out what, what it means for you, what does it look like, what makes sense for your organization. Because, there’s different ways to approach it in different schools have done it differently.
It’s also perception, because a lot of people will say “I can’t do, and I don’t want a dual factor” on their site.
90% of people in this world have a smartphone; they’re already doing it. So, we have this misnomer and misperception about, oh, that’s too difficult. If you’re online banking, you’ve done it. But I think just making sure people are aware of actually what that is. You say, MFA, multi factor, just tell them what that actually means. Just in normal terms. Yeah, and it’s changing all the time now on anything we’re using, we’re doing with our bank accounts…
so, it’s not any different the expectation to do it for your school.
I like how Troy said that. Kind of help people make the connection.
I always like to teach people to be secure in their personal life and understand why that’s important to them, because I feel they show up to the office prepared to carry those same habits. And, you can’t hardly update your Hulu account nowadays without MFA, and you certainly can’t get into your banking account, and it doesn’t need to be a horribly complicated process. It just needs to be a process that’s put in place on the right systems and things, so that you just add that extra layer of security against someone accessing that critical data that you don’t want them to access.
Yeah, OK, another question, I’m moving us on from this, but you can jump back in time. OK, so, this is about layers of protection.
Is a firewall efficient enough protection? Or, do we need further protection?
Further, lots and lots of further. I mean, and this is actually, one, the roadmap: where do you go, and this is actually having tools that integrate, how do they work together. Because there’s more, there’s so many tools out there. The firewall is just the baseline. I mean, it does a lot. And especially next-gen firewalls, as long as you bundle those ended up purchasing the firewall and not just basics. But that’s just identity management.
How do you define identity? Privilege access management is out there, now, what mechanisms are in place, EDRs then the next thing everyone’s got to have user requirement. Endpoint Protection, authentication, visibility.
Vulnerabilities– are you aware of all your vulnerabilities? There’s tools out there that help you identify what’s actually there?
Patching– How do you patch on network, off network?
There’s so many mechanisms out there, but it’s back start with strategy roadmap first. Where do you want to go? How do you get there, then what’s out there, and what’s available. Next, great, partners and tools, that’s just one, backups as well. But, the firewall is just the beginning of things.
Layers is the key here. And, I believe it’s difficult to secure what you can’t see, and you might get lucky once in a while and stumble onto something and then figure out how to secure it. But, if you don’t know what’s running in your network, it’s really hard to secure it.
And I think that’s one of the things that CatchOn Analytics from Lightspeed addresses, is trying to bring that visibility, making those apps visible, helping folks even know what’s running in the network and what’s going on there.
And, being able to look at those security policies and privacy policies have a level of confidence if that matches what they need in the district. Lightspeed Filter adds a layer of protection as well, because it’s blocking the malware sites and other sites that students and staff might stumble into. And depending on how you have it set up and what you got it configured for. It could block command and control websites from actually being able to be communicated with should ransomware attacks there. So, I think every security person would tell you, it is about layers, and, again, I think, from the very large schools, to the very small schools, it’s really understanding which of those layers give them the biggest bang for their buck and, and which ones they can implement. And actually manage in their, in their environment to give them the best protection.
Yeah. And I’ll add to that, too, you gotta know all your assets.
And I mean, all your assets, and that’s just not just hardware, collect all your assets.
And you said, it’s layer upon layer, and then what, how do you minimize risk. Because it’s not if it’s when, and then back to, can I restore? Can I know? How quickly can I get back?
And so, I mean, all, those are factors, Yeah. You’ve got a layer everything, and, how you take, least privilege access. You’ve got to look at everything that’s out there. And then I said, you’ve got to apply to organizations and philosophies, but it’s got to start with leadership and those conversations. Because it’s still going to cost a lot of money.
Great. So, a couple more questions that are coming in, but there’s one that I wanted to just ask you to respond to this additional question.
It moves from how you protect yourself to, what happens if there is some type of an incident, and, sure, you mentioned incident response, but, from our research, the average downtime for a school network after a cyberattack is four days with an additional 30 days, on average, for total recovery.
So that’s a lot, and that’s an, and a lot of IT resources, time, and headaches. I’m sure.
I can just imagine, but, what should you do if you fall victim to a cyberattack, and what would be immediate steps you would take within the first 24 hours?
This goes back to the first incident response plan.
You’d have to make sure it actually works, and you can execute it. And if you’re not testing, you don’t know, because communication is going to be number one. What’s communicated external versus internal. There is a huge difference there, and then there’s tons of resources out there that are willing to help. State of Texas, they have a volunteer incident response team. You’ve got partnerships. You’ve got to know who those people are ahead of time. And then that plan, you should actually have all those documented. Because there are certain steps, and certain people that you want to call them immediately.
Don’t be afraid to ask, people are willing to jump in and help, we’re all in this together, I’ve been through a breach in my career, years ago. It’s resources and it’s health. Is it expensive? 100%. And you restore times and you know back to full functional depending on how bad it is. Back to, if you have layers and you have tools, in that plan, you can kind of know and set those expectations because the organization. Of the business needs and understand actually what that means. It’s not going to be normal as is, even if it happens and you restore. There’s never normal after, after this happens. There’s no normal in our world.
You’re not alone, and there are all these resources, Don’t think that you have to do everything on your own. I’m sorry, go ahead, John.
I think Troy’s right here, there are a lot of resources. CISA has the cybersecurity framework, which gives you a nice, kind of, layout of how to, how to go through this.
I think one of the keys is preparing upfront, at least, knowing who you’re going to call, what, what’s your insurance carriers’ number, and who do you call? What, what’s the FBI number, in case you need to get them in, and who’s your FBI contact. And all of that, in a spot, so that if you find yourself in the middle of a breach, you’re not chasing around trying to figure that out, you have it. And I think, the basic steps are going to be, once you realize you have a breach, you want to contain it, you want to mitigate it. You want to, do, you want to stop it from spreading. And once you’ve stopped it from spreading, it’s really then deciding what are the next steps, and what is the damage. And you know what, what does recovery look like.
And to Troy’s point, having thought through that ahead of time and having practiced it, kinda exercises those muscles. So when you’re in the midst of a breach, and Troy having gone through one, I’m sure you can tell us, this is a very stressful situation. You’re not sitting around, relaxed going through your incident response plan. I mean, if it’s out in the public, you hope it’s not. But if it’s gotten out in the public, everybody’s phone’s ringing non-stop. It is extremely high stress, and that’s not the time to try to be figuring out whose phone number you’ve got to call.
So, taking a little bit of time and, and start small. Start with an incident response plan. That has 2 or 3 things on it, and then iterate on it, and iterate on it, and iterate on it. And get better at it in time as you practice through it. It is really important.
I’ve found, even in my own journey through this.
