Go Ahead, Blame Your Principal for the Data Breach
Last year a principal in the Chicago Public Schools made a mistake that would alter his career trajectory. He revealed confidential student information and personnel data to comply with a Freedom of Information Act request. The Google Drive folder he shared contained student names, races, grades, special education eligibility, and email addresses. It also included teacher evaluations and ratings.
Upon discovery of what had happened, the district recommended this principal’s termination. As it turns out, a little transparency goes a long way. Too much openness can get you fired.
Administrators who willingly share personal information violate state and federal laws regarding data privacy. More than likely, they also disregard local district policy. The repercussions can be huge.
In advance of the data breach
Schools are not immune to the threat of data breaches. They are often targets. There are steps every principal should take to protect personal and confidential data at the campus.
· Strengthen password requirements. By now no one should be using “password” as their password. Instead, require combinations of uppercase and lowercase letters, numbers, and symbols.
· Encrypt your data. Encryption protects confidential data, making it far more difficult to find and extract sensitive information.
· Train your employees. Don’t expect your teachers to know how to treat private data or respond to potential threats and breaches. Teach them what you want them to know.
· Retrain your employees. Showing everyone once how to protect data is not enough — review protocols at every faculty meeting.
· Use a virtual private network (VPN). Educators who travel or work offsite access confidential information through cloud-based storage apps. If they’re using a public network, anyone else can see and collect the data they’re looking at. A VPN acts like a security screen. It keeps outsiders from seeing in.
· Review your district’s insurance plan. Most districts cannot sustain the high losses that go with data breaches. Not only will you need additional human resources to react to the breach, but you could also be facing fines and costly litigation expenses.
Even with the best protocols and practices, a data breach can still occur.
Unless you purposefully and willingly committed a crime, you won’t be held liable for the data breach itself. Where most campus administrators get in trouble, however, is in how they handle the breach after it’s happened.
Did you get the notice?
In Texas, the Texas Association of School Boards (TASB) inadvertently posted the confidential and personal information of thousands of schools’ employees online. A Pearson data breach affected 13,000 schools and an untold number of teachers and students. Neither TASB nor Pearson sent out notification letters; they can’t tell you exactly who might have been affected.
Anyone affected by a data breach should be informed in writing.
If there has been a data breach at your campus, you must take swift action to notify potential victims. Forty-seven states have adopted breach notification protocols, and several of these states have made changes in how quickly victims must be notified. Failure to comply and take action could have principals in just as much hot water as their former colleague from Chicago.
If a data breach happens at your school, initiate the protocol for notification immediately. Failure to do so could jeopardize your career and the future of your students.