Many people have never heard the name Glenn Cordelli, but if you are a parent, you should get to know him. Glenn Cordelli is a state representative in New Hampshire serving in Moultonborough, Sandwich, and Tuftonboro. He finished up his third term, and will hopefully be elected for a fourth term in November.
Representative Glenn Cordelli recently put forth a Bill that would require each local education agency to develop a local data security plan. HB1612 was signed into law by Governor Sununu in August, and now school boards across New Hampshire will have to develop a Data Inventory Security Plan.
This is such an important issue now in public education that the FBI has issued warnings to parents:
EDUCATION TECHNOLOGIES: DATA COLLECTION AND UNSECURED SYSTEMS COULD POSE RISKS TO STUDENTS
The FBI is encouraging public awareness of cyber threat concerns related to K-12 students. The US school systems’ rapid growth of education technologies (EdTech) and widespread collection of student data could have privacy and safety implications if compromised or exploited. As a result, types of data that are collected can include, but are not limited to:
- personally identifiable information (PII);
- biometric data;
- academic progress;
- behavioral, disciplinary, and medical information;
- Web browsing history;
- students’ geolocation;
- IP addresses used by students; and
- classroom activities.
Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children. Therefore, the FBI is providing awareness to schools and parents of the important role cybersecurity plays in the securing of student information and devices.
Sensitive Student Data
The widespread collection of sensitive information by EdTech could present unique exploitation opportunities for criminals. For example, in late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets. In response to the incidents, the Department of Education released a Cyber Advisory alert in October 2017 stating cyber criminals were targeting school districts with weak data security or well-known vulnerabilities to access sensitive data from student records to shame, bully, and threaten children.
This is a lot for parents to deal with which is why more parents are opting their children out of the personal devices. Silicon Valley parents are raising their children tech-free which should be a red flag for all parents . Learning how to use software or how to use a computer may be a better use of time. Technology changes frequently so some of what children are learning may be outdated by the time they graduate. Given the dangers that come from using third-party vendor apps on an I-Pad or Chromebook pose all kinds of dangers to children.
HB 1612 will go a long way to facilitate a school district developing a data-security policy. But that’s not all school boards should work on. They need to consider allowing parents to opt their children out of this kind of technology if they are not comfortable with it. Policies need to include informed written consent from parents before their child signs on to a platform or software that collects their personal, and sensitive information.
This race to technology benefits the tech industry, and heavily lobby legislators to push technology in the classroom. When the software is “free,” remember they are getting something –data is gold.
Some of the data collected by vendors is sold, and used in research for their product. Ethical guidelines require informed consent anytime research involves children. A good policy should include informed written consent from a parent or guardian on all software programs, platforms, etc. Since these vendors use the data to research their product effectiveness, a good policy should require informed written consent, or even compensation.
I served on a task force in Bedford a few years ago to develop a policy on student data security. It was a good first step, but strengthening the language requiring informed written consent would be a big improvement.
I suspect administrators will want to do the minimum required. That’s why parents and school board members need to make sure the policy drafted includes a provision requiring informed written consent. This is required by governing boards that license professionals who treat children outside the school system. Any administrator who does not support these ethical guidelines is not looking out for the children in their school district. That should concern every parent and school board member in New Hampshire.
(Cross-posted from Girard-at-Large)