Sometimes when you’re staring at a blank sheet of paper, and you’re thinking, I’ve got to create an incident response plan, feel overwhelming, because if you searched the internet, there’s 40 page incident response plans. But, I think start small. Use some of the resources there, Troy said, and really, lean on your colleagues and ask them for advice and suggestions.
And the great thing about K-12 education, everybody loves to share, and it’s a wonderful place to be.
Yeah, ask your neighbor district, for example, work together on those policies, on that plan, do the exercises together, that way you’ve got that bond and you kind of have a good understanding of each other’s environments, we’re all here for the same reason, the kids. Exactly.
OK, so another question came in for you, Troy, and it’s about apps that aren’t submitted to IT for review.
So I guess this would be educational apps or potentially administrative apps that maybe you end up in this system? We call them rogue apps sometimes, what do you do?
Well, for the best part, with CatchOn, Lightspeed Analytics, for us, the whole shadow IT, the rogue apps. Now, we have visibility to them. So, our policy, if they’ve not been vetted through our approval process, we actually now block them. But, that’s a lot of conversation with leadership first. And alignment with academics. Because, maybe you might discover an app that’s actually really good, it’s not approved. Alright, let’s go get it approved because actually we do need to use it, because there’s value to it. That aspect of communication and the alignment between academics and technology. But, we take a block approach to protect the organization, for lots of reasons. Not, and not just from a cyber perspective, it’s governance, policy, privacy, data concerns. But, you’ve got to have the leadership support, to be able to do that first.
Yeah, that’s actually a really good point about leadership support and lots of conversations to get to that point, but having the visibility of all of the apps and tools that are used across the district is probably step one, if you don’t have it.
How do you get that?
Yep, yep, got to have the visibility first. And then you can have the conversation. Or have the conversations of, we’ve added the visibility, here are the reasons why we need this visibility. And, I said, there’s a cost perspective to this.
From the funding standpoint, duplication of adaptation, concerns around privacy, governance, then cyber, those are your start conversation starters.
If you start that direction and then go figure out, How do you solve I didn’t know. How do you identify? What do I need to do to be able to discover those things?
I’m going to just say to the audience, we try and only take about 45 minutes of your time through these webinars, so we want you to get your questions answered. And if there’s any topics that we haven’t covered that are burning and you really would some insider resources, please type those in now.
We’ve been answering questions throughout, so now, hopefully, we’re getting to some of these.
There was one, Troy, that also came a bit earlier.
And this was probably pertinent to prior answer you had, but it was around, how often do you rotate or flip your tickets, KGBT?
So it’s a great question but I won’t answer it publicly.
If they want to reach out directly, we can talk through some of the policies and things we do internally.
That’s a big deal, but yeah. There are certain things that I won’t say publicly.
Great. That’s a wise move.
Yeah, just I don’t do QR codes at conferences.
I know we’ve talked about this in a couple of different ways, but one or the other, one of the other questions that we had was around, we’ve talked about technical solutions, but, and we’ve actually covered some of this.
But, are there any other protections districts can implement to keep their systems safe, and maybe it is about not sharing some things publicly?
Yeah. I mean, say, internally. We definitely should be sharing.
Yeah. Because, I mean, back to, we should be sharing with our neighboring school districts what we’re doing. Because we’re in the same fight, and we can learn from each other. So there’s that part of it. I mean, it’s back to, what’s your roadmap? Where do you want to go. Because, zero trust is our next thing. And how do we get there?
We have some tools in place for us. It’s vulnerability, how we’re patching our systems, we’re diligent, but we’ve got to identify we’ve gotten internal tools and help identify all the vulnerabilities. And then back to what John mentioned, Cyber Hygiene has got free services, we get their weekly report of our external IP scans, we do their NDBR. So, it’s open block, watch system requests, even though we have our internal tools assistant; back the layers.
So, there’s first free resources, you know, there’s so many tools out there, it’s just, what’s your priority? Low hanging fruit versus the complex technical things and the path to get there. You’ve got to start with those. Because otherwise, you might try to solve one problem, and cause another problem.
I think, too, it’s, uh, several states actually have requirements. Districts have to publish all of their vendors in their apps, on their websites. Which is a goldmine for the bad actors. Because they know exactly what you’re using, and that’s a tough place to, I understand why the laws are what they are. We certainly want to give our parents that visibility.
So sharing as much information as you need to share, to stay compliant with the law and all, But also understanding what information you could potentially put there that can be very harmful in the hands of the wrong people and then crafting that message on that website.
So it informs the community in a way they need to be informed, but doesn’t give away more information than you need to give away.
One more thing real quick, around, and it’s not a tool, it’s people. Invest in your people training, bringing everyone to the table, everyone’s involved.
Get students involved there, the kids that pique interest, kids think different than us.
Internship programs, take advantage of their brainpower. Because they say, definitely that we do as adults, use them to your advantage. Create this, this pipeline of internal talent. Give them their next, you, know, opportunity kind of thing, give people a chance to learn, and what I always tell my team, my job is to enable, empower, and get out of the way.
I love it.
Yeah. That’s a great. I’m going to ask each of you for, one of your favorite resources. From a cybersecurity perspective. It could be a conference that you attend. It could be a site, framework, that you recommend the audience go check out.
I mean, I spend most of my night and weekends reading LinkedIn articles because, vast network of resources out there.
I mean, just reading and listening, there’s tons of subscriptions. MS-ISAC. You’ve got to subscribe to those, that’s easy material, reference stuff, conferences, we’re going to that next year as a group.
There’s some, things about that part, but it’s also what local? Host your own event. Partner with the schools and internal learning opportunities, but I don’t have a top favorite, I’m just, any resource, or information that’s out there, I can find and read. I spend a lot of my time.
I think, a great choice, LinkedIn, is that fabulous resource. It’s a, it’s easy to join the cybersecurity groups, that best line up with what you want, and then they push information to you, and you can get that on a regular basis, and then use that to go elsewhere. I think, if someone is starting out on their journey, probably my favorite resource is CISA and the Cybersecurity and Privacy Frameworks.
Because this is a large community that’s come together and tried to put a plan, that almost any organization can follow, and it kind of lays out that roadmap on where to start and how to go through it. So, for anybody that’s new, I highly recommend checking out CISA. They also do a great job of keeping updated vulnerabilities and patching.
Great. Thank you. Those were good. Those are good resources. And Troy has there you might need to relisten to this. But it’s a final question, and I will say, if there’s any final questions, just type them in. But thank you, for those of you who have asked a number of questions, today. It’s been great.
But do you have any predictions around trends, on cybersecurity for education?
Anything that you see coming in the future in the next few years, or things that you’ve heard about starting to think about.
The cybersecurity act Biden just passed recently at the federal level. And, it makes the State level, Then they’ll make the school district level.
You know these things are coming, of course, by the time they get to us it’s way outdated, but, I mean, the whole privacy stuff, states are passionate. The whole GDPR, it’s coming, so how do you get ahead of it? You got to look at those things, those are trends that are coming.
