K-12 vendors are key components in all aspects of K-12 education.
From operational needs such as attendance and payroll to learning applications for reading, science, and mathematics, vendors ensure school districts operate as efficiently and effectively as possible.
But K-12 vendors are also one of the greatest single sources of cybersecurity vulnerability for schools and districts. The U.S. Government Accountability Office asserted that “cyberattacks carried out directly against ed-tech vendors […] tend to have an especially severe impact on K-12 because they affect a large swath of students across multiple school districts at the same time.”
In fact, K12 SIX’s annual report asserted that 55% of reported school data breaches in 2021 were connected to incidents originating from district vendors. How can you stay safe?
Here are three ways to help ensure your K-12 vendor selection improves results rather than weakening your cybersecurity.
1. Show Me Your Bona Fides
Is your vendor FERPA certified? The Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
What about COPPA certification? The Children’s Online Privacy Protection Act places requirements on operators of websites or online services directed to children under 13 years of age, as well as requirements on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
These two certifications prove that your vendor places high importance on keeping your student data safe. Additionally, requiring recommendations from customers with similar needs is always an excellent idea.
2. Sweat the Details
We see them every day: Privacy Policies and Terms of Service. Downloading a new photo editing app for your smartphone often involves skimming these two documents, if even that, but they are wildly critical for K-12 cybersecurity. Make sure your vendor's policies:
- Spell out the type of Personally Identifiable Information (PII) collected and what they do with it
- Delete all student data collected ANY TIME you wish
- Detail who at the organization can access student data and what that means
- Offer audit logs for when company staff members access school accounts and/or student data
- Commit to never sharing student information with third parties (including advertisers) except as required to provide their service
- Show their plan in the case of a breach
- Display the granularity of its data encryption
- Provide the location(s) on earth where the district’s data is stored
- Guarantee that the ownership of PII remains solely with the school district
3. Hope for Security, Plan for a Data Breach
While no K-12 school district expects to be hacked or incur a data breach, the odds of one occurring grow daily. No vendor can guarantee 100% security, but what they can do is detail what they do to actively test their defenses and respond in the event of a cybersecurity breach. A few actions to take:
- Examine the vendor’s incident response plan and ensure it is documented, including a discussion of key steps and the cadence with which they are executed
- Require that the vendor conduct a yearly pen test by a third party (“by a qualified third-party vendor” is common language)
- Confirm whether the data leaves the state and/or the country
We Are Ready to Help
ENA by Zayo is ready and willing to help secure your K-12 school district from cybersecurity threats and data breaches. From hosted firewalls, content filtering, and virtual private networks to DDoS mitigation, cybersecurity assessment services, and unified threat management, we are ready to help you protect your education community.