Some of the most sensitive files your office manages are your student files. Grades, personal information, and health information pertaining to each of your students must be as secure as your employee files. Yet, unlike your employee files, certain student records also need to be accessed regularly by key faculty and staff.
Your school nurse and possibly school coaches need to access health files; faculty need access to grades and academic history; and—depending on your school’s culture—faculty might need student personal information, such as home addresses and parent information. Different accessibility requirements open your office to multiple security concerns, and often invite conversations around adjusting policies.
News sources keep our attention (as well as our family’s) primed to student data breaches. In any size organization, maintaining secure servers is a constantly evolving and expanding chore.
For example, a recent Minnesota State College and University data leak made headlines when an isolated server was hacked, potentially leaking student and employee social security numbers. Although a letter from the President to the community tried to soothe fears by stating the infected server was not thought to contain financial information or credit card numbers, the extent of the damage remains unknown. In response to the compromised server, the university announced it would be moving its website to a new server while the investigation is ongoing.
Another recent example comes from Texas, where students are responsible for hacking into district files as an in-school prank to get homework help. The mischievous students are thought to have accessed more than homework assistance, however. Some parents are concerned that prepaid lunch funds were deleted from student accounts, and police are investigating the possibility that birth dates, social security numbers, addresses, and personal identifiers were also obtained.
How Information Leaks Happen
Nearly every data breach has a unique "front door."
In our Minnesota example, an investigation continues as to how an outsider, still unidentified, accessed personal files. Attention was brought to university officials when the hacker posted information he/she had obtained in a public blog post.
In our Texas example, the suspect students had permission to use the computer where the unprotected files were stored. These files were downloaded onto a thumb drive and shared among 12 or 13 students.
Having unsecured files on a computer that students and unauthorized people can access them is a dangerous mistake that could have been easily avoided. However, hackers will test their skills on even the most secure servers. Just as quickly as we upgrade our protocols and policies, hackers find new ways to break in.
Secure Options
There aren't many organizations that haven’t bought into the magical sales promise, “Move your files into the cloud. Faster. Securer. Access the information you need from anywhere at any time.” But, as Athem and Sony have shown us over the last few months, cloud or no cloud, no data is 100% safe from mischievous information thieves.
It's time to enact precautions beyond the sales pitches to ensure our content is as safe as possible—the most important being knowledge.
You already wear multiple hats and, no, we’re not implying that you need to add an IT cap to the weighty stack you’re already wearing. What we mean by knowledge is simply that you’re part of the ongoing conversation revolving around your school’s information security.
When meeting with your IT team—whether in-house or an outside vendor—be prepared to review trending security features, your current systems and software, and your school’s risks. These all must be addressed with updated policies, protocols, and new providers and hardware (if needed).
Share what security measures your school has taken to protect your student data. We want to hear from you.
Security and Privacy Coverage can be purchased to help protect your school in the event of a data breach. ISM offers this coverage through Great American to D&O client schools for 15% additional premium. (Your school must have D&O coverage with us to include this endorsement.) Our policy offers $100,000 Regulatory Action limit for legal fees incurred in response to data loss, and to cover fines and penalties your required to pay by law, as well as $100,000 Privacy Event Limit for identity restoration services, identifying how information was accessed, credit monitoring, and legal fees. For more information, have your Broker contact Andy Bobich at abobich@isminc.com or 302-656-4944—or feel free to contact him directly!
Magnus Student Medical Records is an organization that shares our vision, mission, and beliefs. They offer Web-based software that securely collects and tracks student health information—medical history, consent-to-treat forms, allergies, emergency contacts, medications, and more—while allowing remote accessibility to those who need it (coaches, nurses, emergency medical personnel, etc.). As an added feature to ISM’s Student Accident Insurance, Magnus offers ISM clients a special promotional price of $750 for the first year of service on Magnus Health's Safety Suite —that's $1000 savings! Visit magnushealth.com/ism and schedule a brief demonstration to see how Magnus can simplify and protect your students’ medical information.
Additional ISM resources:
Private School News Vol. 13 No. 1 Hoarders: Retaining and Disposing of Subjective Data
ISM Monthly Update for Risk Managers Vol. 5 No. 5 What’s On Your Printer?
ISM Monthly Update for Business Officers Vol. 10 No. 2 Reducing Student Risk With Up-To-Date Medical Records
ISM Monthly Update for Risk Managers Vol. 3 No. 1 Crisis Planning—It’s Your Job
ISM Monthly Update for Risk Managers Vol. 4 No. 2 The New iPredator
Additional ISM resources for Gold Consortium members:
I&P Vol. 38 No. 3 Maintain Personnel Records Diligently to Protect Your School