And it’s privacy, privacy, privacy. That’s always an evolving target. But, I said. And then what’s your state doing? Because you don’t know what the State is doing. So, you got to follow up with them, and have those interactions. But, the whole GDPR relevant to the US, it’s on its way.
And then, the mandatory, tool of all that part, It depends on what organization and entity at the government level involved. How bad it goes.
So, don’t wait on them to do things, you just got to innovate yourself what’s best for your district.
Yeah, great. John, anything last, any last thing to add there?
For folks to think about security here, the one thing I’d like to leave folks thinking about is we have this image of the black hoodie, can’t really see the face, sitting behind a computer hacking away. And while that’s a good image and prints up really nicely on a t-shirt, the reality today is cyber criminals have organized themselves very efficiently. And they have a level one support that tries to get the resources, and then they escalate it to a level two, who has more skills to get to the next level. And then they escalate to a level three, who really knows how to get and break into things.
So, I think the key here is for people to realize that cyberattacks on schools are probably on the increase over the next few years at an exponential rate just because they’re valuable targets and what they’ve done is they have really organized themselves to take advantage.
All right, so, so keep working, keep working towards a better cybersecurity profile.
OK, well, we’re going to end there, Troy and John, thank you so much for your time today, we appreciate it. And to the audience members, thank you for joining us.
We at Lightspeed Systems do have ways that you can help, that we can help you in this journey, and we’d love for you to take the survey that will pop up afterwards. You’ll also get a recording of this, so you can share this with others in your teams if you found this valuable. And also, I would say please feel free to download our cybersecurity guide. It’s a really good walkthrough of the different layers of defense and things to be looking at. But, again, thank you for your time, and have a great, great day.
Hi, good morning, everyone, Good afternoon, or good evening, depending on where you are. Thank you for joining us today for our webinar.
We’re excited to have an expert panel to discuss student data privacy, and how you can prepare your district and set yourself up for success this year.
I would like to start by introducing myself. I’m Vice President of Product Marketing at Lightspeed Systems.
We are dedicated to providing solutions to districts across the US and globally that provide safe, secure, and equitable education.
Today, I’m joined by three distinguished panelists, Kevin Lewis, the Data Privacy Officer at 1EdTech Consortium, Jim Siegl, senior technologist at the Future of Privacy Forum and Jim Farmer, the CTO at Fayette County Schools in Georgia. So thank you all three for joining us.
I want to just remind our audience that we will be taking a Q&A session towards the end of our discussion.
And so, we are interested in your feedback, your questions, and observations based on the work that you’re doing in the field.
Please add those into the question box throughout the session, so that we can make sure that we can add those into the discussion.
Again. Thank you so much for joining us today.
We will be sharing the presentation as a resource and some resources throughout the presentation for your benefit. OK, great, so I’d like to start today with allowing our panelists to introduce themselves a little bit about their background and the work that they’ve been doing in education. So let’s start with Kevin. Kevin, please take a minute to introduce yourself.
Absolutely. Thank you. Hi. My name is Kevin Lewis. I am the Data Privacy Officer at … checked.
My previous role kind of got my mission started on the privacy work that I do now with the Houston Independent School District, where I headed their student data privacy initiatives there.
I work with both schools and suppliers to promote transparency and communication with their privacy policies, assist schools in knowing the right questions to ask the weight of those questions, and then assisting suppliers in keeping them updated on the Internet Information that they need to sort of better create a policy and a culture of privacy within their organization that puts that shows their best foot forward for schools. And so, for both schools and suppliers to work together, I’m sort of that middleman to assist in that communication in that collaboration often spreads.
Great, Kevin, thank you so much for joining us today.
Next, Jim Farmer, can you please introduce yourself?
Thank you very much, Klaire. It’s great to be here with you and all our guests. My name is Jim Farmer, I’m the Chief Technology Officer in Fayette County Schools. Which is just south of Atlanta in Georgia.
I’m going on my sixth year there as a CTO. Previous to that, I started my career in Broward County, Florida as a teacher and a Technology Specialist, from teaching elementary to working at the district level. And then moved to Georgia in 2004 and worked in South Georgia.
And also at Okefenokee RESA, doing a little bit of consulting, training and, you know, a little bit of everything when it comes to technology and supporting the schools in that region.
And as I said, I’ve been in Fayette County now for going on six years. Great to be with you guys.
Thank you, Jim. And now I’d like you to introduce yourself, Jim Siegl. Thank you for joining us today.
Great. Thank you and it’s great to be able to talk about this important topic.
So, I am a senior technologist at the Future of Privacy Forum on the youth and education team. We’re a privacy think tank. But before that, I was the technology architect for 19 years for Fairfax County Public Schools. So I’ve spent a lot of time sitting at that intersection of policy and technology, and I had the chance to work on a lot of the initiatives that we’re gonna be talking about today, CoSN’s Privacy Toolkit, Common Sense Media Privacy Ratings and the Student Data Privacy.
So again, these are three big hitters in this area of how to manage student data privacy, what you need to know about regulations today, working with vendors, and ensuring that your district is in a good place. So, again, please make sure that you ask any questions, this is a great time, and you have some great experts here, to provide the information that you may be looking for. OK, so we’re gonna start off with a little bit of an icebreaker kind of question.
Um, really, it’s around, Like, what are some data points or stories that you, as panelists have heard recently that really made you stand up and think more closely about what are we doing around student data privacy.
I have one here on the screen that we recently have seen coming out of CISA, the Cybersecurity, I’m sorry, Cybersecurity and Infrastructure Security Agency.
And this number is pretty astounding, that between 2018 and 2021, the number of cyber incidents in schools and districts has risen from 400 to over 1300.
So a big data point there. Kevin, what are some things, or what is the data point that you’ve heard recently or talked to districts or vendors about, that made you stand up and take notice?
So the biggest thing that I can say I’ve heard and am currently experiencing
is there’s just the sheer number of applications that are being requested for vetting from the schools and the types of requirements that are being asked of suppliers there. So being that sort of that middleman when I’m talking to suppliers.
They understand like the types of ask the questions that they’re getting, but it’s sort of frustrating to them because there are so many, and for schools, when we talk about sort of the cybersecurity, the different incidences and, uh, the opportunity for incidents and just allowing hundred thousands and thousands of applications into there.
Districts vetting anything and everything, and not keeping those sort of short set of vetted or trusted applications. It’s been the hardest thing.
So for schools, they’re requesting reviews and a lot of applications, not realizing that, you know, you’re opening the opportunity for more and more incidents. And so we try to get ahead of it by vetting and reviewing, hoping to keep them safe and secure as possible.
But at the same time, we’re sort of opening the floodgates and letting all of those different resources and, you know, no matter how well they are vetted, you know, security is, is a whole new sort of master there. If someone wants to do something, they can, they can find a way to do it. And so, it’s, it’s between a rock and a hard place, you know, vetting, seeing all of the requests coming in, knowing that a school is using way too many digital resources, or applications that the teachers are requesting. However, they’re getting those requests and then, you know, just being able to go ahead and get those requests done knowing that, it’s probably a little too much, I would say.
OK, so just the sheer number of applications and digital tools that districts are currently using is kind of a stand-up moment from what you’re saying. Kevin, what about you, Jim?
Jim FERS: Oh, I forgot I have to. I will start with him or her.
Well, I think I would um, I echo a little bit of what Kevin said when we did an internal audit just for a snapshot of one week. We had over 4500 applications being used in our district.
So that number was a little, you know, shocking and frightening.
Obviously, the security and privacy side, knowing that we had those many things that were being used.
It doesn’t necessarily mean that they all had student data in them, but just that number was just so overwhelming.
That’s one thing that kind of sticks out to me.
The other thing I often reference is, I think it was going on two years ago now, but when it comes to cybersecurity, which this quote, you know, kind of, references here, and the … stuff is excellent as a resource, and reference and guide.
FireEye was a cyber consulting agency and they had probably one of the premier reputations, you know, for cyber consulting and they got breached.
And that always stuck with me because if a premier, top tier cyber agency could be breached, where does that put our K-12 systems?
And it was, you know, another point.
You know, how we are woefully in need of assistance, and guidance, and any kind of help we can get, because it is such an important topic, and if a premier agency can be breached, where does that put us?
Thank you. Jim Siegl. Let’s wrap this up on this.
So I’m going to take the opportunity to kind of put us a little bit different spin on this, and think about a past story, and then look ahead to a future story that is keeping me up.
So when we look back at the last year and something like the Supreme Court’s Dobbs decision around reproductive rights, and what keeps me up is thinking about the intersection of student privacy laws.
When most of our schools are running content filters that are capturing and logging students’ searches and Internet traffic, and thinking about the potential, that is very likely that sometime this, you know, in the next year you might see a school have their search records or their content filters subpoenaed. So being, what does that mean as practitioners, as technologists, as privacy professionals? Should we be thinking about how we’re logging that information, how we’re deleting that information, how we’re flagging that information, and categorizing it? So I kinda think about recent events,
and then look ahead to what, how that should inform us about future stories and practices, the data retention practices, and potentially how the government may be getting involved. Interesting.
OK, great. So we’re going to move ahead to our first discussion point, which is what is different today about the need to secure student and district’s data?
It’s always been an issue, but I guess the question that we’re posing here is, more and more of our district leaders are talking about it. More and more regulators are having this discussion. So, why is it different today?
Let’s start with you, Jim Siegl. Sure, in my, in my previous role, I spent a lot of time thinking about risk and we’re talking about risk in terms of probability and impact. So, I think there’s four things.
The volume, the volume of ed tech apps, and Kevin and Jim talked about that in the intro in.
Increase in apps, and just the proliferation of 1-to-1 devices after the attendant, the increase in parental awareness during the pandemic parents were, had a front row seat of what apps were being used at home.
The volume of threats, and we talked about security in the ransomware, and the volume of compliance requirements, and we’ll talk about a little bit later about the increase in the number of state level laws that are putting new compliance requirements around student privacy. So I think all of that has just really raised the volume and the level.
Those are great. Those are great points from the the SQL, I mean, the increase in device usage across districts going from kind of not 1 to 1 to now scaling, to 1 to 1 or 2 to 1 in some districts.
And then the volume of ed tech tools, and just digital learning, that’s happening in the classroom and outside of the classroom.
Kevin, let’s go to you on that.
Why do you think today we need to be focused more than ever on this issue?
Kevin, I think you’re muted.
Had to happen, right?
On the head with that one job, because it’s really the difference today versus in the past, is, schools are now more schools now, more than, in previous years, have gone 1-to-1. There are more devices in the hands of students taking them home, or have a device available for them every day in the classroom, with more devices, comes more digital resources, more tools. More applications that are on the district network is just an abundance, an overwhelming abundance of applications. And now, you know, everyone in education is familiar with the term Wild Wild West. And now getting all of those things back, you know, sort of wrangling all of those in and making sure that, OK, hey, you know, we need to start thinking about privacy, we need to see about all of these resources. And so, it’s really like, you know, we just said, and I’ll just keep beating this horse here. It’s the abundance of resources, the availability of devices.
Great. And Jim Farmer, as a current CTO, how do you feel about this topic?
Yeah. So, I think it is a combination for sure.
Dramatic increase in usage with districts going to 1-to-1 with having to go virtual for an extended amount of time.
Opened the floodgates for a lot more apps to be used and teachers to rely on that because they had to, so, that’s part of it.
I think, you know, there’s also to Jim’s point earlier that the volume of parent involvement and parent awareness also increased, so now there’s that aspect of, well, what is being used, why’s it being used?
And that transparency piece is changing the landscape, along with, of course.
There’s, there’s been a great awareness about the security risk and privacy concerns that we should have, because of all the news about breaches, and ransomware, and all that kind of stuff.
So there is a push from the regulatory side as well, for transparency and accountability.
So those are the things that the pressures on us and K-12 districts has increased over, I would say, the last five years dramatically.
Yeah, and actually, now, we did ask some poll questions as we started this session. And so I wanted to see if we could share those poll questions now to see how you feel like you’re prepared.
Let me open the poll.
I just seem to have lost one second.
OK, wait, I’m going to have to go back and grab those later. So let’s move on to our next question, and then we’ll take a pulse of the audience.
Oops, Excuse me.
Sorry about that. I’m having some technical difficulties here.
Just want to make sure, can you see my presentation mode?
Are you back or we’re back on Jim, Can one of you. let me know here?
Yeah, it’s on your Preview Mode OK, great, so let’s see here.
There you go, there we go, OK. Thank you.
So we’re going to talk quickly about the regulatory environment and I think Jim Siegl, you are obviously an expert in this area.
And, you know, recently, I know that we’ve had a number of, you know, some state regulations coming across. But I’d love to hear from this group, particularly you, Jim, what you’re seeing here, and what should some of our district leaders know or be paying attention to.
Thank you. And this is an area where there’s been a lot of activity and many of us are familiar at the federal level, with, with FERPA, which was passed in 1974, and has been updated a number of times. But a lot of the activity, in the last eight years has been at the state level where since 2014, more than 120 laws have been passed. It’s something that we keep track of. Right now, we’re in the middle of the state’s legislation sessions, and we’re actively tracking student privacy and even more child privacy bills.
But I just wanted to mention, because really, a lot of these come into play in what my colleagues will talk about, when you think about seeing this in terms of service.
But really, what we’re seeing in state laws in terms of good practices that some state laws have. And this is not all of them, and not all of them have this, but they typically have a prohibition on targeted advertising.
Some kind of requirement for privacy training to employees, and that could be vendor employees or district employees, depending on the law, or requirements for some kind of, privacy and data security plan.
Or requirements to publish a list of approved apps. So, transparency, training, all of those things are important.
Some type of requirement for data breach response.
And very few states. But designating a data protection officer or privacy officers, that last principle. Having someone in charge so training, transparency, targeted advertising, and someone in charge.
Jim, to how easy is that. If we, if we think about, actually, I’m interested in like Jim and Jim and Kevin’s feedback on this.
But how easy is that for most districts to kind of, like, meet those different, um, specific needs or requests that we’re seeing come across the regulation.
I would say from, from my perspective, for many of the districts, and I can speak to, you know, some of the ones that I’ve been involved in and now work at a, you know, district with 20,000 students.
One of the challenges is a capacity issue. You know, lack of personnel, the experts. So we have to rely on partners.
We have to rely on consortiums to educate ourselves and to bring awareness up in our districts.
But it’s, it’s also very overwhelming, because every legislative session, there’s a priority, And the last couple of years, it’s been, you know, as Jim mentioned, the transparency piece. I think it’s really important that he mentioned the data breach response has definitely taken an uptick in the last couple of years.
I know for a fact that, you know, for those of us in who used to get cyber insurance, very easily, it was a checkbox when you got the application, Do you want it? Yes. And you got it.
The last two years, it’s gone from seven questions to now, I think about 20 questions that we have to answer in great detail, and again, that goes to the expertise and the capacity issue.
We’re being asked to do all these things without having for example, I don’t know very many districts that have a CSO.
It’s a, it’s a high level position for security, that, obviously, a lot of companies have, but not very many school districts can afford that, or have that capacity.
So, it’s a fine line between trying to raise awareness and education in your departments, in your district, and getting everyone up, you know, raising the floor for everybody, with the limited resources.
Yeah, that’s great.
And actually, Jim, I think we’re going to talk a little bit more around, um, who can be involved in making sure that that responsibility is shared across the district a little bit later. But, Kevin, I’m interested in your perspective, from a vendor, from all the vendors that you’re working with right now.
What are, like, how do they fit into this regulatory equation, and how are they thinking about it as they are kind of working with and partnering with districts? Obviously, for them, it’s very important, too.
For a lot of the suppliers that we speak with, it is very difficult.
As great as, a lot of these regulations are the well established, as well as the ones that are just being sort of sent to either Congress or through the local legislation.
They struggle with keeping, you know, keeping up with all of the different regulations.
And one of the biggest things I see that I’ve heard from suppliers is that it’s sort of, it hurts them in a lot of ways it stifles innovation.
They’re not able to quickly innovate and produce new technologies and new applications, and to present to schools, because of the different regulations.
For a lot of those smaller suppliers, a lot of these regulations keep them sort of segmented in
maybe just one space, like K-12, but can’t move into higher ed, because things are a little more difficult in that space, and they’re only in the K-12 space because of the different regulations.
And so, I hear from suppliers a lot. But one thing that I think that IT leaders shouldn’t know about the regulatory environment is, you know, who? Who’s writing the laws? Who’s presenting the laws?
What’s being done around, you know, Who are they getting their information from?
Because I think when they’re creating these different regulations, divorce leads, they need the voice of the people who it’s meant to serve.
And, and, and I’m not sure, I haven’t seen, and maybe I just haven’t looked around enough, I haven’t seen a coalition, or sort of group, or task force, educational leaders that are sort of sharing their perspective.
And sharing their sort of everyday interactions with these different types of applications after working with, and how hard it is to get a supplier to sign a data sharing agreement. Based off of the different regulations. And you’ll see a lot of suppliers start to push back, because they feel like they’re doing enough. They feel like they meet the regulation of the California law, for example. And now they’re somewhere, you know, looking at the laws in Texas, and they don’t feel it’s, they feel that they’re strong enough in one area.
And so they’ll push back on the school, ask them to sort of change what they’ve already done, and what they’re currently doing.
And so, I do see a lot of pushback in schools reach out, ask, Hey, how can we get this organization to sign a data sharing agreement? Then I talk to that same organization, and they’re kinda just spent there.
Like they’ve done so much, and they can’t really sort of shift any more than what they’ve already done.
So it’s, it’s a very sticky situation for a lot of our suppliers who want to do the right thing, but feel like it’s an ever changing, and always moving, movable goalpost for them.
Do you have thoughts, Jim Siegl? Just because we are going to talk about some resources later, but how can actually like for any of you how can kind of educators that are on the frontlines using these tools need these tools to improve learning?
How can they be a part of the conversation, as opposed to just like, like, receiving the information, You know, how can, how can are, there specific, you know, state groups, or what do you recommend?
So that district from the educator and classroom educator, or kind of district leaders are involved in, and better crafting guidelines.
Couple of thoughts on that one, and I think we’re really focused on two, on the, the unfunded mandate, and the unintended consequences, which are the two things that we see a lot, and this.
So, school leaders and educators can work with local associations, like the Consortium for School Networking, CoSN, which has an annual day, I believe, it’s typically in April, where they, as part of their conference, they send people up to up to the Hill in DC to talk to policymakers. Individually in states, many of the ISTE chapters, or the CoSN chapters are good places. I was just talking with a group in Massachusetts that was very interested. As Massachusetts is one of the states, the seven states that don’t have a recent student privacy law.
And I think the unintended consequence, unintended consequences, are as equally important as the unfunded. You know, one example that I think of a lot that would have really benefited from a legislator having talked to any educator would be New York’s recent biometric ban, where they ban the use or purchase of any device that was capable of capturing a biometric.
So with an audience of technologists, you can imagine that would include almost any kind of computing device from a Windows device, to an iPad two, to a Mac. So hearing the voice of people that are actually going to be impacted by the technology.
Anything additional that, Jim, I know you’re an active CoSN member and is this a topic that you’re talking about?
Absolutely. I think I would, I would mention to …
for sure has seen great awareness packets and toolkits and frameworks that they have that they provide up.
You know I’m heavily involved in the Georgia chapter of CoSN and so we are actively working to expand the organization and to expand the membership,
because of the great resources that are there.
But I’d also say, we’re very fortunate in Georgia to have an affiliate membership for every single district for 1EdTech.
So 1EdTech has some great resources that can help with awareness of that around this issue.
So, for example, one of the things we’ve done is, we’ve looked at Apps and vetting of apps, is that the dashboard that Kevin has worked so hard on in the last few years, is turning that into an education and awareness opportunity for our teachers to see.
There is an extensive amount of work that goes into, when we are vetting an app, and helping them to see the rubric has been very helpful, and getting them, to buy in, and understand that, Oh, no, I get it.
It’s because of we’re concerned about what they’re doing with our kids information, the advertising that they may or may not be doing.
And the security of that information is extremely important.
So when they see the rubric and the tiles, the best way, I can describe it. They look like Trivial Pursuit tiles. And there’s no greens, and reds and yellows. It helps them to understand the extent of the work that goes into it.
Because each of those four areas are, you know, within them have about 20 questions each. So there’s a lot of work that goes into it, and it has helped us raising awareness and getting buy in.
Great, and actually that’s, do you mind if I jump, because our next, or Kevin, did you have a comment on that?
Sorry, are Michiko, thank you!
OK, oh, I was going to say, because our next discussion point is just around, um, whose responsibility is data privacy a shared responsibility? Who at the district needs to be involved?
And, I think that maybe is a good segue, Jim, because you’re talking about kind of educating, not just the technologists and the IT leaders about, um, vetting apps or kind of understanding like a nuance of like, how is the data being used?
So, kind of, let’s expand on that a little bit about how to, who needs it, who else is involved in this, security data, privacy problem?
Yeah, this is a, you know, a topic that we’ve taken a tack of doing it through a data governance approach.
Some of my peers have done it through a cybersecurity approach. Some of my peers have done it through, you know, a privacy, and security approach.
So, there’s different ways that you can approach this, But, for us, with, my team, in our district, we felt like, um, creating a data governance council, that was representative of the district.
So, we have district leadership, school level leadership, and departments across the district that are represented.
And, I said, you know, earlier, we have about 20,000 students. So, our data Governance council is made up of about 25 people.
And, it covers, you know, the whole gamut of the district, down to the school, leadership, and even a couple of teachers on board, as well.
So, we have approached that.
Concentrating it first on awareness, and education and explaining, you know, what is data governance, because if you asked the 25 people in that room, you’re gonna get, you know, 25 different answers. So the first, and this was a very long process but about the who needs to be involved. Our perspective was that this could not be a technology initiative.
This had to be a Fayette County Initiative and therefore we had to raise the level of everyone at the table so that they could go back and work with their departments and disseminate the information and education and awareness that we’re doing.
Because we are tackling things like vetting of apps, password policies, security procedures, data cataloging.
All of the different, broad, range of areas that, you know, you would think about when it comes to data, and privacy, and securing, and storing and sharing in an appropriate way.
So, just about anybody in your district is going to have access to, or be able to have access to information, or student data.
And so, it can’t just be a technology initiative, it has to be done as a team, and it has to be taken on as probably, you know, one of the most important things, obviously, Beyond our teaching and learning environment, that’s our priority.
It’s, it’s right up there as an important lever that we have to, to take care of.
That’s great, and I, and I want to kind of like zoom in a little bit on two levels.
One is, you had, you had shared an example with me about like the educators at your, at your district and how you helped kind of enable them to be part of that vetting of apps and tools, as they are kind of potentially at a state or regional, you know, EdTech conference. Or, can you share a little bit about some of the work that you did there?
Because they are such a big part of being able to, you know, judge an app, and how does it work academically? And then, but also, like, be a part of that solution? From a data privacy perspective.
I think there’s a couple of things that, you know, and this is obviously still a work in progress. But we’ve been working on this, I would say, for over three years.
So it hasn’t been something that we just, you know, turnkey and it happens overnight.
It’s, there’s a lot of conversations, there’s a lot of laying the groundwork to build upon it.
And so, one of the things we’ve done, we’re fortunate to have a digital learning team
that is fantastic, made up of master teachers that get up into our schools, and before our big Georgia Technology Conference, we share a rubric with our staff.
When they go to the conference, they usually find all these wonderful new apps they want to come back and use.
So we’ve given out a rubric that they can then kind of, you know, kinda pre-vet these apps and determine, is this something that’s going to fit and work?
As opposed to just coming back and downloading and using the 5 or 10 new things they just saw over the last few days at a conference, and that has helped with awareness and education.
The other part of it, too, is our app vetting process.
We included leadership from the school levels to be a part of building the process.
So we had administrators and educators on that group to set up the workflow.
No, I want an app, OK, how does that work?
What does what, what process do I need to go through?
And so including those, those teams on the front end of building the process, has really helped us to sell it and to get buy in from everybody else, because it was their peers that helped create it. So, those two things have been really helpful for us. But, again, we’re still learning and we’re still growing in this, in this area.
And a lot of that comes from, you know, networking with, like, our friends at 1EdTech and CoSN.
And we’re very fortunate in Georgia to have really good collaboration between technology leaders that has been very beneficial.
Great, thank you. Jim Siegl, I was gonna, I was wondering if you could share your mnemonic, IT PASSES, and explain that to us.
Yeah, so to kind of tag on to Jim’s points, this is not an IT-only process of app vetting. So rubrics are tools.
The tools that Kevin’s organization provides are wonderful tools, but just a communication tool, and getting buy in across a large group of people that have kind of very different interests and sometimes competing interests. This is not, the bringing on and approving an EdTech app isn’t just a privacy thing. So I would use a communication tool.
I had a mnemonic around app vetting that is just the mnemonic IT PASSES, kind of something that resonates a lot in education. And the mnemonic stands for some of the key things that I would look at.
And my colleagues would look at when we would vet an app and it stands for Interoperability, Training, Privacy, Accessibility, Security, Safety, Effectiveness, and Sustainability. So being able to do more than just pilot it. So, when I think about that, those are all of the conversations that we would have as a district, and as educators and technologists. So it was a very inclusive way of bringing people into the conversation to talk about this, is more than just a privacy checklist, or a privacy gateway.
It was, how are we bringing this particular education tool into the district to support student learning, and make it sustainable, and private, and secure, and a lot of these things, the interoperability, the privacy, security are things that, I know Kevin may be able to talk about, in terms of the tools that he provides.
Kevin, do you want to jump in there to talk a little bit about this or remove obsolete.
Yeah, absolutely. So just real quick, I liked how Jim mentioned the data governance team.
I wish at the time when I was at the district, we have something like that.
I think data privacy, the responsibility is shared by everyone in the district who handles student data in any form or fashion, and everyone needs to be involved.
Because, for, for me, starting out, with, with the privacy at the district, it was, it was almost like running a campaign.
It was grassroots, knocking on doors, it was first researching and finding out what departments are in the district and realizing, wow, there are hundreds of departments I never knew existed, then getting to introduce yourself to that department, hearing what they do, and then really promoting your campaign. It’s promoting what, who you are, what you’re doing. And trying to convince them that your priorities should be on their list of priorities as well. And so, it took, and that’s a ton, a ton of time.
And so, that’s all, I would say, for, as a shared responsibility, IT curriculum, and a ton of different departments. I can’t even remember, need to be involved in that process. Feel just dealing with student data and handling that data in a responsible way.
That’s great. OK, so we talked a little bit, we’re gonna move on, some of the resources, we already talked about, obviously, and we have some of the experts, here, are some of the organizations want to tag the student data privacy? Or? Our data privacy forum, and then the student Data Privacy Consortium.
What other other resources that you would say that might make it easier if you’re kind of sitting there thinking, I’m not sure where to start?
We also have a list here. Later, I think these, I’m gonna, I’m actually gonna jump to the next one in the interest of time, because I’m going to combine these two. One is just like resources and ed organizations. We’ve talked about a couple, but is there anything else that the group here wants to mention?
Maybe we haven’t talked about.
We’ve listed a lot of these, CoSN and a number of others.
One that I do want to mention, just because it’s a phenomenal resource that’s available from the Department of Education, the, the, the student data privacy website, studentprivacy.ed.gov, and the Privacy Technical Assistance Center.
You can actually e-mail them or call them with a question, which is kind of an amazing thing, given that they have to support 16,000 school districts across the country, and there are a number of very good resources that support complying with federal privacy laws.
They don’t deal with state privacy laws, but really some, some phenomenal resources.
They regularly hold webinars and we’ll go out regionally.
Anything else, Kevin or Jim? I’m going to also, we do have a list here for the audience that I’ll just bring up if anyone wants to comment on these.
I will touch just briefly on sort of what we provide at 1EdTech.
So we get a lot of requests from schools and even suppliers to reach out and have heard about the privacy rubric that we have here.
That Progressive rubric was, it took about three years to create that rubric, and it was done in collaboration with K-12 higher ed, State Departments of Education, and different EdTech providers.
And that was important because that unique set of organizations all working together to make sure that we created something that works for all.
It was meant to give schools who want to vet their applications a quick snapshot into what that supplier’s doing, how transparent they are with their policies, and things like that.
So, the rubric that we have, this is definitely a very strong rubric and it helps you answer the question from teachers, want something yesterday if they request the app.
And they need it almost now, That rubric assists in those regards and it’s meant to sort of handle the low I’m applications that are being sent to that poor person who has to vet those income and resources in their district.
I’ll just add, Go ahead, Jim.
And along the same lines we have our Student Data Privacy Pledge, which is a checklist of 12 attributes. It’s a yes or no. And we have Policy Council that review them and review the privacy policies before we add them to the student privacy Pledge.
So some very baseline requirements.
Now that’s an important one to mention that I thank you Jim.
Yeah. I was just going to add, you know, I know a lot of the ones on the slide are excellent. Of course the 1EdTech resources. We’ve been talking about CoSN and also has the Annual Horizon Report that they work on.
That’s pretty extensive and it’s really good for kind of educating and awareness. The CISA information is excellent for, for technology leaders at the district level or state levels there.
They’ve expanded immensely in the last couple of years. They even have contacts that you can reach out to and provide guidance and assistance. We have worked with them pretty closely over the last year, and are doing more with them.
So I would say, those have been really, you know, excellent educational and awareness partners for us. But, you know, in Georgia, we’re fortunate to have RESAs, that are regional service agencies.
I would say reaching out to them if you’re new or unsure.
And then we have a State DOE that’s led by Dr. Keith Osbourn, is the CIO for the State, and they have done an amazing job of kind of, transforming into a service and support agency for school districts.
And that has been a really neat thing to see, happen over the last couple of years with partnerships with 1EdTech with partnerships.
We’re providing security resources for school districts, so there’s been a lot of movement in those areas at the state level. And then through our partnerships, but the one that’s, it’s, the last bullet point, I think, is a really big one.
It’s making sure you work with your partners that you have, because there’s already hopefully a relationship there, and having these important discussions about privacy, about security, about your concerns as a district.
You’ve got to have those conversations with your partners, because they are the ones that can make it happen.
And the more we can be involved together as teams, the more we can tackle these issues as we’ve been mentioning how, you know, the, the onslaught of things that are coming at us is, it’s pretty amazing.
And there’s no way to do it alone. Just like we were talking about.
You know, the app vetting and things like that with data governance?
It can’t be done alone. It has to be seen as the important issue that it is. And, therefore, you need your departments.
You need your partners, and it needs to be, it’s something that we all are on the same page, working towards that safe and secure future.
Yeah, and that’s a great point.
And I think being from Lightspeed Systems, I mean, and that, you know, providing a partner, Salute set of solutions to districts.
We, you know, we are, you need to have vendors that are ready to work on, you know, the right type of agreement. So, the districts that we meet your district needs from a data security and data governance perspective.
Um, you know, we also, at Lightspeed Systems, we have a tool which, you know, we embed and bring in the 1EdTech Vetted App badging, and Student Data Privacy Consortium badging.
This is our Digital Insight Product, which allows districts to see the entire of, or have visibility of your entire ecosystem of what apps and digital learning applications you’re using, whether they’re approved or unapproved, whether they’re licensed or free.
It gives you that view, so you can, kind of, zero in on potentially new apps that your teachers are using and find out, Are they approved or they’re already in our system? If they’re not, OK, I’d see that they are 1EdTech vetted.
So I feel more comfortable about the way that they are securing data privacy and interoperability that they’re using.
So, I think working with, you know, your vendors either, whether it’s from, like a contractual perspective or making sure that they are using these types of standards and Lightspeed Systems. We can give you, help, give you visibility of your entire ecosystem to help give you a quick snapshot on what’s being used. And whether it does comply with that, your data privacy policies at your district or state.
So, important to involve the vendor community, and the ed organizations in this conversation, so that we can all ensure that we’re securing student and district data together.
I think everyone is heavily invested in making sure that learning is safe and secure, Each one of you, as well as the partner community. OK, so let’s jump into Q and A We have a few minutes left. So thanks for staying on with us.
All right. Is there a general guideline of how long we should be storing student data? OK, so, this is actually, Jim, going back to the beginning of this session, where we were talking about data retention.
So, is there a general rule around storing data? Is it different depending on the nature of the data.
So, feel free to jump in with any thoughts there.
Yeah, and I’ll ask Jim to chime in as well. But this is there is no specific requirement in any legislation for for data retention. So, for example, when I was in Virginia, the retention schedules were governed by the library of Virginia and they put out policies that it differed by the nature of the type of data.
So, for example, you know, field trip permission slips were kept for current school year. And other kinds of data were kept current, school, year, plus one. And, you know, some things like the educational record were 70 years. So it varies, and they tend to not be in regulation, but that doesn’t prevent you from applying just kind of data minimization and retention, in terms of not keeping records. So FERPA only requires you to secure the law while you’re maintaining it. It doesn’t specify how long you have to have to keep it.
And I’d be curious from your experiences in Georgia as well, Jim.
I know I’ve had this conversation with our person who’s in charge of data retention, and, to your point, it depends on the data. It depends on what department attended. It depends on how it’s being used.
We have some data that is required to be stored and secured forever.
And that’s some of our like HR data, But then there are the things to your point about yearly, that it needs it.
But, again, the information that I’ve gotten about this is that it can tend to be very unclear, I guess is the best way to put it.
So we have a person in our department, in our district that we go to that has the latest information.
That goes to all the data conferences and keeps up with the Georgia specific laws.
But to your point, as well, there’s, there’s federal regulations that are required on some cases.
So with FERPA as the baseline, it kind of sets like guardrails, but it doesn’t give you specifics on data so that it’s going to be determined a lot of times also by school boards policies, and some school boards are different than others on how they will approach that.
So, it really is unique to each, sometimes, each district, as well.
And Jim, I’m curious, at least in Georgia, I know one of the things in the Student Data Privacy Consortium, which has a national data protection agreement, many districts utilize one of the, the exhibits, which is basically a form to request that the vendor delete data or return the data. I’m kind of curious, do you deal with it, kind of turning it from the law side to the, to the contracting side. Do you deal with any of that on the contracting process?
That’s exactly what our data governance council is starting to to approach. As of right now, we’re kind of in the beginning phases of creating our own data sharing agreements.
For things like for example, the school photographers, right? There’s not a contract per se. It’s just, they’re going to come in and take pictures. But they have student information.
They have access to all this database of, uh, info that they have.
So we are in the process of working on those pieces, but again, it’s early phases and it’s, it’s challenging because it’s, it’s so there’s so much of it in so many different areas.
And to Kevin’s point earlier, you know, I know a lot of partners that we speak to about approaching them with the data, sharing our data privacy agreement.
And there’s sometimes some pushback because, as Kevin mentioned earlier, they feel like they’re doing a lot when they’re trying to reach, you know, the minimum for the California law and now Texas has some things, and Georgia has some things.
So, it makes it, sometimes, where the vendors are being stretched, sometimes a little further than they’d like, so it’s a fine line to walk.
Yeah, I think it’s interesting because, like you’re talking about in the district, like your retention of your district data, and then the vendor is also storing data like a student learning data or whatever that might be. So making sure that you speak with the vendors about or at least, like, how long are you retaining that data? I mean, I know we have that Publish, We have that available for all of our clients. So that they know how long we’re retaining their District data in our systems, or any any specific data. So I don’t know, Kevin, do you have anything from the vendor perspective? Do you most vendors or in your, in your Rubric around data retention at this point? Yeah?
So since I probably read well over 60 privacy policies a week, a lot of the common statements that I see around data retention in the supplier’s policy, as they use the term commercially reasonable and they make a lot of references to you. When you request deletion of your data, we still may retain it for multiple purposes. Some, some suppliers make the case for, they need to hold on to that data even if you request the deletion of it, but they need to hold on until it, for lawful purposes. They never state what the law is, but they. but it doesn’t make sense that if, you know, they use it for in case they get sued or if there’s any type of case, where they need to refer back to that data to sort of protect themselves against lawsuits. And things like that, They will hold onto that data And, they will say, for a commercially reasonable amount of time, which is never really defined in any policy.
I’ve seen, But there’s no sort of like when Jim Siegel said there’s no real law that says what the retention time has to be, but they always mentioned the types of data In a lot of the policies that are really depending on the type of data, we may hold onto it for these reasons.
And they will list those reasons, most fully, most lawful reasons why they hold onto it, even if you’re requesting.
And a lot of the times, they don’t give you any type of timeframe for retention unless a school asked for. So, some vendors are able to delete that data, or it will have a retention period of immediately, you can delete your data.
And we’ll delete it right, as you do so, Or they know, it’s cool doesn’t ask them to delete it.
I think Kevin’s the audio we might have lost in there for a second, So, in the interest of time, we have another, a few, a few additional questions. So Jim Siegl, I think this might be a good one for you, is there additional funding to help schools meet SDP regulations specifically?
One of the things that state laws tend not to be good at is funding the things that they require. There are very few states, Utah is really the only example that I’m aware of, that passed a student data privacy law, that actually provided funding to do what was accomplished.
On the, that’s on the privacy side, some states have stepped in and, and signed up entire state at the state level with a, as a student data privacy consortium membership, so kind of getting that, that group. So, for example, that is the way that it’s handled in Virginia for the 130 or so, so, districts. I’m kind of curious to know if there are things that you’re seeing in Georgia, or seeing on the security side. I know that there are grants and some federal things around, with … around cybersecurity.
Yeah, there. There definitely are.
And I would say, as I mentioned earlier, the DOE in Georgia has really taken some steps in this direction as well.
They’ve provided every district in Georgia with an affiliate membership to 1EdTech, so that’s been, I think, really beneficial, and I think that’ll just get better and better.
There’s also some things that the state is doing for, from a security perspective, with giving people some resources to help on the cybersecurity side of things, which, of course, is, you know, indirectly related to student data privacy, Of course, because the more secure we can be, the better that that whole umbrella is. So I think there are some things that are being done at that level.
Now it’s just a matter of raising awareness and education of all of our districts, and so that’s, that’s one of the things we’ve tried to do through the 1EdTech meetings that we have, and through expanding the membership of CoSN and throughout the state of Georgia.
You know, and elsewhere of course, because of the TLE seal (Trusted Learning Environment) is fantastic for districts to learn about, it’s a trusted learning environment.
And then of course for individuals the CETL certification, which is the Certified Education Technology Leader, which kind of covers many of these topics that we’ve talked about.
And it just helps to raise that level of expertise and awareness that we as leaders in this area, need to have.
Yeah, and I think, I don’t know, Jeremy, for you or any of you, but I know E-Rate, there’s discussions right now about will there be E-Rate funding that actually goes towards more of a cybersecurity? I think that’s under review or, like, comment right now.
So, I think as cybersecurity data, privacy, and data governance become an increasing or continued issue for districts, it sounds like at the federal level, they’re realizing that school districts need help funding the appropriate technology solutions and potentially consulting solutions, or, you know, whatever types of needs that they, they have there.
So, I think that there will be more to come, I guess. Yeah. There, we should see more information about that.
And I’m sure that there will be continued discussion about how do states fund these needs, as well as the federal government.
Well, I want to thank the audience for joining us, and Kevin, Jim. Jim, I’d love to love to thank you for your thoughts. We really appreciate sharing your insights today.
We are going to wrap up in the interest of time, but, again, thank you for joining us.
We want to provide you with the information that we have, and the solutions and tools that we have at Lightspeed Systems. So, if you’re interested in more information about some of the ways that we can help you around data privacy, security, and compliance, please reach out to your Lightspeed account manager. Or if you do not have one, please reach out to us by visiting our website.
Again, I want to thank our panelists for a great discussion today, and thank you for joining us.
A recording will be sent out shortly, and we appreciate your time, and we appreciate your dedication to education. Thank you so much. Have a great day.